ALP-pool/libxslt
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 libxslt revision 05889c03288fd56e3e3ed36da204e778

Browse Source
This commit is contained in:
Adrian Schröter
2025-04-22 15:57:17 +02:00
parent b89ab0622e
commit e05debfe9b
4 changed files with 189 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
libxslt-CVE-2024-55549.patch Normal file
View File

@@ -0,0 +1,42 @@
From 46041b65f2fbddf5c284ee1a1332fa2c515c0515 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 5 Dec 2024 12:43:19 +0100
Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
Definitions of excluded namespaces could be deleted in
xsltParseTemplateContent. Store excluded namespace URIs in the
stylesheet's dictionary instead of referencing the namespace definition.
Thanks to Ivan Fratric for the report!
Fixes #127.
---
libxslt/xslt.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
Index: libxslt-1.1.38/libxslt/xslt.c
===================================================================
--- libxslt-1.1.38.orig/libxslt/xslt.c
+++ libxslt-1.1.38/libxslt/xslt.c
@@ -147,10 +147,20 @@ xsltParseContentError(xsltStylesheetPtr
* in case of error
*/
static int
-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
{
+ xmlChar *value;
int i;
+ /*
+ * orig can come from a namespace definition on a node which
+ * could be deleted later, for example in xsltParseTemplateContent.
+ * Store the string in stylesheet's dict to avoid use after free.
+ */
+ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
+ if (value == NULL)
+ return(-1);
+
/* do not push duplicates */
for (i = 0;i < style->exclPrefixNr;i++) {
if (xmlStrEqual(style->exclPrefixTab[i], value))

130
libxslt-CVE-2025-24855.patch Normal file
View File

@@ -0,0 +1,130 @@
From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Tue, 17 Dec 2024 15:56:21 +0100
Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node
There are several places where the XPath context node isn't restored
after modifying it, leading to use-after-free errors with nested XPath
evaluations and dynamically allocated context nodes.
Restore XPath context node in
- xsltNumberFormatGetValue
- xsltEvalXPathPredicate
- xsltEvalXPathStringNs
- xsltComputeSortResultInternal
In some places, the transformation context node was saved and restored
which shouldn't be necessary.
Thanks to Ivan Fratric for the report!
Fixes #128.
---
libxslt/numbers.c | 5 +++++
libxslt/templates.c | 9 ++++++---
libxslt/xsltutils.c | 4 ++--
3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/libxslt/numbers.c b/libxslt/numbers.c
index 0e1fa136..741124d1 100644
--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
int amount = 0;
xmlBufferPtr pattern;
xmlXPathObjectPtr obj;
+ xmlNodePtr oldNode;
pattern = xmlBufferCreate();
if (pattern != NULL) {
+ oldNode = context->node;
+
xmlBufferCCat(pattern, "number(");
xmlBufferCat(pattern, value);
xmlBufferCCat(pattern, ")");
@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
xmlXPathFreeObject(obj);
}
xmlBufferFree(pattern);
+
+ context->node = oldNode;
}
return amount;
}
diff --git a/libxslt/templates.c b/libxslt/templates.c
index f08b9bda..1c8d96e2 100644
--- a/libxslt/templates.c
+++ b/libxslt/templates.c
@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
int oldNsNr;
xmlNsPtr *oldNamespaces;
xmlNodePtr oldInst;
+ xmlNodePtr oldNode;
int oldProximityPosition, oldContextSize;
if ((ctxt == NULL) || (ctxt->inst == NULL)) {
@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
return(0);
}
+ oldNode = ctxt->xpathCtxt->node;
oldContextSize = ctxt->xpathCtxt->contextSize;
oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
oldNsNr = ctxt->xpathCtxt->nsNr;
@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
ctxt->state = XSLT_STATE_STOPPED;
ret = 0;
}
- ctxt->xpathCtxt->nsNr = oldNsNr;
+ ctxt->xpathCtxt->node = oldNode;
+ ctxt->xpathCtxt->nsNr = oldNsNr;
ctxt->xpathCtxt->namespaces = oldNamespaces;
ctxt->inst = oldInst;
ctxt->xpathCtxt->contextSize = oldContextSize;
@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
}
oldInst = ctxt->inst;
- oldNode = ctxt->node;
+ oldNode = ctxt->xpathCtxt->node;
oldPos = ctxt->xpathCtxt->proximityPosition;
oldSize = ctxt->xpathCtxt->contextSize;
oldNsNr = ctxt->xpathCtxt->nsNr;
@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
"xsltEvalXPathString: returns %s\n", ret));
#endif
ctxt->inst = oldInst;
- ctxt->node = oldNode;
+ ctxt->xpathCtxt->node = oldNode;
ctxt->xpathCtxt->contextSize = oldSize;
ctxt->xpathCtxt->proximityPosition = oldPos;
ctxt->xpathCtxt->nsNr = oldNsNr;
diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
index 0e9dc62f..a20da961 100644
--- a/libxslt/xsltutils.c
+++ b/libxslt/xsltutils.c
@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
return(NULL);
}
- oldNode = ctxt->node;
oldInst = ctxt->inst;
+ oldNode = ctxt->xpathCtxt->node;
oldPos = ctxt->xpathCtxt->proximityPosition;
oldSize = ctxt->xpathCtxt->contextSize;
oldNsNr = ctxt->xpathCtxt->nsNr;
@@ -1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
results[i] = NULL;
}
}
- ctxt->node = oldNode;
ctxt->inst = oldInst;
+ ctxt->xpathCtxt->node = oldNode;
ctxt->xpathCtxt->contextSize = oldSize;
ctxt->xpathCtxt->proximityPosition = oldPos;
ctxt->xpathCtxt->nsNr = oldNsNr;
--
GitLab

13
libxslt.changes
View File

@@ -1,3 +1,16 @@
-------------------------------------------------------------------
Wed Mar 19 13:45:27 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
- Security fixes:
* Fix use-after-free of XPath context node [bsc#1239625, CVE-2025-24855]
* Fix UAF related to excluded namespaces [bsc#1239637, CVE-2024-55549]
* Make generate-id() deterministic [bsc#1238591, CVE-2023-40403]
Just adding the reference here as this CVE was already fixed
in 0009-Make-generate-id-deterministic.patch
* Add patches:
- libxslt-CVE-2024-55549.patch
- libxslt-CVE-2025-24855.patch
-------------------------------------------------------------------
Tue May 9 16:09:17 UTC 2023 - David Anes <david.anes@suse.com>

4
libxslt.spec
View File

@@ -40,6 +40,10 @@ Patch0: libxslt-1.1.24-no-net-autobuild.patch
# Initialize the random seed to ensure libxslt's math.random() function
# produces unpredictable outputs.
Patch1: libxslt-random-seed.patch
# PATCH-FIX-UPSTREAM bsc#1239625 CVE-2025-24855 Fix use-after-free of XPath context node
Patch2: libxslt-CVE-2024-55549.patch
# PATCH-FIX-UPSTREAM bsc#1239637 CVE-2024-55549 Fix UAF related to excluded namespaces
Patch3: libxslt-CVE-2025-24855.patch
#
### SUSE patches starts on 1000
# PATCH-FIX-SUSE