From 72b4e3d73ae12b500862861f4ab169583f7ff596 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 14 May 2025 18:11:43 +0000
Subject: [PATCH] import UBI libxslt-1.1.39-7.el10_0
---
.gitignore | 2 +-
.libxslt.metadata | 1 -
SOURCES/libxslt-1.1.26-utf8-docs.patch | 103 ------
SOURCES/libxslt-1.1.32-CVE-2019-11068.patch | 120 -------
SOURCES/libxslt-1.1.32-CVE-2019-18197.patch | 30 --
SOURCES/libxslt-1.1.32-CVE-2024-55549.patch | 103 ------
.../libxslt-1.1.32-unexpected-rvt-flag.patch | 313 ------------------
libxslt-1.1.39-CVE-2024-55549.patch | 45 +++
...tch => libxslt-1.1.39-CVE-2025-24855.patch | 12 +-
SPECS/libxslt.spec => libxslt.spec | 210 ++++++++----
SOURCES/multilib.patch => multilib.patch | 0
SOURCES/multilib2.patch => multilib2.patch | 0
sources | 1 +
13 files changed, 200 insertions(+), 740 deletions(-)
delete mode 100644 .libxslt.metadata
delete mode 100644 SOURCES/libxslt-1.1.26-utf8-docs.patch
delete mode 100644 SOURCES/libxslt-1.1.32-CVE-2019-11068.patch
delete mode 100644 SOURCES/libxslt-1.1.32-CVE-2019-18197.patch
delete mode 100644 SOURCES/libxslt-1.1.32-CVE-2024-55549.patch
delete mode 100644 SOURCES/libxslt-1.1.32-unexpected-rvt-flag.patch
create mode 100644 libxslt-1.1.39-CVE-2024-55549.patch
rename SOURCES/libxslt-1.1.32-CVE-2025-24855.patch => libxslt-1.1.39-CVE-2025-24855.patch (93%)
rename SPECS/libxslt.spec => libxslt.spec (64%)
rename SOURCES/multilib.patch => multilib.patch (100%)
rename SOURCES/multilib2.patch => multilib2.patch (100%)
create mode 100644 sources
diff --git a/.gitignore b/.gitignore
index 808486e..e6fba33 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libxslt-1.1.32.tar.gz
+libxslt-1.1.39.tar.xz
diff --git a/.libxslt.metadata b/.libxslt.metadata
deleted file mode 100644
index 3907fd6..0000000
--- a/.libxslt.metadata
+++ /dev/null
@@ -1 +0,0 @@
-c47969f16747a72f9095b6a7a56d3afdd1e6e9ac SOURCES/libxslt-1.1.32.tar.gz
diff --git a/SOURCES/libxslt-1.1.26-utf8-docs.patch b/SOURCES/libxslt-1.1.26-utf8-docs.patch
deleted file mode 100644
index 537718f..0000000
--- a/SOURCES/libxslt-1.1.26-utf8-docs.patch
+++ /dev/null
@@ -1,103 +0,0 @@ ---- libxslt-1.1.26/ChangeLog.utf8 2009-07-24 10:16:49.000000000 +0200 -+++ libxslt-1.1.26/ChangeLog 2011-03-20 03:28:28.142684293 +0100 -@@ -284,7 +284,7 @@ - - Thu Aug 23 11:47:20 CEST 2007 Daniel Veillard - -- * libexslt/date.c: apply patch from Björn Wiberg fixing build on AIX -+ * libexslt/date.c: apply patch from Björn Wiberg fixing build on AIX - and closing bug #332173 - - Fri Aug 3 15:49:26 CEST 2007 Daniel Veillard -@@ -2112,7 +2112,7 @@ - Tue Feb 17 11:29:15 CET 2004 Daniel Veillard - - * libxslt/templates.c: applied patch from #134588 provided by -- Mariano Suárez-Alvarez, attribute text node without doc. -+ Mariano Suárez-Alvarez, attribute text node without doc. - - Mon Feb 16 15:55:57 CET 2004 Daniel Veillard - -@@ -3121,7 +3121,7 @@ - * python/generator.py: fixed a problem in the generator where - the way functions are remapped as methods on classes was - not symetric and dependant on python internal hash order, -- as reported by Stéphane Bidoul -+ as reported by Stéphane Bidoul - * libexslt/strings.c: attempt at fixing an object type pbm - * libxslt/triodef.h: update for OpenVMS from libxml2 - -@@ -3497,7 +3497,7 @@ - - Thu Jan 2 23:23:30 CET 2003 Daniel Veillard - -- * libexslt/strings.c: applied patch from Jörg Walter to provide -+ * libexslt/strings.c: applied patch from Jörg Walter to provide - URI escaping and unescaping functions. 
- - Thu Dec 26 15:43:31 CET 2002 Daniel Veillard -@@ -3507,7 +3507,7 @@ - - Mon Dec 23 15:43:59 CET 2002 Daniel Veillard - -- * python/libxslt.c: patch from Stéphane Bidoul for Python 2.1 -+ * python/libxslt.c: patch from Stéphane Bidoul for Python 2.1 - - Sun Dec 22 22:54:04 CET 2002 Daniel Veillard - -@@ -3648,7 +3648,7 @@ - - Sun Nov 24 13:58:48 CET 2002 Daniel Veillard - -- * python/libxsl.py: updated with new version from Stéphane Bidoul -+ * python/libxsl.py: updated with new version from Stéphane Bidoul - - Sat Nov 23 22:49:08 CET 2002 Igor Zlatkovic - -@@ -5036,7 +5036,7 @@ - - Mon Nov 26 11:21:27 CET 2001 Daniel Veillard - -- * libxslt/pattern.c: fixing bug #64044 reported by Gero Meißner, -+ * libxslt/pattern.c: fixing bug #64044 reported by Gero Meißner, - template matches compilation was failing to skip blanks bewteen - consecutive predicates - -@@ -5119,7 +5119,7 @@ - - Tue Oct 30 19:32:08 CET 2001 Daniel Veillard - -- * configure.in: applied patches from David Härdeman closing -+ * configure.in: applied patches from David Härdeman closing - bug #62891 - - Tue Oct 30 15:25:19 CET 2001 Daniel Veillard ---- libxslt-1.1.26/NEWS.utf8 2009-09-24 16:38:20.000000000 +0200 -+++ libxslt-1.1.26/NEWS 2011-03-20 03:27:37.440684281 +0100 -@@ -312,7 +312,7 @@ - - - 1.1.4: Feb 23 2004: -- - bugfixes: attributes without doc (Mariano Suárez-Alvarez), problem with -+ - bugfixes: attributes without doc (Mariano Suárez-Alvarez), problem with - Yelp, extension problem - - display extension modules (Steve Little) - - Windows compilation patch (Mark Vadoc), Mingw (Mikhail Grushinskiy) -@@ -472,7 +472,7 @@ - - - 1.0.24: Jan 14 2003: -- - bug fixes: imported global varables, python bindings (Stéphane Bidoul), -+ - bug fixes: imported global varables, python bindings (Stéphane Bidoul), - EXSLT memory leak (Charles Bozeman), namespace generation on - xsl:attribute, space handling with imports (Daniel Stodden), - extension-element-prefixes (Josh Parsons), comments within xsl:text 
(Matt -@@ -485,7 +485,7 @@ - - fix the API generation scripts - - API to provide the sorting routines (Richard Jinks) - - added XML description of the EXSLT API -- - added ESXLT URI (un)escaping (Jörg Walter) -+ - added ESXLT URI (un)escaping (Jörg Walter) - - Some memory leaks have been found and fixed - - document() now support fragment identifiers in URIs - diff --git a/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch b/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch deleted file mode 100644 index 62007d6..0000000 --- a/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sun, 24 Mar 2019 09:51:39 +0100 -Subject: [PATCH] Fix security framework bypass - -xsltCheckRead and xsltCheckWrite return -1 in case of error but callers -don't check for this condition and allow access. With a specially -crafted URL, xsltCheckRead could be tricked into returning an error -because of a supposedly invalid URL that would still be loaded -succesfully later on. - -Fixes #12. - -Thanks to Felix Wilhelm for the report. ---- - libxslt/documents.c | 18 ++++++++++-------- - libxslt/imports.c | 9 +++++---- - libxslt/transform.c | 9 +++++---- - libxslt/xslt.c | 9 +++++---- - 4 files changed, 25 insertions(+), 20 deletions(-) - -diff --git a/libxslt/documents.c b/libxslt/documents.c -index 3f3a7312..4aad11bb 100644 ---- a/libxslt/documents.c -+++ b/libxslt/documents.c -@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) { - int res; - - res = xsltCheckRead(ctxt->sec, ctxt, URI); -- if (res == 0) { -- xsltTransformError(ctxt, NULL, NULL, -- "xsltLoadDocument: read rights for %s denied\n", -- URI); -+ if (res <= 0) { -+ if (res == 0) -+ xsltTransformError(ctxt, NULL, NULL, -+ "xsltLoadDocument: read rights for %s denied\n", -+ URI); - return(NULL); - } - } -@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) { - int res; - - res = xsltCheckRead(sec, NULL, URI); -- if (res == 0) { -- xsltTransformError(NULL, NULL, NULL, -- "xsltLoadStyleDocument: read rights for %s denied\n", -- URI); -+ if (res <= 0) { -+ if (res == 0) -+ xsltTransformError(NULL, NULL, NULL, -+ "xsltLoadStyleDocument: read rights for %s denied\n", -+ URI); - return(NULL); - } - } -diff --git a/libxslt/imports.c b/libxslt/imports.c -index 874870cc..3783b247 100644 ---- a/libxslt/imports.c -+++ b/libxslt/imports.c -@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) { - 
int secres; - - secres = xsltCheckRead(sec, NULL, URI); -- if (secres == 0) { -- xsltTransformError(NULL, NULL, NULL, -- "xsl:import: read rights for %s denied\n", -- URI); -+ if (secres <= 0) { -+ if (secres == 0) -+ xsltTransformError(NULL, NULL, NULL, -+ "xsl:import: read rights for %s denied\n", -+ URI); - goto error; - } - } -diff --git a/libxslt/transform.c b/libxslt/transform.c -index 13793914..0636dbd0 100644 ---- a/libxslt/transform.c -+++ b/libxslt/transform.c -@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node, - */ - if (ctxt->sec != NULL) { - ret = xsltCheckWrite(ctxt->sec, ctxt, filename); -- if (ret == 0) { -- xsltTransformError(ctxt, NULL, inst, -- "xsltDocumentElem: write rights for %s denied\n", -- filename); -+ if (ret <= 0) { -+ if (ret == 0) -+ xsltTransformError(ctxt, NULL, inst, -+ "xsltDocumentElem: write rights for %s denied\n", -+ filename); - xmlFree(URL); - xmlFree(filename); - return; -diff --git a/libxslt/xslt.c b/libxslt/xslt.c -index 780a5ad7..a234eb79 100644 ---- a/libxslt/xslt.c -+++ b/libxslt/xslt.c -@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) { - int res; - - res = xsltCheckRead(sec, NULL, filename); -- if (res == 0) { -- xsltTransformError(NULL, NULL, NULL, -- "xsltParseStylesheetFile: read rights for %s denied\n", -- filename); -+ if (res <= 0) { -+ if (res == 0) -+ xsltTransformError(NULL, NULL, NULL, -+ "xsltParseStylesheetFile: read rights for %s denied\n", -+ filename); - return(NULL); - } - } --- -2.24.1 - diff --git a/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch b/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch deleted file mode 100644 index a8c7cf5..0000000 --- a/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Sat, 17 Aug 2019 16:51:53 +0200 -Subject: [PATCH] Fix dangling pointer in xsltCopyText - -xsltCopyText didn't reset ctxt->lasttext in some cases which could -lead to various memory errors in relation with CDATA sections in input -documents. - -Found by OSS-Fuzz. ---- - libxslt/transform.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/libxslt/transform.c b/libxslt/transform.c -index 95ebd073..d7ab0b66 100644 ---- a/libxslt/transform.c -+++ b/libxslt/transform.c -@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target, - if ((copy->content = xmlStrdup(cur->content)) == NULL) - return NULL; - } -+ -+ ctxt->lasttext = NULL; - } else { - /* - * normal processing. keep counters to extend the text node --- -2.22.0 - diff --git a/SOURCES/libxslt-1.1.32-CVE-2024-55549.patch b/SOURCES/libxslt-1.1.32-CVE-2024-55549.patch deleted file mode 100644 index 64c0b91..0000000 --- a/SOURCES/libxslt-1.1.32-CVE-2024-55549.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From 5b3b3151e4af0f6c234c97e01e05cf6edc9eceab Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 21 Mar 2023 12:19:50 +0100 -Subject: [PATCH 1/2] malloc-fail: Fix memory leak in exclPrefixPush - -Found by OSS-Fuzz, see #84. ---- - libxslt/xslt.c | 24 ++++++++---------------- - 1 file changed, 8 insertions(+), 16 deletions(-) - -diff --git a/libxslt/xslt.c b/libxslt/xslt.c -index 7a1ce011..6d4126a1 100644 ---- a/libxslt/xslt.c -+++ b/libxslt/xslt.c -@@ -157,31 +157,23 @@ exclPrefixPush(xsltStylesheetPtr style, xmlChar * value) - { - int i; - -- if (style->exclPrefixMax == 0) { -- style->exclPrefixMax = 4; -- style->exclPrefixTab = -- (xmlChar * *)xmlMalloc(style->exclPrefixMax * -- sizeof(style->exclPrefixTab[0])); -- if (style->exclPrefixTab == NULL) { -- xmlGenericError(xmlGenericErrorContext, "malloc failed !\n"); -- return (-1); -- } -- } - /* do not push duplicates */ - for (i = 0;i < style->exclPrefixNr;i++) { - if (xmlStrEqual(style->exclPrefixTab[i], value)) - return(-1); - } - if (style->exclPrefixNr >= style->exclPrefixMax) { -- style->exclPrefixMax *= 2; -- style->exclPrefixTab = -- (xmlChar * *)xmlRealloc(style->exclPrefixTab, -- style->exclPrefixMax * -- sizeof(style->exclPrefixTab[0])); -- if (style->exclPrefixTab == NULL) { -+ xmlChar **tmp; -+ size_t max = style->exclPrefixMax ? 
style->exclPrefixMax * 2 : 4; -+ -+ tmp = xmlRealloc(style->exclPrefixTab, -+ max * sizeof(style->exclPrefixTab[0])); -+ if (tmp == NULL) { - xmlGenericError(xmlGenericErrorContext, "realloc failed !\n"); - return (-1); - } -+ style->exclPrefixTab = tmp; -+ style->exclPrefixMax = max; - } - style->exclPrefixTab[style->exclPrefixNr] = value; - style->exclPrefix = value; --- -2.49.0 - - -From 43c2b70b12717940ff9141c3bc2dc7f3a49df2b5 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Thu, 5 Dec 2024 12:43:19 +0100 -Subject: [PATCH 2/2] [CVE-2024-55549] Fix UAF related to excluded namespaces - -Definitions of excluded namespaces could be deleted in -xsltParseTemplateContent. Store excluded namespace URIs in the -stylesheet's dictionary instead of referencing the namespace definition. - -Thanks to Ivan Fratric for the report! - -Fixes #127. ---- - libxslt/xslt.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/libxslt/xslt.c b/libxslt/xslt.c -index 6d4126a1..11681a13 100644 ---- a/libxslt/xslt.c -+++ b/libxslt/xslt.c -@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style, - * in case of error - */ - static int --exclPrefixPush(xsltStylesheetPtr style, xmlChar * value) -+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig) - { -+ xmlChar *value; - int i; - -+ /* -+ * orig can come from a namespace definition on a node which -+ * could be deleted later, for example in xsltParseTemplateContent. -+ * Store the string in stylesheet's dict to avoid use after free. -+ */ -+ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1); -+ if (value == NULL) -+ return(-1); -+ - /* do not push duplicates */ - for (i = 0;i < style->exclPrefixNr;i++) { - if (xmlStrEqual(style->exclPrefixTab[i], value)) --- -2.49.0 - diff --git a/SOURCES/libxslt-1.1.32-unexpected-rvt-flag.patch b/SOURCES/libxslt-1.1.32-unexpected-rvt-flag.patch deleted file mode 100644 index 465616f..0000000 
--- a/SOURCES/libxslt-1.1.32-unexpected-rvt-flag.patch +++ /dev/null 
@@ -1,313 +0,0 @@ -From 7d81bd62d5788a9e2931c20a3d0a6be7e703c608 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 23 Jul 2018 22:52:12 +0200 -Subject: [PATCH] Fix EXSLT functions returning RVTs from outer scopes - -The RVTs referenced from function results must not be blindly registered -as local, as they might be part of variables from an outer scope. Remove -LOCAL/VARIABLE distinction for RVTs. Don't register as local RVT -unconditionally when reflagging as LOCAL. Instead, register function -result RVTs from inner variables as local RVTs when they're released in -xsltFreeStackElem. Keep local function result RVTs xsltReleaseLocalRVTs -instead of reregistering. - -Closes: https://gitlab.gnome.org/GNOME/libxslt/issues/2 - -Thanks to Daniel Mendler and Martin Gieseking for the reports. ---- - libexslt/functions.c | 11 ++++++++++- - libxslt/transform.c | 17 ++++++++++++++--- - libxslt/variables.c | 27 +++++++++++---------------- - libxslt/variables.h | 12 ++---------- - tests/docs/bug-210.xml | 1 + - tests/docs/bug-211.xml | 1 + - tests/general/bug-210.out | 2 ++ - tests/general/bug-210.xsl | 20 ++++++++++++++++++++ - tests/general/bug-211.out | 2 ++ - tests/general/bug-211.xsl | 26 ++++++++++++++++++++++++++ - 10 files changed, 89 insertions(+), 30 deletions(-) - create mode 100644 tests/docs/bug-210.xml - create mode 100644 tests/docs/bug-211.xml - create mode 100644 tests/general/bug-210.out - create mode 100644 tests/general/bug-210.xsl - create mode 100644 tests/general/bug-211.out - create mode 100644 tests/general/bug-211.xsl - -diff --git a/libexslt/functions.c b/libexslt/functions.c -index 2b83ca34..b7b968f8 100644 ---- a/libexslt/functions.c -+++ b/libexslt/functions.c -@@ -426,7 +426,15 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) { - } - } - /* -- * actual processing -+ * Actual processing. 
Note that contextVariable is set to NULL which -+ * means that RVTs returned from functions always end up as local RVTs, -+ * not as variable fragments if the function is called in the select -+ * expression of an xsl:variable. This is a hack that only works because -+ * xsltReleaseLocalRVTs isn't called after processing xsl:variable. -+ * -+ * It would probably be better to remove the fragile contextVariable -+ * logic and make xsltEvalVariable move the required RVTs into the -+ * variable manually. - */ - fake = xmlNewDocNode(tctxt->output, NULL, - (const xmlChar *)"fake", NULL); -@@ -766,6 +774,7 @@ exsltFuncResultElem (xsltTransformContextPtr ctxt, - return; - } - /* Mark as function result. */ -+ xsltRegisterLocalRVT(ctxt, container); - container->psvi = XSLT_RVT_FUNC_RESULT; - - oldInsert = ctxt->insert; -diff --git a/libxslt/transform.c b/libxslt/transform.c -index 90d2731d..d7af31f1 100644 ---- a/libxslt/transform.c -+++ b/libxslt/transform.c -@@ -2295,6 +2295,7 @@ static void - xsltReleaseLocalRVTs(xsltTransformContextPtr ctxt, xmlDocPtr base) - { - xmlDocPtr cur = ctxt->localRVT, tmp; -+ xmlDocPtr prev = NULL; - - if (cur == base) - return; -@@ -2308,16 +2309,26 @@ xsltReleaseLocalRVTs(xsltTransformContextPtr ctxt, xmlDocPtr base) - xsltReleaseRVT(ctxt, tmp); - } else if (tmp->psvi == XSLT_RVT_GLOBAL) { - xsltRegisterPersistRVT(ctxt, tmp); -- } else if (tmp->psvi != XSLT_RVT_FUNC_RESULT) { -+ } else if (tmp->psvi == XSLT_RVT_FUNC_RESULT) { -+ if (prev == NULL) -+ ctxt->localRVT = tmp; -+ else -+ prev->next = (xmlNodePtr) tmp; -+ tmp->prev = (xmlNodePtr) prev; -+ prev = tmp; -+ } else { - xmlGenericError(xmlGenericErrorContext, - "xsltReleaseLocalRVTs: Unexpected RVT flag %p\n", - tmp->psvi); - } - } while (cur != base); - -+ if (prev == NULL) -+ ctxt->localRVT = base; -+ else -+ prev->next = (xmlNodePtr) base; - if (base != NULL) -- base->prev = NULL; -- ctxt->localRVT = base; -+ base->prev = (xmlNodePtr) prev; - } - - /** -diff --git 
a/libxslt/variables.c b/libxslt/variables.c -index fe6f299c..8f88e573 100644 ---- a/libxslt/variables.c -+++ b/libxslt/variables.c -@@ -123,7 +123,7 @@ xsltRegisterTmpRVT(xsltTransformContextPtr ctxt, xmlDocPtr RVT) - return(-1); - - RVT->prev = NULL; -- RVT->psvi = XSLT_RVT_VARIABLE; -+ RVT->psvi = XSLT_RVT_LOCAL; - - /* - * We'll restrict the lifetime of user-created fragments -@@ -163,6 +163,7 @@ xsltRegisterLocalRVT(xsltTransformContextPtr ctxt, - return(-1); - - RVT->prev = NULL; -+ RVT->psvi = XSLT_RVT_LOCAL; - - /* - * When evaluating "select" expressions of xsl:variable -@@ -173,7 +174,6 @@ xsltRegisterLocalRVT(xsltTransformContextPtr ctxt, - if ((ctxt->contextVariable != NULL) && - (XSLT_TCTXT_VARIABLE(ctxt)->flags & XSLT_VAR_IN_SELECT)) - { -- RVT->psvi = XSLT_RVT_VARIABLE; - RVT->next = (xmlNodePtr) XSLT_TCTXT_VARIABLE(ctxt)->fragment; - XSLT_TCTXT_VARIABLE(ctxt)->fragment = RVT; - return(0); -@@ -183,7 +183,6 @@ xsltRegisterLocalRVT(xsltTransformContextPtr ctxt, - * If not reference by a returning instruction (like EXSLT's function), - * then this fragment will be freed, when the instruction exits. 
- */ -- RVT->psvi = XSLT_RVT_LOCAL; - RVT->next = (xmlNodePtr) ctxt->localRVT; - if (ctxt->localRVT != NULL) - ctxt->localRVT->prev = (xmlNodePtr) RVT; -@@ -314,14 +313,8 @@ xsltFlagRVTs(xsltTransformContextPtr ctxt, xmlXPathObjectPtr obj, void *val) { - #endif - - if (val == XSLT_RVT_LOCAL) { -- if (doc->psvi != XSLT_RVT_FUNC_RESULT) { -- xmlGenericError(xmlGenericErrorContext, -- "xsltFlagRVTs: Invalid transition %p => LOCAL\n", -- doc->psvi); -- return(-1); -- } -- -- xsltRegisterLocalRVT(ctxt, doc); -+ if (doc->psvi == XSLT_RVT_FUNC_RESULT) -+ doc->psvi = XSLT_RVT_LOCAL; - } else if (val == XSLT_RVT_GLOBAL) { - if (doc->psvi != XSLT_RVT_LOCAL) { - xmlGenericError(xmlGenericErrorContext, -@@ -585,10 +578,12 @@ xsltFreeStackElem(xsltStackElemPtr elem) { - cur = elem->fragment; - elem->fragment = (xmlDocPtr) cur->next; - -- if (cur->psvi == XSLT_RVT_VARIABLE) { -- xsltReleaseRVT((xsltTransformContextPtr) elem->context, -- cur); -- } else if (cur->psvi != XSLT_RVT_FUNC_RESULT) { -+ if (cur->psvi == XSLT_RVT_LOCAL) { -+ xsltReleaseRVT(elem->context, cur); -+ } else if (cur->psvi == XSLT_RVT_FUNC_RESULT) { -+ xsltRegisterLocalRVT(elem->context, cur); -+ cur->psvi = XSLT_RVT_FUNC_RESULT; -+ } else { - xmlGenericError(xmlGenericErrorContext, - "xsltFreeStackElem: Unexpected RVT flag %p\n", - cur->psvi); -@@ -992,7 +987,7 @@ xsltEvalVariable(xsltTransformContextPtr ctxt, xsltStackElemPtr variable, - * the Result Tree Fragment. - */ - variable->fragment = container; -- container->psvi = XSLT_RVT_VARIABLE; -+ container->psvi = XSLT_RVT_LOCAL; - - oldOutput = ctxt->output; - oldInsert = ctxt->insert; -diff --git a/libxslt/variables.h b/libxslt/variables.h -index 24acf8d1..039288fb 100644 ---- a/libxslt/variables.h -+++ b/libxslt/variables.h -@@ -45,14 +45,6 @@ extern "C" { - */ - #define XSLT_RVT_LOCAL ((void *)1) - --/** -- * XSLT_RVT_VARIABLE: -- * -- * RVT is part of a local variable and destroyed after the variable goes out -- * of scope. 
-- */ --#define XSLT_RVT_VARIABLE ((void *)2) -- - /** - * XSLT_RVT_FUNC_RESULT: - * -@@ -60,14 +52,14 @@ extern "C" { - * destroyed after exiting a template and will be reset to XSLT_RVT_LOCAL or - * XSLT_RVT_VARIABLE in the template that receives the return value. - */ --#define XSLT_RVT_FUNC_RESULT ((void *)3) -+#define XSLT_RVT_FUNC_RESULT ((void *)2) - - /** - * XSLT_RVT_GLOBAL: - * - * RVT is part of a global variable. - */ --#define XSLT_RVT_GLOBAL ((void *)4) -+#define XSLT_RVT_GLOBAL ((void *)3) - - /* - * Interfaces for the variable module. -diff --git a/tests/docs/bug-210.xml b/tests/docs/bug-210.xml -new file mode 100644 -index 00000000..69d62f2c ---- /dev/null -+++ b/tests/docs/bug-210.xml -@@ -0,0 +1 @@ -+ -diff --git a/tests/docs/bug-211.xml b/tests/docs/bug-211.xml -new file mode 100644 -index 00000000..69d62f2c ---- /dev/null -+++ b/tests/docs/bug-211.xml -@@ -0,0 +1 @@ -+ -diff --git a/tests/general/bug-210.out b/tests/general/bug-210.out -new file mode 100644 -index 00000000..445906d6 ---- /dev/null -+++ b/tests/general/bug-210.out -@@ -0,0 +1,2 @@ -+ -+value -diff --git a/tests/general/bug-210.xsl b/tests/general/bug-210.xsl -new file mode 100644 -index 00000000..1915171d ---- /dev/null -+++ b/tests/general/bug-210.xsl -@@ -0,0 +1,20 @@ -+ -+ -+ -+ -+ value -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -diff --git a/tests/general/bug-211.out b/tests/general/bug-211.out -new file mode 100644 -index 00000000..7b3cf11c ---- /dev/null -+++ b/tests/general/bug-211.out -@@ -0,0 +1,2 @@ -+ -+__ -diff --git a/tests/general/bug-211.xsl b/tests/general/bug-211.xsl -new file mode 100644 -index 00000000..557f5fb3 ---- /dev/null -+++ b/tests/general/bug-211.xsl -@@ -0,0 +1,26 @@ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ --- -GitLab - diff --git a/libxslt-1.1.39-CVE-2024-55549.patch b/libxslt-1.1.39-CVE-2024-55549.patch new file mode 100644 index 0000000..a374105 --- /dev/null +++ b/libxslt-1.1.39-CVE-2024-55549.patch 
@@ -0,0 +1,45 @@
+From 7f24858ae0f26e610a5a9a6f2a216fa6469c52d1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 5 Dec 2024 12:43:19 +0100
+Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
+
+Definitions of excluded namespaces could be deleted in
+xsltParseTemplateContent. Store excluded namespace URIs in the
+stylesheet's dictionary instead of referencing the namespace definition.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #127.
+---
+ libxslt/xslt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 39a700b0..9a081cd1 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -147,10 +147,20 @@ xsltParseContentError(xsltStylesheetPtr style,
+ * in case of error
+ */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
++exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
++ xmlChar *value;
+ int i;
+
++ /*
++ * orig can come from a namespace definition on a node which
++ * could be deleted later, for example in xsltParseTemplateContent.
++ * Store the string in stylesheet's dict to avoid use after free.
++ */
++ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
++ if (value == NULL)
++ return(-1);
++
+ /* do not push duplicates */
+ for (i = 0;i < style->exclPrefixNr;i++) {
+ if (xmlStrEqual(style->exclPrefixTab[i], value))
+--
+2.49.0
+
diff --git a/SOURCES/libxslt-1.1.32-CVE-2025-24855.patch b/libxslt-1.1.39-CVE-2025-24855.patch
similarity index 93%
rename from SOURCES/libxslt-1.1.32-CVE-2025-24855.patch
rename to libxslt-1.1.39-CVE-2025-24855.patch
index 4025672..e851422 100644
--- a/SOURCES/libxslt-1.1.32-CVE-2025-24855.patch
+++ b/libxslt-1.1.39-CVE-2025-24855.patch
@@ -1,4 +1,4 @@
-From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001
+From 1dbe5519852f9c24706ca55ab01367acc1a7ee0a Mon Sep 17 00:00:00 2001
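Review bot: The new `if (value == NULL) return(-1);` path in exclPrefixPush gives a failed `xmlDictLookup` the same silent -1 as the duplicate check right below it, so an allocation failure leaves the prefix unexcluded with no diagnostic. The function's realloc path, visible in the 1.1.32 backport this commit removes, logs through `xmlGenericError`; the new path could do the same with `xmlGenericError(xmlGenericErrorContext, "malloc failed !\n");` before the return. The table now stores dictionary-owned strings behind a cast that drops const, so it is worth confirming that no cleanup path outside this hunk frees individual entries. The function body continues past the hunk.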
From: Nick Wellnhofer Date: Tue, 17 Dec 2024 15:56:21 +0100 Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node @@ -27,10 +27,10 @@ Fixes #128. 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/libxslt/numbers.c b/libxslt/numbers.c -index 0e1fa136..741124d1 100644 +index 3cd881e3..566df030 100644 --- a/libxslt/numbers.c +++ b/libxslt/numbers.c -@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context, +@@ -713,9 +713,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context, int amount = 0; xmlBufferPtr pattern; xmlXPathObjectPtr obj; @@ -43,7 +43,7 @@ index 0e1fa136..741124d1 100644 xmlBufferCCat(pattern, "number("); xmlBufferCat(pattern, value); xmlBufferCCat(pattern, ")"); -@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context, +@@ -728,6 +731,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context, xmlXPathFreeObject(obj); } xmlBufferFree(pattern); @@ -102,7 +102,7 @@ index f08b9bda..1c8d96e2 100644 ctxt->xpathCtxt->proximityPosition = oldPos; ctxt->xpathCtxt->nsNr = oldNsNr; diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c -index 0e9dc62f..a20da961 100644 +index 3705d28f..9afb4520 100644 --- a/libxslt/xsltutils.c +++ b/libxslt/xsltutils.c @@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort, @@ -126,5 +126,5 @@ index 0e9dc62f..a20da961 100644 ctxt->xpathCtxt->proximityPosition = oldPos; ctxt->xpathCtxt->nsNr = oldNsNr; -- -GitLab +2.49.0 diff --git a/SPECS/libxslt.spec b/libxslt.spec similarity index 64% rename from SPECS/libxslt.spec rename to libxslt.spec index 0a32a81..afb042d 100644 --- a/SPECS/libxslt.spec +++ b/libxslt.spec 
@@ -1,42 +1,30 @@ -%if 0%{?rhel} > 7 -# Disable python2 build by default -%bcond_with python2 -%else -%bcond_without python2 -%endif - Name: libxslt Summary: Library providing the Gnome XSLT engine -Version: 1.1.32 -Release: 6.1%{?dist} +Version: 1.1.39 +Release: 7%{?dist} License: MIT -URL: http://xmlsoft.org/XSLT -Source: ftp://xmlsoft.org/XSLT/%{name}-%{version}.tar.gz +URL: https://gitlab.gnome.org/GNOME/libxslt +Source0: https://download.gnome.org/sources/%{name}/1.1/%{name}-%{version}.tar.xz + +Provides: xsltproc = %{version}-%{release} BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool BuildRequires: make BuildRequires: gcc -BuildRequires: %{_bindir}/libgcrypt-config BuildRequires: pkgconfig(libxml-2.0) >= 2.6.27 +BuildRequires: python3-devel # Fedora specific patches Patch0: multilib.patch -Patch1: libxslt-1.1.26-utf8-docs.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1765632 -Patch2: multilib2.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1775517 -Patch3: libxslt-1.1.32-CVE-2019-18197.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1715732 -Patch4: libxslt-1.1.32-CVE-2019-11068.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1860467 -Patch5: libxslt-1.1.32-unexpected-rvt-flag.patch -# https://issues.redhat.com/browse/RHEL-83506 -Patch6: libxslt-1.1.32-CVE-2024-55549.patch -# https://issues.redhat.com/browse/RHEL-83492 -Patch7: libxslt-1.1.32-CVE-2025-24855.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1467435 +Patch1: multilib2.patch +# https://issues.redhat.com/browse/RHEL-83503 +Patch2: libxslt-1.1.39-CVE-2024-55549.patch +# https://issues.redhat.com/browse/RHEL-83489 +Patch3: libxslt-1.1.39-CVE-2025-24855.patch %description This C library allows to transform XML files into other XML files 
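Review bot: `BuildRequires: python3-devel` is added unconditionally, yet the %build change later in this file passes `--with-python=no` whenever `%{?fedora}` is unset, so non-Fedora builds pull Python into the build root without using it. Gate it the same way as the bindings: `%if 0%{?fedora}`, `BuildRequires: python3-devel`, `%endif`. Keeping the build root to what the build actually consumes also keeps the set of packages that can influence the resulting binaries small.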
@@ -47,27 +35,25 @@ installed. The xsltproc command is a command line interface to the XSLT engine %package devel Summary: Development libraries and header files for %{name} Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: libgcrypt-devel%{?_isa} Requires: libgpg-error-devel%{?_isa} %description devel The %{name}-devel package contains libraries and header files for developing applications that use %{name}. -%if %{with python2} -%package -n python2-libxslt -Summary: Python 2 bindings for %{name} -BuildRequires: python2-devel -BuildRequires: python2-libxml2 +%if 0%{?fedora} +# Upstream package has not been ported to Python 3. I have +# converted this section so it could be used to compile the +# Python 3 bindings one day once that has happened, but +# commented it out. - RWMJ 2019-09-10 +%package -n python3-libxslt +Summary: Python 3 bindings for %{name} +BuildRequires: python3-libxml2 Requires: %{name}%{?_isa} = %{version}-%{release} -Requires: python2-libxml2 -%{?python_provide:%python_provide python2-libxslt} -# Remove before F30 -Provides: %{name}-python = %{version}-%{release} -Provides: %{name}-python%{?_isa} = %{version}-%{release} -Obsoletes: %{name}-python < %{version}-%{release} +Requires: python3-libxml2 +%{?python_provide:%python_provide python3-%{name}} -%description -n python2-libxslt +%description -n python3-libxslt The libxslt-python package contains a module that permits applications written in the Python programming language to use the interface supplied by the libxslt library to apply XSLT transformations. @@ -76,7 +62,7 @@ This library allows to parse sytlesheets, uses the libxml2-python to load and save XML and HTML files. Direct access to XPath and the XSLT transformation context are possible to extend the XSLT language with XPath functions written in Python. -%endif # with python2 +%endif %prep %autosetup -p1 
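Review bot: `Requires: libgpg-error-devel%{?_isa}` stays in the devel subpackage although this hunk drops `Requires: libgcrypt-devel%{?_isa}` and the build is configured with `--with-crypto=no` further down, so it looks like a leftover that only widens what a -devel install drags in; drop it unless something visible elsewhere still needs it. The comment above `%package -n python3-libxslt` says the section was "commented out", but it is now gated by `%if 0%{?fedora}`; reword it, for example `# Python 3 bindings are only built on Fedora.` The subpackage description also still begins "The libxslt-python package", which no longer matches the package name.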
@@ -84,7 +70,17 @@ chmod 644 python/tests/* %build autoreconf -vfi -%configure --disable-static --disable-silent-rules +#export PYTHON=%{__python3} +#%configure --disable-static --disable-silent-rules --with-python +%configure \ + --disable-static \ + --disable-silent-rules \ +%if 0%{?fedora} + --with-python=yes \ +%else + --with-python=no \ +%endif + --with-crypto=no %make_build %install @@ -101,7 +97,7 @@ rm -vrf %{buildroot}%{_docdir} %files %license Copyright -%doc AUTHORS ChangeLog NEWS README FEATURES +%doc AUTHORS NEWS README.md FEATURES %{_bindir}/xsltproc %{_libdir}/libxslt.so.* %{_libdir}/libexslt.so.* @@ -110,16 +106,16 @@ rm -vrf %{buildroot}%{_docdir} %files devel %doc doc/libxslt-api.xml -%doc doc/libxslt-refs.xml %doc doc/EXSLT/libexslt-api.xml -%doc doc/EXSLT/libexslt-refs.xml %doc %{_mandir}/man3/libxslt.3* %doc %{_mandir}/man3/libexslt.3* -%doc doc/*.html doc/html doc/*.gif doc/*.png -%doc doc/images +#%doc doc/*.html doc/html doc/*.gif doc/*.png +#%doc doc/images %doc doc/tutorial %doc doc/tutorial2 -%doc doc/EXSLT +#%%doc doc/EXSLT +%{_datadir}/gtk-doc/ +%{_libdir}/cmake/libxslt/ %{_libdir}/libxslt.so %{_libdir}/libexslt.so %{_libdir}/xsltConf.sh 
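Review bot: The commented-out line `#%configure --disable-static --disable-silent-rules --with-python` in %build leaves the macro unescaped, and rpm expands macros inside comment lines; because `%configure` expands to several lines, only the first is commented and the remainder may run as live shell ahead of the real `%configure` call. Escape it as `#%%configure --disable-static --disable-silent-rules --with-python`, the way the files section already does with `#%%doc doc/EXSLT`, or delete the dead lines. Separately, `--with-crypto=no` builds libexslt without its crypto extension functions, which deserves a %changelog entry because stylesheets that call them would no longer find them.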
@@ -130,33 +126,121 @@ rm -vrf %{buildroot}%{_docdir} %{_libdir}/pkgconfig/libexslt.pc %{_bindir}/xslt-config -%if %{with python2} -%files -n python2-libxslt -%{python2_sitearch}/libxslt.py* -%{python2_sitearch}/libxsltmod.so +%if 0%{?fedora} +%files -n python3-libxslt +%{python3_sitelib}/libxslt.py* +%{python3_sitearch}/libxsltmod.so +%{python3_sitelib}/__pycache__/libxslt* %doc python/libxsltclass.txt %doc python/tests/*.py %doc python/tests/*.xml %doc python/tests/*.xsl -%endif # with python2 +%endif %changelog -* Fri Apr 04 2025 David King - 1.1.32-6.1 -- Fix CVE-2024-55549 (RHEL-83506) -- Fix CVE-2025-24855 (RHEL-83492) +* Fri Apr 04 2025 David King - 1.1.39-7 +- Fix CVE-2024-55549 (RHEL-83503) +- Fix CVE-2025-24855 (RHEL-83489) -* Mon Aug 24 2020 David King - 1.1.32-6 -- Fix unexpected RVT flag error (#1860467) +* Tue Oct 29 2024 Troy Dawson - 1.1.39-6 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 -* Thu Jan 09 2020 David King - 1.1.32-5 -- Fix CVE-2019-18197 (#1775517) -- Fix CVE-2019-11068 (#1715732) +* Tue Aug 06 2024 Tomas Popela - 1.1.39-5 +- Only build python support on Fedora -* Thu Jan 09 2020 David King - 1.1.32-4 -- Fix multilib issues with devel subpackage (#1765632) +* Mon Jun 24 2024 Troy Dawson - 1.1.39-4 +- Bump release for June 2024 mass rebuild -* Mon Jun 25 2018 Charalampos Stratakis - 1.1.32-3 -- Conditionalize the python2 subpackage +* Thu Jan 25 2024 Fedora Release Engineering - 1.1.39-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 1.1.39-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Nov 16 2023 Gwyn Ciesla - 1.1.39-1 +- 1.1.39 + +* Thu Jul 20 2023 Fedora Release Engineering - 1.1.38-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Tue Jun 13 2023 Python Maint - 1.1.38-2 +- Rebuilt for Python 3.12 + +* Mon May 08 2023 Gwyn Ciesla - 1.1.38-1 +- 1.1.38 + +* Sun Mar 05 2023 Gwyn Ciesla 
- 1.1.37-3 +- migrated to SPDX license + +* Thu Jan 19 2023 Fedora Release Engineering - 1.1.37-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Aug 29 2022 Gwyn Ciesla - 1.1.37-1 +- 1.1.37 + +* Wed Aug 17 2022 Gwyn Ciesla - 1.1.36-1 +- 1.1.36 + +* Thu Jul 21 2022 Fedora Release Engineering - 1.1.35-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jun 16 2022 Gwyn Ciesla - 1.1.35-2 +- Exclude arch-specific Makefile from -devel. + +* Wed Feb 16 2022 David King - 1.1.35-1 +- Update to 1.1.35 + +* Thu Jan 20 2022 Fedora Release Engineering - 1.1.34-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Jul 22 2021 Fedora Release Engineering - 1.1.34-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jan 26 2021 Fedora Release Engineering - 1.1.34-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Sep 14 2020 Gwyn Ciesla - 1.1.34-4 +- Patch for incorrect man page stylesheet. + +* Tue Sep 1 2020 Simo Sorce - 1.1.34-3 +- Drop crypto dependency. +- The "cryptography" implemented in exslt is outdated and bad supporting only + insecure algorithms (RC4, SHA1, MD5, MD4), and should not be used anyway. + +* Tue Jul 28 2020 Fedora Release Engineering - 1.1.34-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Mar 09 2020 Gwyn Ciesla - 1.1.34-1 +- 1.1.34 + +* Wed Jan 29 2020 Fedora Release Engineering - 1.1.33-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Oct 11 2019 Jakub Jelen - 1.1.33-4 +- Do not build python bindings even if the python is available +- Fix CVE-2019-13117 (#1728547) +- Fix CVE-2019-13118 (#1728542) + +* Tue Sep 10 2019 Richard W.M. Jones - 1.1.33-3 +- Comment out Python bindings until upstream can convert them to Python 3. 
+ +* Thu Jul 25 2019 Fedora Release Engineering - 1.1.33-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Jun 07 2019 David King - 1.1.33-1 +- Update to 1.1.33 +- Fix CVE-2019-11068 (#1709698) + +* Mon May 06 2019 Artem S. Tashkinov - 1.1.32-5 +- Apply an extra patch to fix PR1467435 and make it possible to coinstall + libxslt-devel.x64 and libxslt-devel.i686 + +* Fri Feb 01 2019 Fedora Release Engineering - 1.1.32-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jul 13 2018 Fedora Release Engineering - 1.1.32-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Fri Feb 09 2018 Igor Gnatenko - 1.1.32-2 - Fix typo in Requires diff --git a/SOURCES/multilib.patch b/multilib.patch similarity index 100% rename from SOURCES/multilib.patch rename to multilib.patch diff --git a/SOURCES/multilib2.patch b/multilib2.patch similarity index 100% rename from SOURCES/multilib2.patch rename to multilib2.patch diff --git a/sources b/sources new file mode 100644 index 0000000..4c2f254 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (libxslt-1.1.39.tar.xz) = c0c99dc63f8b2acb6cc3ad7ad684ffa2a427ee8d1740495cbf8a7c9b9c8679f96351b4b676c73ccc191014db4cb4ab42b9a0070f6295565f39dbc665c5c16f89