From b8d5ca2df887101c091581fdf575f79d026ea290 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 21 Apr 2025 02:26:52 +0000
Subject: [PATCH] import UBI libxslt-1.1.34-9.el9_5.2
---
 SOURCES/libxslt-1.1.34-CVE-2024-55549.patch | 55 +++++++++++++++++++++
 SPECS/libxslt.spec | 7 ++-
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/libxslt-1.1.34-CVE-2024-55549.patch
diff --git a/SOURCES/libxslt-1.1.34-CVE-2024-55549.patch b/SOURCES/libxslt-1.1.34-CVE-2024-55549.patch
new file mode 100644
index 0000000..f8ea3d7
--- /dev/null
+++ b/SOURCES/libxslt-1.1.34-CVE-2024-55549.patch
@@ -0,0 +1,55 @@
+From 24d51683da1e748acceb234cdb6f670fa9dade9e Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Thu, 5 Dec 2024 12:43:19 +0100
+Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
+
+Definitions of excluded namespaces could be deleted in
+xsltParseTemplateContent. Store excluded namespace URIs in the
+stylesheet's dictionary instead of referencing the namespace definition.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #127.
+---
+ libxslt/xslt.c | 22 +++++++++++----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 7a1ce011..4f975cd2 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -153,20 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
+ * in case of error
+ */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
++exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
++ xmlChar *value;
+ int i;
+
+- if (style->exclPrefixMax == 0) {
+- style->exclPrefixMax = 4;
+- style->exclPrefixTab =
+- (xmlChar * *)xmlMalloc(style->exclPrefixMax *
+- sizeof(style->exclPrefixTab[0]));
+- if (style->exclPrefixTab == NULL) {
+- xmlGenericError(xmlGenericErrorContext, "malloc failed !\n");
+- return (-1);
+- }
+- }
++ /*
++ * orig can come from a namespace definition on a node which
++ * could be deleted later, for example in xsltParseTemplateContent.
++ * Store the string in stylesheet's dict to avoid use after free.
++ */
++ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
++ if (value == NULL)
++ return(-1);
++
+ /* do not push duplicates */
+ for (i = 0;i < style->exclPrefixNr;i++) {
+ if (xmlStrEqual(style->exclPrefixTab[i], value))
+--
+2.49.0
+
diff --git a/SPECS/libxslt.spec b/SPECS/libxslt.spec
index fd71de7..18adeff 100644
--- a/SPECS/libxslt.spec
+++ b/SPECS/libxslt.spec
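Review bot: The embedded libxslt/xslt.c hunk deletes the `if (style->exclPrefixMax == 0) { ... }` block that gave `exclPrefixTab` its first four slots, and none of the added lines allocate the table. The remainder of `exclPrefixPush` is outside the hunk, so confirm against the 1.1.34 source that the later growth path handles `exclPrefixMax == 0`; if it only doubles the capacity, zero stays zero and the first store into the table would target a zero-sized or NULL allocation. If that is the case, keep the removed allocation block in place directly after the `if (value == NULL) return(-1);` check, so that the backport changes only where the string is stored. A build-time test that loads a stylesheet using `exclude-result-prefixes` would show whether the table is still set up correctly.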
@@ -1,7 +1,7 @@ Name: libxslt Summary: Library providing the Gnome XSLT engine Version: 1.1.34 -Release: 9%{?dist}.1 +Release: 9%{?dist}.2 License: MIT URL: http://xmlsoft.org/XSLT @@ -26,6 +26,8 @@ Patch4: libxslt-1.1.34-tutorial2-dtd.patch Patch5: libxslt-1.1.34-test-fuzz-build.patch # https://issues.redhat.com/browse/RHEL-83501 Patch6: libxslt-1.1.34-CVE-2025-24855.patch +# https://issues.redhat.com/browse/RHEL-83515 +Patch7: libxslt-1.1.34-CVE-2024-55549.patch %description This C library allows to transform XML files into other XML files @@ -132,6 +134,9 @@ rm -vrf %{buildroot}%{_docdir} %endif %changelog +* Thu Apr 17 2025 David King - 1.1.34-9.2 +- Fix CVE-2024-55549 (RHEL-83515) + * Thu Mar 20 2025 David King - 1.1.34-9.1 - Fix CVE-2025-24855 (RHEL-83501)