[AUTO-CHERRYPICK] Patch libxslt for CVE-2024-55549 and CVE-2025-24855 [High] - branch main (#13035)

Co-authored-by: sindhu-karri <[email protected]>

Author: CBL-Mariner-Bot

SPECS/libxslt/CVE-2024-55549.patch

@@ -0,0 +1,47 @@
+From 46041b65f2fbddf5c284ee1a1332fa2c515c0515 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Thu, 5 Dec 2024 12:43:19 +0100
+Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
+
+Definitions of excluded namespaces could be deleted in
+xsltParseTemplateContent. Store excluded namespace URIs in the
+stylesheet's dictionary instead of referencing the namespace definition.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #127.
+Source: https://gitlab.gnome.org/GNOME/libxslt/-/commit/46041b65f2fbddf5c284ee1a1332fa2c515c0515
+Issue: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
+---
+ libxslt/xslt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 7a1ce01..d0e6066 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
+  * in case of error
+  */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
++exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
++    xmlChar *value;
+     int i;
+ 
++    /*
++     * orig can come from a namespace definition on a node which
++     * could be deleted later, for example in xsltParseTemplateContent.
++     * Store the string in stylesheet's dict to avoid use after free.
++     */
++    value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
++    if (value == NULL)
++        return(-1);
++
+     if (style->exclPrefixMax == 0) {
+         style->exclPrefixMax = 4;
+         style->exclPrefixTab =
+-- 
+2.33.8
+

SPECS/libxslt/CVE-2025-24855.patch

@@ -0,0 +1,132 @@
+Source: https://gitlab.gnome.org/GNOME/libxslt/-/commit/c7c7f1f78dd202a053996fcefe57eb994aec8ef2
+Issue: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
+From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Tue, 17 Dec 2024 15:56:21 +0100
+Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node
+
+There are several places where the XPath context node isn't restored
+after modifying it, leading to use-after-free errors with nested XPath
+evaluations and dynamically allocated context nodes.
+
+Restore XPath context node in
+
+- xsltNumberFormatGetValue
+- xsltEvalXPathPredicate
+- xsltEvalXPathStringNs
+- xsltComputeSortResultInternal
+
+In some places, the transformation context node was saved and restored
+which shouldn't be necessary.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #128.
+---
+ libxslt/numbers.c   | 5 +++++
+ libxslt/templates.c | 9 ++++++---
+ libxslt/xsltutils.c | 4 ++--
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 92023f8..58c61b9 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -708,9 +708,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+     int amount = 0;
+     xmlBufferPtr pattern;
+     xmlXPathObjectPtr obj;
++    xmlNodePtr oldNode;
+ 
+     pattern = xmlBufferCreate();
+     if (pattern != NULL) {
++        oldNode = context->node;
++
+ 	xmlBufferCCat(pattern, "number(");
+ 	xmlBufferCat(pattern, value);
+ 	xmlBufferCCat(pattern, ")");
+@@ -723,6 +726,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+ 	    xmlXPathFreeObject(obj);
+ 	}
+ 	xmlBufferFree(pattern);
++
++        context->node = oldNode;
+     }
+     return amount;
+ }
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index 48b73a5..a1a6cc8 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
+@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     int oldNsNr;
+     xmlNsPtr *oldNamespaces;
+     xmlNodePtr oldInst;
++    xmlNodePtr oldNode;
+     int oldProximityPosition, oldContextSize;
+ 
+     if ((ctxt == NULL) || (ctxt->inst == NULL)) {
+@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+         return(0);
+     }
+ 
++    oldNode = ctxt->xpathCtxt->node;
+     oldContextSize = ctxt->xpathCtxt->contextSize;
+     oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ 	ctxt->state = XSLT_STATE_STOPPED;
+ 	ret = 0;
+     }
+-    ctxt->xpathCtxt->nsNr = oldNsNr;
+ 
++    ctxt->xpathCtxt->node = oldNode;
++    ctxt->xpathCtxt->nsNr = oldNsNr;
+     ctxt->xpathCtxt->namespaces = oldNamespaces;
+     ctxt->inst = oldInst;
+     ctxt->xpathCtxt->contextSize = oldContextSize;
+@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     }
+ 
+     oldInst = ctxt->inst;
+-    oldNode = ctxt->node;
++    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ 	 "xsltEvalXPathString: returns %s\n", ret));
+ #endif
+     ctxt->inst = oldInst;
+-    ctxt->node = oldNode;
++    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 94097b9..cfe55ce 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
+@@ -1002,8 +1002,8 @@ xsltComputeSortResult(xsltTransformContextPtr ctxt, xmlNodePtr sort) {
+ 	return(NULL);
+     }
+ 
+-    oldNode = ctxt->node;
+     oldInst = ctxt->inst;
++    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -1065,8 +1065,8 @@ xsltComputeSortResult(xsltTransformContextPtr ctxt, xmlNodePtr sort) {
+ 	    results[i] = NULL;
+ 	}
+     }
+-    ctxt->node = oldNode;
+     ctxt->inst = oldInst;
++    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+-- 
+2.33.8
+

SPECS/libxslt/libxslt.spec

@@ -1,7 +1,7 @@
 Summary:        Libxslt is the XSLT C library developed for the GNOME project. XSLT is a an XML language to define transformation for XML.
 Name:           libxslt
 Version:        1.1.34
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -11,6 +11,8 @@ Source0:        http://xmlsoft.org/sources/%{name}-%{version}.tar.gz
 Patch0:         CVE-2021-30560.patch
 # CVE-2022-29824 is fixed by shared object from libxml2 version 2.9.14
 Patch1:         CVE-2022-29824.nopatch
+Patch2:         CVE-2024-55549.patch
+Patch3:         CVE-2025-24855.patch
 BuildRequires:  libgcrypt-devel
 BuildRequires:  libxml2-devel
 Requires:       libgcrypt
@@ -74,6 +76,9 @@ make %{?_smp_mflags} check
 %{_mandir}/man3/*
 
 %changelog
+* Mon Mar 17 2025 Sindhu Karri <[email protected]> - 1.1.34-8
+- Fix CVE-2025-24855 and CVE-2024-55549
+
 * Tue May 24 2022 Cameron Baird <[email protected]> - 1.1.34-7
 - Applying patch for CVE-2021-30560.
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -218,7 +218,7 @@ libgpg-error-1.46-1.cm2.aarch64.rpm
 libgcrypt-1.10.3-1.cm2.aarch64.rpm
 libksba-1.6.3-1.cm2.aarch64.rpm
 libksba-devel-1.6.3-1.cm2.aarch64.rpm
-libxslt-1.1.34-7.cm2.aarch64.rpm
+libxslt-1.1.34-8.cm2.aarch64.rpm
 npth-1.6-4.cm2.aarch64.rpm
 pinentry-1.2.0-1.cm2.aarch64.rpm
 gnupg2-2.4.0-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -218,7 +218,7 @@ libgpg-error-1.46-1.cm2.x86_64.rpm
 libgcrypt-1.10.3-1.cm2.x86_64.rpm
 libksba-1.6.3-1.cm2.x86_64.rpm
 libksba-devel-1.6.3-1.cm2.x86_64.rpm
-libxslt-1.1.34-7.cm2.x86_64.rpm
+libxslt-1.1.34-8.cm2.x86_64.rpm
 npth-1.6-4.cm2.x86_64.rpm
 pinentry-1.2.0-1.cm2.x86_64.rpm
 gnupg2-2.4.0-2.cm2.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -212,9 +212,9 @@ libtool-debuginfo-2.4.6-8.cm2.aarch64.rpm
 libxml2-2.10.4-6.cm2.aarch64.rpm
 libxml2-debuginfo-2.10.4-6.cm2.aarch64.rpm
 libxml2-devel-2.10.4-6.cm2.aarch64.rpm
-libxslt-1.1.34-7.cm2.aarch64.rpm
-libxslt-debuginfo-1.1.34-7.cm2.aarch64.rpm
-libxslt-devel-1.1.34-7.cm2.aarch64.rpm
+libxslt-1.1.34-8.cm2.aarch64.rpm
+libxslt-debuginfo-1.1.34-8.cm2.aarch64.rpm
+libxslt-devel-1.1.34-8.cm2.aarch64.rpm
 lua-5.4.4-1.cm2.aarch64.rpm
 lua-debuginfo-5.4.4-1.cm2.aarch64.rpm
 lua-devel-5.4.4-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -218,9 +218,9 @@ libtool-debuginfo-2.4.6-8.cm2.x86_64.rpm
 libxml2-2.10.4-6.cm2.x86_64.rpm
 libxml2-debuginfo-2.10.4-6.cm2.x86_64.rpm
 libxml2-devel-2.10.4-6.cm2.x86_64.rpm
-libxslt-1.1.34-7.cm2.x86_64.rpm
-libxslt-debuginfo-1.1.34-7.cm2.x86_64.rpm
-libxslt-devel-1.1.34-7.cm2.x86_64.rpm
+libxslt-1.1.34-8.cm2.x86_64.rpm
+libxslt-debuginfo-1.1.34-8.cm2.x86_64.rpm
+libxslt-devel-1.1.34-8.cm2.x86_64.rpm
 lua-5.4.4-1.cm2.x86_64.rpm
 lua-debuginfo-5.4.4-1.cm2.x86_64.rpm
 lua-devel-5.4.4-1.cm2.x86_64.rpm