import UBI libxslt-1.1.34-9.el9_5.2

eabdullin 2025-04-21 02:26:52 +00:00
parent 18676bc11b
commit b8d5ca2df8
2 changed files with 61 additions and 1 deletions


@ -0,0 +1,55 @@
From 24d51683da1e748acceb234cdb6f670fa9dade9e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 5 Dec 2024 12:43:19 +0100
Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
Definitions of excluded namespaces could be deleted in
xsltParseTemplateContent. Store excluded namespace URIs in the
stylesheet's dictionary instead of referencing the namespace definition.
Thanks to Ivan Fratric for the report!
Fixes #127.
---
libxslt/xslt.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 7a1ce011..4f975cd2 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -153,20 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
* in case of error
*/
static int
-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
{
+ xmlChar *value;
int i;
- if (style->exclPrefixMax == 0) {
- style->exclPrefixMax = 4;
- style->exclPrefixTab =
- (xmlChar * *)xmlMalloc(style->exclPrefixMax *
- sizeof(style->exclPrefixTab[0]));
- if (style->exclPrefixTab == NULL) {
- xmlGenericError(xmlGenericErrorContext, "malloc failed !\n");
- return (-1);
- }
- }
+ /*
+ * orig can come from a namespace definition on a node which
+ * could be deleted later, for example in xsltParseTemplateContent.
+ * Store the string in stylesheet's dict to avoid use after free.
+ */
+ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
+ if (value == NULL)
+ return(-1);
+
/* do not push duplicates */
for (i = 0;i < style->exclPrefixNr;i++) {
if (xmlStrEqual(style->exclPrefixTab[i], value))
--
2.49.0
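Review bot: The removed `if (style->exclPrefixMax == 0)` block was the only visible place where `exclPrefixTab` receives its first allocation, and this backport drops it in the same hunk that adds the `xmlDictLookup` copy. The rest of exclPrefixPush lies outside the hunk, so this cannot be confirmed from here, but if the growth branch further down still doubles the capacity, a zero `exclPrefixMax` stays zero and the table would be sized at zero bytes before `value` is stored into it. Please check against the 1.1.34 tree that the growth path seeds the capacity, for example `style->exclPrefixMax = style->exclPrefixMax ? style->exclPrefixMax * 2 : 4;`, or keep the first-use allocation in the backport. The interned `value` itself looks like the right fix for the lifetime problem, since it ties the string to `style->dict` rather than to a namespace node that may be freed.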


@ -1,7 +1,7 @@
Name: libxslt
Summary: Library providing the Gnome XSLT engine
Version: 1.1.34
Release: 9%{?dist}.1
Release: 9%{?dist}.2
License: MIT
URL: http://xmlsoft.org/XSLT
@ -26,6 +26,8 @@ Patch4: libxslt-1.1.34-tutorial2-dtd.patch
Patch5: libxslt-1.1.34-test-fuzz-build.patch
# https://issues.redhat.com/browse/RHEL-83501
Patch6: libxslt-1.1.34-CVE-2025-24855.patch
# https://issues.redhat.com/browse/RHEL-83515
Patch7: libxslt-1.1.34-CVE-2024-55549.patch
%description
This C library allows to transform XML files into other XML files
@ -132,6 +134,9 @@ rm -vrf %{buildroot}%{_docdir}
%endif
%changelog
* Thu Apr 17 2025 David King <dking@redhat.com> - 1.1.34-9.2
- Fix CVE-2024-55549 (RHEL-83515)
* Thu Mar 20 2025 David King <dking@redhat.com> - 1.1.34-9.1
- Fix CVE-2025-24855 (RHEL-83501)