2 files changed, 75 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch
new file mode 100644
index 0000000000..97bf75f059
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch
@@ -0,0 +1,74 @@
+From d7657811964eac1cb9743bb98649278ad948f0d2 Mon Sep 17 00:00:00 2001
+From: Maks Verver <maks@verver.ch>
+Date: Tue, 8 Apr 2025 13:13:55 +0200
+Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters.
+Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.
+CVE: CVE-2025-32414
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d7657811964eac1cb9743bb98649278ad948f0d2]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ python/libxml.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+diff --git a/python/libxml.c b/python/libxml.c
+index 1fe8d685..2bf14078 100644
+--- a/python/libxml.c
+++ b/python/libxml.c
+@@ -248,7 +248,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
+ 
+     file = (PyObject *) context;
+     if (file == NULL) return(-1);
+-    ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len);
+    /* When read() returns a string, the length is in characters not bytes, so
+       request at most len / 4 characters to leave space for UTF-8 encoding. */
+    ret = PyObject_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
+     if (ret == NULL) {
+        printf("xmlPythonFileReadRaw: result is NULL\n");
+        return(-1);
+@@ -283,10 +285,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
+        Py_DECREF(ret);
+        return(-1);
+     }
+-    if (lenread > len)
+-       memcpy(buffer, data, len);
+-    else
+-       memcpy(buffer, data, lenread);
+    if (lenread < 0 || lenread > len) {
+       printf("xmlPythonFileReadRaw: invalid lenread\n");
+       Py_DECREF(ret);
+       return(-1);
+    }
+    memcpy(buffer, data, lenread);
+     Py_DECREF(ret);
+     return(lenread);
+ }
+@@ -310,7 +314,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
+ 
+     file = (PyObject *) context;
+     if (file == NULL) return(-1);
+-    ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
+    /* When io_read() returns a string, the length is in characters not bytes, so
+       request at most len / 4 characters to leave space for UTF-8 encoding. */
+    ret = PyObject_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
+     if (ret == NULL) {
+        printf("xmlPythonFileRead: result is NULL\n");
+        return(-1);
+@@ -345,10 +351,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
+        Py_DECREF(ret);
+        return(-1);
+     }
+-    if (lenread > len)
+-       memcpy(buffer, data, len);
+-    else
+-       memcpy(buffer, data, lenread);
+    if (lenread < 0 || lenread > len) {
+       printf("xmlPythonFileRead: invalid lenread\n");
+       Py_DECREF(ret);
+       return(-1);
+    }
+    memcpy(buffer, data, lenread);
+     Py_DECREF(ret);
+     return(lenread);
+ }
diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb
index c4f76c281d..42672e35bd 100644
--- a/meta/recipes-core/libxml/libxml2_2.12.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb
@@ -18,6 +18,7 @@ inherit gnomebase
 SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testtar \
           file://run-ptest \
           file://install-tests.patch \
+           file://CVE-2025-32414.patch \
           "
 SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch new file mode 100644 index 0000000000..97bf75f059 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2025-32414.patch
@@ -0,0 +1,74 @@
		1	From d7657811964eac1cb9743bb98649278ad948f0d2 Mon Sep 17 00:00:00 2001
		2	From: Maks Verver <maks@verver.ch>
		3	Date: Tue, 8 Apr 2025 13:13:55 +0200
		4	Subject: [PATCH] [CVE-2025-32414] python: Read at most len/4 characters.
		5
		6	Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.
		7
		8	CVE: CVE-2025-32414
		9	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/d7657811964eac1cb9743bb98649278ad948f0d2]
		10	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		11	---
		12	python/libxml.c \| 28 ++++++++++++++++++----------
		13	1 file changed, 18 insertions(+), 10 deletions(-)
		14
		15	diff --git a/python/libxml.c b/python/libxml.c
		16	index 1fe8d685..2bf14078 100644
		17	--- a/python/libxml.c
		18	+++ b/python/libxml.c
		19	@@ -248,7 +248,9 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
		20
		21	file = (PyObject *) context;
		22	if (file == NULL) return(-1);
		23	- ret = PyObject_CallMethod(file, (char ) "read", (char ) "(i)", len);
		24	+ /* When read() returns a string, the length is in characters not bytes, so
		25	+ request at most len / 4 characters to leave space for UTF-8 encoding. */
		26	+ ret = PyObject_CallMethod(file, (char ) "read", (char ) "(i)", len / 4);
		27	if (ret == NULL) {
		28	printf("xmlPythonFileReadRaw: result is NULL\n");
		29	return(-1);
		30	@@ -283,10 +285,12 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
		31	Py_DECREF(ret);
		32	return(-1);
		33	}
		34	- if (lenread > len)
		35	- memcpy(buffer, data, len);
		36	- else
		37	- memcpy(buffer, data, lenread);
		38	+ if (lenread < 0 \|\| lenread > len) {
		39	+ printf("xmlPythonFileReadRaw: invalid lenread\n");
		40	+ Py_DECREF(ret);
		41	+ return(-1);
		42	+ }
		43	+ memcpy(buffer, data, lenread);
		44	Py_DECREF(ret);
		45	return(lenread);
		46	}
		47	@@ -310,7 +314,9 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
		48
		49	file = (PyObject *) context;
		50	if (file == NULL) return(-1);
		51	- ret = PyObject_CallMethod(file, (char ) "io_read", (char ) "(i)", len);
		52	+ /* When io_read() returns a string, the length is in characters not bytes, so
		53	+ request at most len / 4 characters to leave space for UTF-8 encoding. */
		54	+ ret = PyObject_CallMethod(file, (char ) "io_read", (char ) "(i)", len / 4);
		55	if (ret == NULL) {
		56	printf("xmlPythonFileRead: result is NULL\n");
		57	return(-1);
		58	@@ -345,10 +351,12 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
		59	Py_DECREF(ret);
		60	return(-1);
		61	}
		62	- if (lenread > len)
		63	- memcpy(buffer, data, len);
		64	- else
		65	- memcpy(buffer, data, lenread);
		66	+ if (lenread < 0 \|\| lenread > len) {
		67	+ printf("xmlPythonFileRead: invalid lenread\n");
		68	+ Py_DECREF(ret);
		69	+ return(-1);
		70	+ }
		71	+ memcpy(buffer, data, lenread);
		72	Py_DECREF(ret);
		73	return(lenread);
		74	}


diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb index c4f76c281d..42672e35bd 100644 --- a/meta/recipes-core/libxml/libxml2_2.12.10.bb +++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb
@@ -18,6 +18,7 @@ inherit gnomebase
18	SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testtar \	18	SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testtar \
19	file://run-ptest \	19	file://run-ptest \
20	file://install-tests.patch \	20	file://install-tests.patch \
		21	file://CVE-2025-32414.patch \
21	"	22	"
22		23
23	SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"	24	SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"