Version in base suite: 2.9.14+dfsg-1.3~deb12u1 Base version: libxml2_2.9.14+dfsg-1.3~deb12u1 Target version: libxml2_2.9.14+dfsg-1.3~deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libx/libxml2/libxml2_2.9.14+dfsg-1.3~deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libx/libxml2/libxml2_2.9.14+dfsg-1.3~deb12u2.dsc changelog | 26 ++++++ patches/CVE-2022-49043.patch | 31 ++++++++ patches/CVE-2023-39615_1.patch | 29 +++++++ patches/CVE-2023-39615_2.patch | 64 +++++++++++++++++ patches/CVE-2023-45322.patch | 49 +++++++++++++ patches/CVE-2024-25062.patch | 26 ++++++ patches/CVE-2024-34459.patch | 21 +++++ patches/CVE-2024-56171.patch | 36 +++++++++ patches/CVE-2025-24928-pre1.patch | 22 +++++ patches/CVE-2025-24928.patch | 51 +++++++++++++ patches/CVE-2025-27113.patch | 26 ++++++ patches/CVE-2025-32414-bug-889-v2.10.4-and-below.patch | 60 +++++++++++++++ patches/CVE-2025-32415.patch | 35 +++++++++ patches/series | 12 +++ 14 files changed, 488 insertions(+) diff -Nru libxml2-2.9.14+dfsg/debian/changelog libxml2-2.9.14+dfsg/debian/changelog --- libxml2-2.9.14+dfsg/debian/changelog 2023-07-10 19:58:07.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/changelog 2025-06-06 08:50:13.000000000 +0000 @@ -1,3 +1,29 @@ +libxml2 (2.9.14+dfsg-1.3~deb12u2) bookworm-security; urgency=high + + * Security fixes: + - CVE-2023-39615: out-of-bounds read via the xmlSAX2StartElement() + (Closes: #1051230) + - CVE-2023-45322: use-after-free in xmlUnlinkNode() + (Closes: #1053629) + - CVE-2024-25062: use-after-free in xmlValidatePopElement() + (Closes: #1063234) + - CVE-2025-32414: out-of-bounds read in Python bindings + (Closes: #1102521) + - CVE-2025-32415: heap-based buffer under-read via + xmlSchemaIDCFillNodeTables() (Closes: #1103511) + - CVE-2022-49043: use-after-free in xmlXIncludeAddNode() + (Closes: #1094238) + - CVE-2024-34459: buffer over-read in xmlHTMLPrintFileContext of xmllint + (Closes: #1071162) + - CVE-2024-56171: use-after-free after xmlSchemaItemListAdd() + (Closes: #1098320) + - CVE-2025-24928: stack-buffer-overflow in xmlSnprintfElements() + (Closes: #1098321) + - CVE-2025-27113: NULL pointer dereference in xmlPatMatch() + (Closes: #1098322) + + -- Aron Xu Fri, 06 Jun 2025 16:50:13 +0800 + libxml2 (2.9.14+dfsg-1.3~deb12u1) bookworm; urgency=medium * Rebuild for bookworm diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2022-49043.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2022-49043.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2022-49043.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2022-49043.patch 2025-06-06 08:49:57.000000000 +0000 @@ -0,0 +1,31 @@ +Backport of: + +From 5a19e21605398cef6a8b1452477a8705cb41562b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 2 Nov 2022 16:13:27 +0100 +Subject: [PATCH] malloc-fail: Fix use-after-free in xmlXIncludeAddNode + +Found with libFuzzer, see #344. +--- + xinclude.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/xinclude.c ++++ b/xinclude.c +@@ -612,14 +612,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ct + } + URL = xmlSaveUri(uri); + xmlFreeURI(uri); +- xmlFree(URI); + if (URL == NULL) { + xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI, + "invalid value URI %s\n", URI); + if (fragment != NULL) + xmlFree(fragment); ++ xmlFree(URI); + return(-1); + } ++ xmlFree(URI); + + if (xmlStrEqual(URL, ctxt->doc->URL)) + local = 1; diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2023-39615_1.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2023-39615_1.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2023-39615_1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2023-39615_1.patch 2025-06-06 08:49:57.000000000 +0000 @@ -0,0 +1,29 @@ +From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 6 May 2023 17:47:37 +0200 +Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks + +For some reason, xmlCtxtUseOptionsInternal set the start and end element +SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1 +was specified. This means that custom SAX handlers could never work with +that flag because these functions would receive the wrong user data +argument and crash immediately. + +Fixes #535. +--- + parser.c | 2 -- + 1 file changed, 2 deletions(-) + +Index: libxml2-2.12.7+dfsg+really2.9.14/parser.c +=================================================================== +--- libxml2-2.12.7+dfsg+really2.9.14.orig/parser.c ++++ libxml2-2.12.7+dfsg+really2.9.14/parser.c +@@ -15071,8 +15071,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtP + } + #ifdef LIBXML_SAX1_ENABLED + if (options & XML_PARSE_SAX1) { +- ctxt->sax->startElement = xmlSAX2StartElement; +- ctxt->sax->endElement = xmlSAX2EndElement; + ctxt->sax->startElementNs = NULL; + ctxt->sax->endElementNs = NULL; + ctxt->sax->initialized = 1; diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2023-39615_2.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2023-39615_2.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2023-39615_2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2023-39615_2.patch 2025-06-06 08:49:57.000000000 +0000 @@ -0,0 +1,64 @@ +From 235b15a590eecf97b09e87bdb7e4f8333e9de129 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 8 May 2023 17:58:02 +0200 +Subject: [PATCH] SAX: Always initialize SAX1 element handlers + +Follow-up to commit d0c3f01e. A parser context will be initialized to +SAX version 2, but this can be overridden with XML_PARSE_SAX1 later, +so we must initialize the SAX1 element handlers as well. + +Change the check in xmlDetectSAX2 to only look for XML_SAX2_MAGIC, so +we don't switch to SAX1 if the SAX2 element handlers are NULL. +--- + SAX2.c | 11 +++++++---- + parser.c | 5 +---- + 2 files changed, 8 insertions(+), 8 deletions(-) + +Index: libxml2-2.12.7+dfsg+really2.9.14/SAX2.c +=================================================================== +--- libxml2-2.12.7+dfsg+really2.9.14.orig/SAX2.c ++++ libxml2-2.12.7+dfsg+really2.9.14/SAX2.c +@@ -2842,20 +2842,23 @@ xmlSAXVersion(xmlSAXHandler *hdlr, int v + { + if (hdlr == NULL) return(-1); + if (version == 2) { +- hdlr->startElement = NULL; +- hdlr->endElement = NULL; + hdlr->startElementNs = xmlSAX2StartElementNs; + hdlr->endElementNs = xmlSAX2EndElementNs; + hdlr->serror = NULL; + hdlr->initialized = XML_SAX2_MAGIC; + #ifdef LIBXML_SAX1_ENABLED + } else if (version == 1) { +- hdlr->startElement = xmlSAX2StartElement; +- hdlr->endElement = xmlSAX2EndElement; + hdlr->initialized = 1; + #endif /* LIBXML_SAX1_ENABLED */ + } else + return(-1); ++#ifdef LIBXML_SAX1_ENABLED ++ hdlr->startElement = xmlSAX2StartElement; ++ hdlr->endElement = xmlSAX2EndElement; ++#else ++ hdlr->startElement = NULL; ++ hdlr->endElement = NULL; ++#endif /* LIBXML_SAX1_ENABLED */ + hdlr->internalSubset = xmlSAX2InternalSubset; + hdlr->externalSubset = xmlSAX2ExternalSubset; + hdlr->isStandalone = xmlSAX2IsStandalone; +Index: libxml2-2.12.7+dfsg+really2.9.14/parser.c +=================================================================== +--- libxml2-2.12.7+dfsg+really2.9.14.orig/parser.c ++++ libxml2-2.12.7+dfsg+really2.9.14/parser.c +@@ -1109,10 +1109,7 @@ xmlDetectSAX2(xmlParserCtxtPtr ctxt) { + if (ctxt == NULL) return; + sax = ctxt->sax; + #ifdef LIBXML_SAX1_ENABLED +- if ((sax) && (sax->initialized == XML_SAX2_MAGIC) && +- ((sax->startElementNs != NULL) || +- (sax->endElementNs != NULL) || +- ((sax->startElement == NULL) && (sax->endElement == NULL)))) ++ if ((sax) && (sax->initialized == XML_SAX2_MAGIC)) + ctxt->sax2 = 1; + #else + ctxt->sax2 = 1; diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2023-45322.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2023-45322.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2023-45322.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2023-45322.patch 2025-06-06 08:49:57.000000000 +0000 @@ -0,0 +1,49 @@ +Reviewed-by: Aron Xu + +From 30d7660ba87c8487b26582ccc050f4d2880ccb3c Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 28 Nov 2023 13:27:25 +0100 +Subject: [PATCH] tree: Fix #583 again + +Only set doc->intSubset after successful copy to avoid dangling pointers +in error case. +--- + tree.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +Index: libxml2-2.12.7+dfsg+really2.9.14/tree.c +=================================================================== +--- libxml2-2.12.7+dfsg+really2.9.14.orig/tree.c ++++ libxml2-2.12.7+dfsg+really2.9.14/tree.c +@@ -4370,6 +4370,7 @@ static xmlNodePtr + xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { + xmlNodePtr ret = NULL; + xmlNodePtr p = NULL,q; ++ xmlDtdPtr newSubset = NULL; + + while (node != NULL) { + #ifdef LIBXML_TREE_ENABLED +@@ -4378,12 +4379,12 @@ xmlStaticCopyNodeList(xmlNodePtr node, x + node = node->next; + continue; + } +- if (doc->intSubset == NULL) { ++ if ((doc->intSubset == NULL) && (newSubset == NULL)) { + q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); + if (q == NULL) return(NULL); + q->doc = doc; + q->parent = parent; +- doc->intSubset = (xmlDtdPtr) q; ++ newSubset = (xmlDtdPtr) q; + xmlAddChild(parent, q); + } else { + q = (xmlNodePtr) doc->intSubset; +@@ -4404,6 +4405,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, x + } + node = node->next; + } ++ if ((doc != NULL) && (newSubset != NULL)) ++ doc->intSubset = newSubset; + return(ret); + } + diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2024-25062.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2024-25062.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2024-25062.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2024-25062.patch 2025-06-06 08:49:57.000000000 +0000 @@ -0,0 +1,26 @@ +From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 14 Oct 2023 22:45:54 +0200 +Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when + backtracking + +Fixes a use-after-free if XML Reader if used with DTD validation and +XInclude expansion. + +Fixes #604. +--- + xmlreader.c | 1 + + 1 file changed, 1 insertion(+) + +Index: libxml2-2.12.7+dfsg+really2.9.14/xmlreader.c +=================================================================== +--- libxml2-2.12.7+dfsg+really2.9.14.orig/xmlreader.c ++++ libxml2-2.12.7+dfsg+really2.9.14/xmlreader.c +@@ -1586,6 +1586,7 @@ node_found: + * Handle XInclude if asked for + */ + if ((reader->xinclude) && (reader->in_xinclude == 0) && ++ (reader->state != XML_TEXTREADER_BACKTRACK) && + (reader->node != NULL) && + (reader->node->type == XML_ELEMENT_NODE) && + (reader->node->ns != NULL) && diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2024-34459.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2024-34459.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2024-34459.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2024-34459.patch 2025-06-06 08:49:57.000000000 +0000 @@ -0,0 +1,21 @@ +From 8ddc7f13337c9fe7c6b6e616f404b0fffb8a5145 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 8 May 2024 11:49:31 +0200 +Subject: [PATCH] [CVE-2024-34459] Fix buffer overread with `xmllint --htmlout` + +Add a missing bounds check. +--- + xmllint.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/xmllint.c ++++ b/xmllint.c +@@ -602,7 +602,7 @@ xmlHTMLPrintFileContext(xmlParserInputPt + len = strlen(buffer); + snprintf(&buffer[len], sizeof(buffer) - len, "\n"); + cur = input->cur; +- while ((*cur == '\n') || (*cur == '\r')) ++ while ((cur > base) && ((*cur == '\n') || (*cur == '\r'))) + cur--; + n = 0; + while ((cur != base) && (n++ < 80)) { diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2024-56171.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2024-56171.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2024-56171.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2024-56171.patch 2025-06-06 08:49:57.000000000 +0000 @@ -0,0 +1,36 @@ +From 5880a9a6bd97c0f9ac8fc4f30110fe023f484746 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 10 Dec 2024 16:52:05 +0100 +Subject: [PATCH] [CVE-2024-56171] Fix use-after-free after + xmlSchemaItemListAdd + +xmlSchemaItemListAdd can reallocate the items array. Update local +variables after adding item in + +- xmlSchemaIDCFillNodeTables +- xmlSchemaBubbleIDCNodeTables + +Fixes #828. +--- + xmlschemas.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- libxml2-2.12.7+dfsg+really2.9.14.orig/xmlschemas.c ++++ libxml2-2.12.7+dfsg+really2.9.14/xmlschemas.c +@@ -23658,6 +23658,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaVali + } + if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1) + goto internal_error; ++ dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items; + /* + * Remove the duplicate entry from the IDC node-table. + */ +@@ -23874,6 +23875,8 @@ xmlSchemaBubbleIDCNodeTables(xmlSchemaVa + goto internal_error; + } + xmlSchemaItemListAdd(parBind->dupls, parNode); ++ dupls = (xmlSchemaPSVIIDCNodePtr *) ++ parBind->dupls->items; + } else { + /* + * Add the node-table entry (node and key-sequence) of diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2025-24928-pre1.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2025-24928-pre1.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2025-24928-pre1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2025-24928-pre1.patch 2025-06-06 08:49:57.000000000 +0000 @@ -0,0 +1,22 @@ +From 577e2516d0ed3669c7e9879ba9f04214658bfd1b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 19 Mar 2024 17:06:07 +0100 +Subject: [PATCH] valid: Check for NULL node->name in xmlSnprintfElements + +Unfortunately, we can have NULL element names if xmlSetTreeDoc fails. +--- + valid.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- libxml2-2.12.7+dfsg+really2.9.14.orig/valid.c ++++ libxml2-2.12.7+dfsg+really2.9.14/valid.c +@@ -5274,7 +5274,8 @@ xmlSnprintfElements(char *buf, int size, + strcat(buf, " ..."); + return; + } +- strcat(buf, (char *) cur->name); ++ if (cur->name != NULL) ++ strcat(buf, (char *) cur->name); + if (cur->next != NULL) + strcat(buf, " "); + break; diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2025-24928.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2025-24928.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2025-24928.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2025-24928.patch 2025-06-06 08:49:57.000000000 +0000 @@ -0,0 +1,51 @@ +From 8c8753ad5280ee13aee5eec9b0f6eee2ed920f57 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 11 Feb 2025 17:30:40 +0100 +Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in + xmlSnprintfElements + +Fixes #847. +--- + valid.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- libxml2-2.12.7+dfsg+really2.9.14.orig/valid.c ++++ libxml2-2.12.7+dfsg+really2.9.14/valid.c +@@ -5259,26 +5259,26 @@ xmlSnprintfElements(char *buf, int size, + return; + } + switch (cur->type) { +- case XML_ELEMENT_NODE: ++ case XML_ELEMENT_NODE: { ++ int qnameLen = xmlStrlen(cur->name); ++ ++ if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) ++ qnameLen += xmlStrlen(cur->ns->prefix) + 1; ++ if (size - len < qnameLen + 10) { ++ if ((size - len > 4) && (buf[len - 1] != '.')) ++ strcat(buf, " ..."); ++ return; ++ } + if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) { +- if (size - len < xmlStrlen(cur->ns->prefix) + 10) { +- if ((size - len > 4) && (buf[len - 1] != '.')) +- strcat(buf, " ..."); +- return; +- } + strcat(buf, (char *) cur->ns->prefix); + strcat(buf, ":"); + } +- if (size - len < xmlStrlen(cur->name) + 10) { +- if ((size - len > 4) && (buf[len - 1] != '.')) +- strcat(buf, " ..."); +- return; +- } + if (cur->name != NULL) + strcat(buf, (char *) cur->name); + if (cur->next != NULL) + strcat(buf, " "); + break; ++ } + case XML_TEXT_NODE: + if (xmlIsBlankNode(cur)) + break; diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2025-27113.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2025-27113.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2025-27113.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2025-27113.patch 2025-06-06 08:49:57.000000000 +0000 @@ -0,0 +1,26 @@ +From 6c716d491dd2e67f08066f4dc0619efeb49e43e6 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 13 Feb 2025 16:48:53 +0100 +Subject: [PATCH] pattern: Fix compilation of explicit child axis + +The child axis is the default axis and should generate XML_OP_ELEM like +the case without an axis. +--- + pattern.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- libxml2-2.12.7+dfsg+really2.9.14.orig/pattern.c ++++ libxml2-2.12.7+dfsg+really2.9.14/pattern.c +@@ -1178,10 +1178,10 @@ xmlCompileStepPattern(xmlPatParserContex + goto error; + } + } else { +- PUSH(XML_OP_CHILD, token, URL); ++ PUSH(XML_OP_ELEM, token, URL); + } + } else +- PUSH(XML_OP_CHILD, name, NULL); ++ PUSH(XML_OP_ELEM, name, NULL); + return; + } else if (xmlStrEqual(name, (const xmlChar *) "attribute")) { + XML_PAT_FREE_STRING(ctxt, name) diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2025-32414-bug-889-v2.10.4-and-below.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2025-32414-bug-889-v2.10.4-and-below.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2025-32414-bug-889-v2.10.4-and-below.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2025-32414-bug-889-v2.10.4-and-below.patch 2025-06-06 08:49:57.000000000 +0000 @@ -0,0 +1,60 @@ +Index: libxml2-2.9.14+dfsg/python/libxml.c +=================================================================== +--- libxml2-2.9.14+dfsg.orig/python/libxml.c ++++ libxml2-2.9.14+dfsg/python/libxml.c +@@ -287,7 +287,9 @@ xmlPythonFileReadRaw (void * context, ch + #endif + file = (PyObject *) context; + if (file == NULL) return(-1); +- ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len); ++ /* When read() returns a string, the length is in characters not bytes, so ++ request at most len / 4 characters to leave space for UTF-8 encoding. */ ++ ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len / 4); + if (ret == NULL) { + printf("xmlPythonFileReadRaw: result is NULL\n"); + return(-1); +@@ -322,10 +324,12 @@ xmlPythonFileReadRaw (void * context, ch + Py_DECREF(ret); + return(-1); + } +- if (lenread > len) +- memcpy(buffer, data, len); +- else +- memcpy(buffer, data, lenread); ++ if (lenread < 0 || lenread > len) { ++ printf("xmlPythonFileReadRaw: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); ++ } ++ memcpy(buffer, data, lenread); + Py_DECREF(ret); + return(lenread); + } +@@ -352,7 +356,9 @@ xmlPythonFileRead (void * context, char + #endif + file = (PyObject *) context; + if (file == NULL) return(-1); +- ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len); ++ /* When read() returns a string, the length is in characters not bytes, so ++ request at most len / 4 characters to leave space for UTF-8 encoding. */ ++ ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4); + if (ret == NULL) { + printf("xmlPythonFileRead: result is NULL\n"); + return(-1); +@@ -387,10 +393,12 @@ xmlPythonFileRead (void * context, char + Py_DECREF(ret); + return(-1); + } +- if (lenread > len) +- memcpy(buffer, data, len); +- else +- memcpy(buffer, data, lenread); ++ if (lenread < 0 || lenread > len) { ++ printf("xmlPythonFileRead: invalid lenread\n"); ++ Py_DECREF(ret); ++ return(-1); ++ } ++ memcpy(buffer, data, lenread); + Py_DECREF(ret); + return(lenread); + } diff -Nru libxml2-2.9.14+dfsg/debian/patches/CVE-2025-32415.patch libxml2-2.9.14+dfsg/debian/patches/CVE-2025-32415.patch --- libxml2-2.9.14+dfsg/debian/patches/CVE-2025-32415.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/CVE-2025-32415.patch 2025-06-06 08:49:57.000000000 +0000 @@ -0,0 +1,35 @@ +From 384cc7c182fc00c6d5e2ab4b5e3671b2e3f93c84 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 6 Apr 2025 12:41:11 +0200 +Subject: [PATCH] [CVE-2025-32415] schemas: Fix heap buffer overflow in + xmlSchemaIDCFillNodeTables + +Don't use local variable which could contain a stale value. + +Fixes #890. +--- + xmlschemas.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: libxml2-2.12.7+dfsg+really2.9.14/xmlschemas.c +=================================================================== +--- libxml2-2.12.7+dfsg+really2.9.14.orig/xmlschemas.c ++++ libxml2-2.12.7+dfsg+really2.9.14/xmlschemas.c +@@ -23618,7 +23618,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaVali + j++; + } while (j < nbDupls); + } +- if (nbNodeTable) { ++ if (bind->nbNodes) { + j = 0; + do { + if (nbFields == 1) { +@@ -23669,7 +23669,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaVali + + next_node_table_entry: + j++; +- } while (j < nbNodeTable); ++ } while (j < bind->nbNodes); + } + /* + * If everything is fine, then add the IDC target-node to diff -Nru libxml2-2.9.14+dfsg/debian/patches/series libxml2-2.9.14+dfsg/debian/patches/series --- libxml2-2.9.14+dfsg/debian/patches/series 2023-07-10 19:58:07.000000000 +0000 +++ libxml2-2.9.14+dfsg/debian/patches/series 2025-06-06 08:49:57.000000000 +0000 @@ -8,3 +8,15 @@ CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch Reset-nsNr-in-xmlCtxtReset.patch Also-reset-nsNr-in-htmlCtxtReset.patch +CVE-2022-49043.patch +CVE-2024-34459.patch +CVE-2024-56171.patch +CVE-2025-24928-pre1.patch +CVE-2025-24928.patch +CVE-2025-27113.patch +CVE-2023-39615_1.patch +CVE-2023-39615_2.patch +CVE-2023-45322.patch +CVE-2024-25062.patch +CVE-2025-32414-bug-889-v2.10.4-and-below.patch +CVE-2025-32415.patch