Hi, Thank you Nick for reporting these in here!
The titles above say "buffer overflow", but information over the provided links suggests that both are actually out-of-bounds reads. Is this correct? On Thu, Apr 17, 2025 at 02:34:40PM +0200, Nick Wellnhofer wrote: > These issues are fixed in 2.14.2 and 2.13.8. Older branches won't receive > official updates. > > [CVE-2025-32414] Buffer overflow when parsing text streams with Python API > https://gitlab.gnome.org/GNOME/libxml2/-/issues/889 > > The Python Package Index contains an outdated and unsanctioned upload based > on libxml2 2.9.5 which is vulnerable. I tried to inform the PyPI maintainers > but I'm not sure my message made it through. "we return `lenread` even if it was larger than `len`! This is probably what causes callers to read past the end of the buffer, triggering memory errors reported by Valgrind" > [CVE-2025-32415] Heap-based Buffer Overflow in xmlSchemaIDCFillNodeTables > https://gitlab.gnome.org/GNOME/libxml2/-/issues/890 "This issue occurs when processing crafted xml files, leading to an out-of-bounds read and potential application crash. The reason is that the xmlSchemaIDCFillNodeTables function uses the -1 operation when removing duplicate entry from the IDC node-table, but does not check the value of bind -> nbNodes. When bind -> nbNodes becomes 0, it will cause the bind -> nodeTable array to be read out of bounds." Alexander
