import UBI libxslt-1.1.34-9.el9_5.2

2025-04-21 02:26:52 +00:00 · 2025-04-21 02:26:52 +00:00 · b8d5ca2df8
commit b8d5ca2df8
parent 18676bc11b
2 changed files with 61 additions and 1 deletions
--- a/SOURCES/libxslt-1.1.34-CVE-2024-55549.patch
+++ b/SOURCES/libxslt-1.1.34-CVE-2024-55549.patch
@ -0,0 +1,55 @@
+From 24d51683da1e748acceb234cdb6f670fa9dade9e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 5 Dec 2024 12:43:19 +0100
+Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
+
+Definitions of excluded namespaces could be deleted in
+xsltParseTemplateContent. Store excluded namespace URIs in the
+stylesheet's dictionary instead of referencing the namespace definition.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #127.
+---
+ libxslt/xslt.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 7a1ce011..4f975cd2 100644
+--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
+@@ -153,20 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
+  * in case of error
+  */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
+    xmlChar *value;
+     int i;
+ 
+-    if (style->exclPrefixMax == 0) {
+-        style->exclPrefixMax = 4;
+-        style->exclPrefixTab =
+-            (xmlChar * *)xmlMalloc(style->exclPrefixMax *
+-                                   sizeof(style->exclPrefixTab[0]));
+-        if (style->exclPrefixTab == NULL) {
+-            xmlGenericError(xmlGenericErrorContext, "malloc failed !\n");
+-            return (-1);
+-        }
+-    }
+    /*
+     * orig can come from a namespace definition on a node which
+     * could be deleted later, for example in xsltParseTemplateContent.
+     * Store the string in stylesheet's dict to avoid use after free.
+     */
+    value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
+    if (value == NULL)
+        return(-1);
+
+     /* do not push duplicates */
+     for (i = 0;i < style->exclPrefixNr;i++) {
+         if (xmlStrEqual(style->exclPrefixTab[i], value))
+-- 
+2.49.0
+
--- a/SPECS/libxslt.spec
+++ b/SPECS/libxslt.spec
@ -1,7 +1,7 @@
 Name:           libxslt
 Summary:        Library providing the Gnome XSLT engine
 Version:        1.1.34
-Release:        9%{?dist}.1
+Release:        9%{?dist}.2

 License:        MIT
 URL:            http://xmlsoft.org/XSLT
@ -26,6 +26,8 @@ Patch4:         libxslt-1.1.34-tutorial2-dtd.patch
 Patch5:         libxslt-1.1.34-test-fuzz-build.patch
 # https://issues.redhat.com/browse/RHEL-83501
 Patch6:         libxslt-1.1.34-CVE-2025-24855.patch
+# https://issues.redhat.com/browse/RHEL-83515
+Patch7:         libxslt-1.1.34-CVE-2024-55549.patch

 %description
 This C library allows to transform XML files into other XML files
@ -132,6 +134,9 @@ rm -vrf %{buildroot}%{_docdir}
 %endif

 %changelog
+* Thu Apr 17 2025 David King <dking@redhat.com> - 1.1.34-9.2
+- Fix CVE-2024-55549 (RHEL-83515)
+
 * Thu Mar 20 2025 David King <dking@redhat.com> - 1.1.34-9.1
 - Fix CVE-2025-24855 (RHEL-83501)