Bug 953961 (CVE-2025-32414, CVE-2025-32415) - dev-libs/libxml2: uninitialized memory read, heap overflow
Summary: dev-libs/libxml2: uninitialized memory read, heap overflow
Status: CONFIRMED
Alias: CVE-2025-32414, CVE-2025-32415
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/libxml...
Whiteboard: B2 [ebuild]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2025-04-17 16:44 UTC by Hank Leininger
Modified: 2025-04-18 20:20 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Hank Leininger 2025-04-17 16:44:46 UTC
The issue is with the Python bindings, so I would guess USE=-python is unaffected. We IUSE=+python, so it's on by default.

Fixed in upstream 2.13.8 and 2.14.2, and they've said older branches won't get updates (we have 2.11.x and 2.12.x as well as 2.13.x).

Note also, upstream has said they plan to deprecate the python bindings: https://gitlab.gnome.org/GNOME/libxml2/-/issues/891

It seems we don't have many packages that depend on dev-libs/libxml2[python]: gimp-help, virt-manager, recoll, itstool; the last of these has a WIP PR to migrate from libxml2 to lxml.
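A triage helper for the rules stated in the description, added here as an example and not part of this bug, of Gentoo's ebuild, or of libxml2: the fix shipped in 2.13.8 and 2.14.2, 2.11.x and 2.12.x get no update, and USE=python builds the affected bindings. The input format (Gentoo PV with an optional -rN revision, USE flags as a space-separated list) and the treatment of _rc/_pre/_alpha/_beta tags as older than the corresponding final release are assumptions of this script; the sample versions at the bottom are constructed, not taken from any system.

```shell
#!/bin/sh
# Added example (not from the bug or from libxml2): decide whether an installed
# dev-libs/libxml2 version carries the upstream fix and whether the python
# bindings are built. Assumes Gentoo-style version strings such as 2.13.8-r1.

# libxml2_fixed VERSION -> exit 0 if VERSION carries the fix, 1 otherwise.
libxml2_fixed() {
    base=${1%%-r*}                      # drop the Gentoo revision (-r1)
    case "$base" in                     # pre-release tags sort below the final
        *_rc*|*_pre*|*_alpha*|*_beta*) pre=1 ;;
        *)                             pre=0 ;;
    esac
    base=${base%%_*}                    # drop the tag itself
    major=${base%%.*}
    rest=${base#*.}
    [ "$rest" = "$base" ] && return 1   # no minor component: unparsable
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "2.13" means 2.13.0
    patch=${patch%%.*}                  # ignore a fourth component
    case "$major$minor$patch" in
        ''|*[!0-9]*) return 1 ;;        # non-numeric: treat as unfixed
    esac
    key=$((major * 1000000 + minor * 1000 + patch))
    # 2.13.x is fixed from 2.13.8; every other branch needs 2.14.2 or newer,
    # which leaves 2.11.x and 2.12.x permanently unfixed.
    if [ "$major" -eq 2 ] && [ "$minor" -eq 13 ]; then thr=2013008; else thr=2014002; fi
    if [ "$pre" -eq 1 ]; then [ "$key" -gt "$thr" ]; else [ "$key" -ge "$thr" ]; fi
}

# libxml2_status VERSION USEFLAGS -> prints one of:
#   fixed       version carries the upstream fix
#   vulnerable  unfixed version built with USE=python (the affected bindings)
#   unfixed     unfixed version without the bindings; still an unpatched branch
libxml2_status() {
    if libxml2_fixed "$1"; then echo fixed; return 0; fi
    case " $2 " in
        *" python "*) echo vulnerable; return 2 ;;
        *)            echo unfixed;    return 1 ;;
    esac
}

# Constructed sample inputs (not real emerge/equery output).
for sample in "2.11.9 python" "2.13.7 python" "2.13.8-r1 python" \
              "2.14.1 -python" "2.14.2_rc1 python" "2.14.2 python"; do
    set -- $sample
    printf '%-12s USE=%-8s %s\n' "$1" "$2" "$(libxml2_status "$1" "$2")"
done
```

On a live system the two arguments come from the package manager, for instance the version and USE column of `emerge -pv dev-libs/libxml2`; the script deliberately keeps the version test separate from the USE test so that a USE=-python build on 2.11.x or 2.12.x is still reported as sitting on a branch upstream will not patch.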
Comment 1 Hank Leininger 2025-04-18 20:02:24 UTC
Per the upstream announcement https://discourse.gnome.org/t/libxml2-2-13-8-released/28428 , the release also fixes a heap overflow (which has some prerequisites to exploit), CVE-2025-32415: https://gitlab.gnome.org/GNOME/libxml2/-/issues/890