On Apr 17, 2025, at 19:58, Solar Designer <so...@openwall.com> wrote:
> 
> The titles above say "buffer overflow", but information over the
> provided links suggests that both are actually out-of-bounds reads.
> Is this correct?
> 
> On Thu, Apr 17, 2025 at 02:34:40PM +0200, Nick Wellnhofer wrote:
>> These issues are fixed in 2.14.2 and 2.13.8. Older branches won't receive 
>> official updates.
>> 
>> [CVE-2025-32414] Buffer overflow when parsing text streams with Python API
>> https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
>> 
>> The Python Package Index contains an outdated and unsanctioned upload based 
>> on libxml2 2.9.5 which is vulnerable. I tried to inform the PyPI maintainers 
>> but I'm not sure my message made it through.
> 
> "we return `lenread` even if it was larger than `len`! This is probably
> what causes callers to read past the end of the buffer, triggering
> memory errors reported by Valgrind"

I haven't looked at the details, but I assume that out-of-bounds writes are 
possible as well.

>> [CVE-2025-32415] Heap-based Buffer Overflow in xmlSchemaIDCFillNodeTables
>> https://gitlab.gnome.org/GNOME/libxml2/-/issues/890
> 
> "This issue occurs when processing crafted xml files, leading to an
> out-of-bounds read and potential application crash.
> The reason is that the xmlSchemaIDCFillNodeTables function uses the -1
> operation when removing duplicate entry from the IDC node-table, but
> does not check the value of bind -> nbNodes. When bind -> nbNodes
> becomes 0, it will cause the bind -> nodeTable array to be read out of
> bounds."

Right, it's probably just an OOB read. The title was copied from the original 
report.

Nick
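The return-value contract the issue 889 quote describes, shown as an added illustration that is not libxml2's or its Python binding's code: a hypothetical read callback in the general shape of libxml2's input callbacks (`int cb(void *ctx, char *buf, int len)`), with a buggy variant that reports `lenread` beyond `len` beside a fixed variant that clamps and carries the surplus over to the next call. The line-oriented stream, `next_line`, `reader_t` and `drain` are all constructed for this demo.

```c
#include <string.h>
/* Constructed stand-in for a text stream that hands back whole lines, so one
 * read may yield more bytes than requested (hypothetical, not libxml2 code). */
typedef struct { const char *data; size_t len, pos; } line_stream_t;

static const char *next_line(line_stream_t *s, size_t *out_len) {
    const char *start = s->data + s->pos;
    const char *nl = memchr(start, '\n', s->len - s->pos);
    size_t n = nl ? (size_t)(nl - start) + 1 : s->len - s->pos;
    s->pos += n;
    *out_len = n;
    return start;
}

/* Buggy callback: returns lenread even when it exceeds len, so the caller walks
 * buf[0..lenread) past its buffer. Copy is clamped only so the demo stays safe. */
static int read_cb_buggy(void *ctx, char *buf, int len) {
    size_t lenread;
    const char *chunk = next_line(ctx, &lenread);
    memcpy(buf, chunk, lenread < (size_t)len ? lenread : (size_t)len);
    return (int)lenread;                          /* BUG: may exceed len */
}

/* Fixed callback: never reports more than len; surplus bytes from the stream
 * are parked and served on the next call. */
typedef struct { line_stream_t *src; const char *pending; size_t pending_len; } reader_t;
static int read_cb_fixed(void *ctx, char *buf, int len) {
    reader_t *r = ctx;
    if (len <= 0) return 0;
    if (r->pending_len == 0) {
        if (r->src->pos >= r->src->len) return 0;  /* EOF */
        r->pending = next_line(r->src, &r->pending_len);
    }
    size_t n = r->pending_len < (size_t)len ? r->pending_len : (size_t)len;
    memcpy(buf, r->pending, n);
    r->pending += n; r->pending_len -= n;
    return (int)n;                                /* 0 <= n <= len */
}
/* Drive a callback as a parser would, with a small fixed read size; returns
 * the byte total, or -1 as soon as a call claims more than len. */
static long drain(int (*cb)(void *, char *, int), void *ctx, int len) {
    char buf[64];                 /* > len, so the buggy path stays in bounds */
    long total = 0; int n;
    while ((n = cb(ctx, buf, len)) > 0) {
        if (n > len) return -1;
        total += n;
    }
    return total;
}
```

A parser that trusts the buggy return value would consume 11 bytes from a 4-byte request; the fixed callback delivers the same 18 bytes across calls without ever exceeding the requested size.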
