Re: Multiple vulnerabilities in libxml2

[Nick Wellnhofer <wellnhofer () aevum de>]

On Apr 17, 2025, at 19:58, Solar Designer <solar () openwall com> wrote:
> The titles above say "buffer overflow", but information over the
> provided links suggests that both are actually out-of-bounds reads.
> Is this correct?
>
> On Thu, Apr 17, 2025 at 02:34:40PM +0200, Nick Wellnhofer wrote:
> > These issues are fixed in 2.14.2 and 2.13.8. Older branches won't receive official updates.
> >
> > [CVE-2025-32414] Buffer overflow when parsing text streams with Python API
> > https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
> >
> > The Python Package Index contains an outdated and unsanctioned upload based on libxml2 2.9.5 which is vulnerable. I 
> > tried to inform the PyPI maintainers but I'm not sure my message made it through.
>
> "we return `lenread` even if it was larger than `len`! This is probably
> what causes callers to read past the end of the buffer, triggering
> memory errors reported by Valgrind"

I haven't looked at the details, but I assume that out-of-bounds writes are possible as well.

> [CVE-2025-32415] Heap-based Buffer Overflow in xmlSchemaIDCFillNodeTables
> > https://gitlab.gnome.org/GNOME/libxml2/-/issues/890
>
> "This issue occurs when processing crafted xml files, leading to an
> out-of-bounds read and potential application crash.
> The reason is that the xmlSchemaIDCFillNodeTables function uses the -1
> operation when removing duplicate entry from the IDC node-table, but
> does not check the value of bind -> nbNodes. When bind -> nbNodes
> becomes 0, it will cause the bind -> nodeTable array to be read out of
> bounds."

Right, it's probably just an OOB read. The title was copied from the original report.

Nick