!291 fix CVE-2025-32414

From: @fundawang 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

backport-CVE-2024-56171.patch

@@ -0,0 +1,41 @@
+From 245b70d7d2768572ae1b05b3668ca858b9ec4ed4 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 10 Dec 2024 16:52:05 +0100
+Subject: [PATCH] [CVE-2024-56171] Fix use-after-free after
+ xmlSchemaItemListAdd
+
+xmlSchemaItemListAdd can reallocate the items array. Update local
+variables after adding item in
+
+- xmlSchemaIDCFillNodeTables
+- xmlSchemaBubbleIDCNodeTables
+
+Fixes #828.
+---
+ xmlschemas.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index d276faf10..28b14bd44 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -23388,6 +23388,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+ 			}
+ 			if (xmlSchemaItemListAdd(bind->dupls, bind->nodeTable[j]) == -1)
+ 			    goto internal_error;
++                        dupls = (xmlSchemaPSVIIDCNodePtr *) bind->dupls->items;
+ 			/*
+ 			* Remove the duplicate entry from the IDC node-table.
+ 			*/
+@@ -23604,6 +23605,8 @@ xmlSchemaBubbleIDCNodeTables(xmlSchemaValidCtxtPtr vctxt)
+ 				goto internal_error;
+ 			}
+ 			xmlSchemaItemListAdd(parBind->dupls, parNode);
++		        dupls = (xmlSchemaPSVIIDCNodePtr *)
++                            parBind->dupls->items;
+ 		    } else {
+ 			/*
+ 			* Add the node-table entry (node and key-sequence) of
+-- 
+GitLab
+

backport-CVE-2025-24928.patch

@@ -0,0 +1,55 @@
+From 858ca26c0689161a6b903a6682cc8a1cc10a0ea8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 11 Feb 2025 17:30:40 +0100
+Subject: [PATCH] [CVE-2025-24928] Fix stack-buffer-overflow in
+ xmlSnprintfElements
+
+Fixes #847.
+---
+ valid.c | 25 +++++++++++++------------
+ 1 file changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/valid.c b/valid.c
+index 76d657d62..abefdc50a 100644
+--- a/valid.c
++++ b/valid.c
+@@ -5268,26 +5268,26 @@
+ 	    return;
+ 	}
+         switch (cur->type) {
+-            case XML_ELEMENT_NODE:
++            case XML_ELEMENT_NODE: {
++                int qnameLen = xmlStrlen(cur->name);
++
++                if ((cur->ns != NULL) && (cur->ns->prefix != NULL))
++                    qnameLen += xmlStrlen(cur->ns->prefix) + 1;
++                if (size - len < qnameLen + 10) {
++                    if ((size - len > 4) && (buf[len - 1] != '.'))
++                        strcat(buf, " ...");
++                    return;
++                }
+ 		if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) {
+-		    if (size - len < xmlStrlen(cur->ns->prefix) + 10) {
+-			if ((size - len > 4) && (buf[len - 1] != '.'))
+-			    strcat(buf, " ...");
+-			return;
+-		    }
+ 		    strcat(buf, (char *) cur->ns->prefix);
+ 		    strcat(buf, ":");
+ 		}
+-                if (size - len < xmlStrlen(cur->name) + 10) {
+-		    if ((size - len > 4) && (buf[len - 1] != '.'))
+-			strcat(buf, " ...");
+-		    return;
+-		}
+                 if (cur->name != NULL)
+ 	            strcat(buf, (char *) cur->name);
+ 		if (cur->next != NULL)
+ 		    strcat(buf, " ");
+ 		break;
++                }
+             case XML_TEXT_NODE:
+ 		if (xmlIsBlankNode(cur))
+ 		    break;
+--
+GitLab

backport-CVE-2025-27113.patch

@@ -0,0 +1,31 @@
+From 503f788e84f1c1f1d769c2c7258d77faee94b5a3 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 13 Feb 2025 16:48:53 +0100
+Subject: [PATCH] pattern: Fix compilation of explicit child axis
+
+The child axis is the default axis and should generate XML_OP_ELEM like
+the case without an axis.
+---
+ pattern.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pattern.c b/pattern.c
+index 55ae2d3e5..b0f7f1601 100644
+--- a/pattern.c
++++ b/pattern.c
+@@ -1164,10 +1164,10 @@ xmlCompileStepPattern(xmlPatParserContextPtr ctxt) {
+ 			    goto error;
+ 			}
+ 		    } else {
+-			PUSH(XML_OP_CHILD, token, URL);
++			PUSH(XML_OP_ELEM, token, URL);
+ 		    }
+ 		} else
+-		    PUSH(XML_OP_CHILD, name, NULL);
++		    PUSH(XML_OP_ELEM, name, NULL);
+ 		return;
+ 	    } else if (xmlStrEqual(name, (const xmlChar *) "attribute")) {
+ 		XML_PAT_FREE_STRING(ctxt, name)
+-- 
+GitLab
+

backport-CVE-2025-32414.patch

@@ -0,0 +1,66 @@
+From: Maks Verver <maks@verver.ch>
+Date: Tue, 8 Apr 2025 13:13:55 +0200
+Subject: [PATCH 2/2] [CVE-2025-32414] python: Read at most len/4 characters.
+
+Fixes #889 by reserving space in the buffer for UTF-8 encoding of text.
+
+Index: libxml2-2.9.10+dfsg/python/libxml.c
+===================================================================
+--- libxml2-2.9.10+dfsg.orig/python/libxml.c	2025-04-28 12:34:16.797639445 +0200
++++ libxml2-2.9.10+dfsg/python/libxml.c	2025-04-28 12:34:16.793639446 +0200
+@@ -286,7 +286,9 @@
+ #endif
+     file = (PyObject *) context;
+     if (file == NULL) return(-1);
+-    ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len);
++    /* When read() returns a string, the length is in characters not bytes, so
++       request at most len / 4 characters to leave space for UTF-8 encoding. */
++    ret = PyEval_CallMethod(file, (char *) "read", (char *) "(i)", len / 4);
+     if (ret == NULL) {
+ 	printf("xmlPythonFileReadRaw: result is NULL\n");
+ 	return(-1);
+@@ -321,10 +323,12 @@
+ 	Py_DECREF(ret);
+ 	return(-1);
+     }
+-    if (lenread > len)
+-	memcpy(buffer, data, len);
+-    else
+-	memcpy(buffer, data, lenread);
++    if (lenread < 0 || lenread > len) {
++	printf("xmlPythonFileReadRaw: invalid lenread\n");
++	Py_DECREF(ret);
++	return(-1);
++    }
++    memcpy(buffer, data, lenread);
+     Py_DECREF(ret);
+     return(lenread);
+ }
+@@ -351,7 +355,9 @@
+ #endif
+     file = (PyObject *) context;
+     if (file == NULL) return(-1);
+-    ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len);
++    /* When read() returns a string, the length is in characters not bytes, so
++       request at most len / 4 characters to leave space for UTF-8 encoding. */
++    ret = PyEval_CallMethod(file, (char *) "io_read", (char *) "(i)", len / 4);
+     if (ret == NULL) {
+ 	printf("xmlPythonFileRead: result is NULL\n");
+ 	return(-1);
+@@ -386,10 +392,12 @@
+ 	Py_DECREF(ret);
+ 	return(-1);
+     }
+-    if (lenread > len)
+-	memcpy(buffer, data, len);
+-    else
+-	memcpy(buffer, data, lenread);
++    if (lenread < 0 || lenread > len) {
++	printf("xmlPythonFileRead: invalid lenread\n");
++	Py_DECREF(ret);
++	return(-1);
++    }
++    memcpy(buffer, data, lenread);
+     Py_DECREF(ret);
+     return(lenread);
+ }

backport-CVE-2025-32415.patch

@@ -0,0 +1,38 @@
+From 384cc7c182fc00c6d5e2ab4b5e3671b2e3f93c84 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 6 Apr 2025 12:41:11 +0200
+Subject: [PATCH] [CVE-2025-32415] schemas: Fix heap buffer overflow in
+ xmlSchemaIDCFillNodeTables
+
+Don't use local variable which could contain a stale value.
+
+Fixes #890.
+---
+ xmlschemas.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xmlschemas.c b/xmlschemas.c
+index e35c117ef..4bdabd129 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -23324,7 +23324,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+ 			j++;
+ 		    } while (j < nbDupls);
+ 		}
+-		if (nbNodeTable) {
++		if (bind->nbNodes) {
+ 		    j = 0;
+ 		    do {
+ 			if (nbFields == 1) {
+@@ -23375,7 +23375,7 @@ xmlSchemaIDCFillNodeTables(xmlSchemaValidCtxtPtr vctxt,
+ 
+ next_node_table_entry:
+ 			j++;
+-		    } while (j < nbNodeTable);
++		    } while (j < bind->nbNodes);
+ 		}
+ 		/*
+ 		* If everything is fine, then add the IDC target-node to
+-- 
+GitLab
+

backport-xpath-Fix-build-without-LIBXML_XPATH_ENABLED.patch

@@ -0,0 +1,219 @@
+From 01723fc68f8be8ee9b986f3266c81013f8f66d03 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 8 May 2023 23:12:33 +0200
+Subject: [PATCH] xpath: Fix build without LIBXML_XPATH_ENABLED
+
+Move static function declaration into XPATH block. Also move comparison
+functions.
+
+Fixes #537.
+
+---
+ xpath.c | 184 ++++++++++++++++++++++++++++----------------------------
+ 1 file changed, 92 insertions(+), 92 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index a832722..cbdff93 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -153,6 +153,98 @@
+  * any use of the macros IS_ASCII_CHARACTER and IS_ASCII_DIGIT)
+  */
+ 
++#if defined(LIBXML_XPATH_ENABLED) || defined(LIBXML_SCHEMAS_ENABLED)
++
++/************************************************************************
++ *									*
++ *			Floating point stuff				*
++ *									*
++ ************************************************************************/
++
++double xmlXPathNAN = 0.0;
++double xmlXPathPINF = 0.0;
++double xmlXPathNINF = 0.0;
++
++/**
++ * xmlXPathInit:
++ *
++ * Initialize the XPath environment
++ */
++ATTRIBUTE_NO_SANITIZE("float-divide-by-zero")
++void
++xmlXPathInit(void) {
++    /* MSVC doesn't allow division by zero in constant expressions. */
++    double zero = 0.0;
++    xmlXPathNAN = 0.0 / zero;
++    xmlXPathPINF = 1.0 / zero;
++    xmlXPathNINF = -xmlXPathPINF;
++}
++
++/**
++ * xmlXPathIsNaN:
++ * @val:  a double value
++ *
++ * Returns 1 if the value is a NaN, 0 otherwise
++ */
++int
++xmlXPathIsNaN(double val) {
++#ifdef isnan
++    return isnan(val);
++#else
++    return !(val == val);
++#endif
++}
++
++/**
++ * xmlXPathIsInf:
++ * @val:  a double value
++ *
++ * Returns 1 if the value is +Infinite, -1 if -Infinite, 0 otherwise
++ */
++int
++xmlXPathIsInf(double val) {
++#ifdef isinf
++    return isinf(val) ? (val > 0 ? 1 : -1) : 0;
++#else
++    if (val >= xmlXPathPINF)
++        return 1;
++    if (val <= -xmlXPathPINF)
++        return -1;
++    return 0;
++#endif
++}
++
++#endif /* SCHEMAS or XPATH */
++
++#ifdef LIBXML_XPATH_ENABLED
++
++/*
++ * TODO: when compatibility allows remove all "fake node libxslt" strings
++ *       the test should just be name[0] = ' '
++ */
++#ifdef DEBUG_XPATH_EXPRESSION
++#define DEBUG_STEP
++#define DEBUG_EXPR
++#define DEBUG_EVAL_COUNTS
++#endif
++
++static xmlNs xmlXPathXMLNamespaceStruct = {
++    NULL,
++    XML_NAMESPACE_DECL,
++    XML_XML_NAMESPACE,
++    BAD_CAST "xml",
++    NULL,
++    NULL
++};
++static xmlNsPtr xmlXPathXMLNamespace = &xmlXPathXMLNamespaceStruct;
++#ifndef LIBXML_THREAD_ENABLED
++/*
++ * Optimizer is disabled only when threaded apps are detected while
++ * the library ain't compiled for thread safety.
++ */
++static int xmlXPathDisableOptimizer = 0;
++#endif
++
+ static void
+ xmlXPathNodeSetClear(xmlNodeSetPtr set, int hasNsNodes);
+ 
+@@ -483,98 +575,6 @@ int wrap_cmp( xmlNodePtr x, xmlNodePtr y );
+ #include "timsort.h"
+ #endif /* WITH_TIM_SORT */
+ 
+-#if defined(LIBXML_XPATH_ENABLED) || defined(LIBXML_SCHEMAS_ENABLED)
+-
+-/************************************************************************
+- *									*
+- *			Floating point stuff				*
+- *									*
+- ************************************************************************/
+-
+-double xmlXPathNAN = 0.0;
+-double xmlXPathPINF = 0.0;
+-double xmlXPathNINF = 0.0;
+-
+-/**
+- * xmlXPathInit:
+- *
+- * Initialize the XPath environment
+- */
+-ATTRIBUTE_NO_SANITIZE("float-divide-by-zero")
+-void
+-xmlXPathInit(void) {
+-    /* MSVC doesn't allow division by zero in constant expressions. */
+-    double zero = 0.0;
+-    xmlXPathNAN = 0.0 / zero;
+-    xmlXPathPINF = 1.0 / zero;
+-    xmlXPathNINF = -xmlXPathPINF;
+-}
+-
+-/**
+- * xmlXPathIsNaN:
+- * @val:  a double value
+- *
+- * Returns 1 if the value is a NaN, 0 otherwise
+- */
+-int
+-xmlXPathIsNaN(double val) {
+-#ifdef isnan
+-    return isnan(val);
+-#else
+-    return !(val == val);
+-#endif
+-}
+-
+-/**
+- * xmlXPathIsInf:
+- * @val:  a double value
+- *
+- * Returns 1 if the value is +Infinite, -1 if -Infinite, 0 otherwise
+- */
+-int
+-xmlXPathIsInf(double val) {
+-#ifdef isinf
+-    return isinf(val) ? (val > 0 ? 1 : -1) : 0;
+-#else
+-    if (val >= xmlXPathPINF)
+-        return 1;
+-    if (val <= -xmlXPathPINF)
+-        return -1;
+-    return 0;
+-#endif
+-}
+-
+-#endif /* SCHEMAS or XPATH */
+-
+-#ifdef LIBXML_XPATH_ENABLED
+-
+-/*
+- * TODO: when compatibility allows remove all "fake node libxslt" strings
+- *       the test should just be name[0] = ' '
+- */
+-#ifdef DEBUG_XPATH_EXPRESSION
+-#define DEBUG_STEP
+-#define DEBUG_EXPR
+-#define DEBUG_EVAL_COUNTS
+-#endif
+-
+-static xmlNs xmlXPathXMLNamespaceStruct = {
+-    NULL,
+-    XML_NAMESPACE_DECL,
+-    XML_XML_NAMESPACE,
+-    BAD_CAST "xml",
+-    NULL,
+-    NULL
+-};
+-static xmlNsPtr xmlXPathXMLNamespace = &xmlXPathXMLNamespaceStruct;
+-#ifndef LIBXML_THREAD_ENABLED
+-/*
+- * Optimizer is disabled only when threaded apps are detected while
+- * the library ain't compiled for thread safety.
+- */
+-static int xmlXPathDisableOptimizer = 0;
+-#endif
+-
+ /************************************************************************
+  *									*
+  *			Error handling routines				*
+-- 
+2.33.0
+

libxml2.spec

@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.9.14
-Release: 12
+Release: 17
 License: MIT
 Group: Development/Libraries
 Source: https://download.gnome.org/sources/%{name}/2.9/%{name}-%{version}.tar.xz
@@ -223,6 +223,12 @@ Patch6198:	backport-entities-Don-t-allow-null-name-in-xmlNewEntity.patch
 Patch6199:	backport-save-Check-for-NULL-node-name-in-xhtmlIsEmpty.patch
 Patch6200:	backport-valid-Check-for-NULL-node-name-in-xmlSnprintfElement.patch
 Patch6201:	backport-CVE-2024-34459.patch
+Patch6202:	backport-xpath-Fix-build-without-LIBXML_XPATH_ENABLED.patch
+Patch6203:      backport-CVE-2024-56171.patch
+Patch6204:      backport-CVE-2025-24928.patch
+Patch6205:      backport-CVE-2025-27113.patch
+Patch6206:      backport-CVE-2025-32415.patch
+Patch6207:      backport-CVE-2025-32414.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python3-devel
@@ -329,7 +335,7 @@ rm -fr %{buildroot}
 %files
 %defattr(-, root, root)
 
-%doc %{_datadir}/doc/libxml2
+%doc NEWS README.md Copyright TODO
 
 %{_libdir}/lib*.so.*
 %{_bindir}/xmllint
@@ -342,6 +348,8 @@ rm -fr %{buildroot}
 %doc doc/*.html doc/html doc/*.gif doc/*.png
 %doc doc/tutorial doc/libxml2-api.xml.gz
 %doc doc/examples
+%doc %{_datadir}/doc/libxml2/examples
+%doc %{_datadir}/doc/libxml2/html
 %doc %dir %{_datadir}/gtk-doc/html/libxml2
 %doc %{_datadir}/gtk-doc/html/libxml2/*.devhelp2
 %doc %{_datadir}/gtk-doc/html/libxml2/*.html
@@ -378,6 +386,38 @@ rm -fr %{buildroot}
 
 
 %changelog
+* Wed May 14 2025 Funda Wang <fundawang@yeah.net> - 2.9.14-17
+- Type:CVE
+- CVE:CVE-2025-32414
+- SUG:NA
+- DESC: fix CVE-2025-32414
+
+* Fri Apr 18 2025 Funda Wang <fundawang@yeah.net> - 2.9.14-16
+- Type:CVE
+- CVE:CVE-2025-32415
+- SUG:NA
+- DESC: fix CVE-2025-32415
+
+* Mon Feb 24 2025 Funda Wang <fundawang@yeah.net> - 2.9.14-15
+- Type:CVE
+- CVE:CVE-2024-56171
+- CVE:CVE-2025-24928
+- CVE:CVE-2025-27113
+- SUG:NA
+- DESC: fix CVE-2024-56171, CVE-2025-24928, CVE-2025-27113
+
+* Wed Jun 26 2024 zhuofeng <zhuofeng2@huawei.com> - 2.9.14-14
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:remove doc from libxml2 to libxml2-devel
+
+* Sat May 18 2024 zhuofeng <zhuofeng2@huawei.com> - 2.9.14-13
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:backport upstream patches
+
 * Thu May 16 2024 cenhuilin <cenhuilin@kylinos.cn> - 2.9.14-12
 - Type:CVE
 - CVE:CVE-2024-34459