diff --git a/libxslt-1.1.32-CVE-2024-55549.patch b/libxslt-1.1.32-CVE-2024-55549.patch new file mode 100644 index 0000000..64c0b91 --- /dev/null +++ b/libxslt-1.1.32-CVE-2024-55549.patch @@ -0,0 +1,103 @@ +From 5b3b3151e4af0f6c234c97e01e05cf6edc9eceab Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 21 Mar 2023 12:19:50 +0100 +Subject: [PATCH 1/2] malloc-fail: Fix memory leak in exclPrefixPush + +Found by OSS-Fuzz, see #84. +--- + libxslt/xslt.c | 24 ++++++++---------------- + 1 file changed, 8 insertions(+), 16 deletions(-) + +diff --git a/libxslt/xslt.c b/libxslt/xslt.c +index 7a1ce011..6d4126a1 100644 +--- a/libxslt/xslt.c ++++ b/libxslt/xslt.c +@@ -157,31 +157,23 @@ exclPrefixPush(xsltStylesheetPtr style, xmlChar * value) + { + int i; + +- if (style->exclPrefixMax == 0) { +- style->exclPrefixMax = 4; +- style->exclPrefixTab = +- (xmlChar * *)xmlMalloc(style->exclPrefixMax * +- sizeof(style->exclPrefixTab[0])); +- if (style->exclPrefixTab == NULL) { +- xmlGenericError(xmlGenericErrorContext, "malloc failed !\n"); +- return (-1); +- } +- } + /* do not push duplicates */ + for (i = 0;i < style->exclPrefixNr;i++) { + if (xmlStrEqual(style->exclPrefixTab[i], value)) + return(-1); + } + if (style->exclPrefixNr >= style->exclPrefixMax) { +- style->exclPrefixMax *= 2; +- style->exclPrefixTab = +- (xmlChar * *)xmlRealloc(style->exclPrefixTab, +- style->exclPrefixMax * +- sizeof(style->exclPrefixTab[0])); +- if (style->exclPrefixTab == NULL) { ++ xmlChar **tmp; ++ size_t max = style->exclPrefixMax ? style->exclPrefixMax * 2 : 4; ++ ++ tmp = xmlRealloc(style->exclPrefixTab, ++ max * sizeof(style->exclPrefixTab[0])); ++ if (tmp == NULL) { + xmlGenericError(xmlGenericErrorContext, "realloc failed !\n"); + return (-1); + } ++ style->exclPrefixTab = tmp; ++ style->exclPrefixMax = max; + } + style->exclPrefixTab[style->exclPrefixNr] = value; + style->exclPrefix = value; +-- +2.49.0 + + +From 43c2b70b12717940ff9141c3bc2dc7f3a49df2b5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 5 Dec 2024 12:43:19 +0100 +Subject: [PATCH 2/2] [CVE-2024-55549] Fix UAF related to excluded namespaces + +Definitions of excluded namespaces could be deleted in +xsltParseTemplateContent. Store excluded namespace URIs in the +stylesheet's dictionary instead of referencing the namespace definition. + +Thanks to Ivan Fratric for the report! + +Fixes #127. +--- + libxslt/xslt.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/libxslt/xslt.c b/libxslt/xslt.c +index 6d4126a1..11681a13 100644 +--- a/libxslt/xslt.c ++++ b/libxslt/xslt.c +@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style, + * in case of error + */ + static int +-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value) ++exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig) + { ++ xmlChar *value; + int i; + ++ /* ++ * orig can come from a namespace definition on a node which ++ * could be deleted later, for example in xsltParseTemplateContent. ++ * Store the string in stylesheet's dict to avoid use after free. ++ */ ++ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1); ++ if (value == NULL) ++ return(-1); ++ + /* do not push duplicates */ + for (i = 0;i < style->exclPrefixNr;i++) { + if (xmlStrEqual(style->exclPrefixTab[i], value)) +-- +2.49.0 + diff --git a/libxslt.spec b/libxslt.spec index d577505..8419549 100644 --- a/libxslt.spec +++ b/libxslt.spec @@ -8,7 +8,7 @@ Name: libxslt Summary: Library providing the Gnome XSLT engine Version: 1.1.32 -Release: 6%{?dist} +Release: 6.1%{?dist} License: MIT URL: http://xmlsoft.org/XSLT @@ -33,6 +33,8 @@ Patch3: libxslt-1.1.32-CVE-2019-18197.patch Patch4: libxslt-1.1.32-CVE-2019-11068.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1860467 Patch5: libxslt-1.1.32-unexpected-rvt-flag.patch +# https://issues.redhat.com/browse/RHEL-83506 +Patch6: libxslt-1.1.32-CVE-2024-55549.patch %description This C library allows to transform XML files into other XML files @@ -137,6 +139,9 @@ rm -vrf %{buildroot}%{_docdir} %endif # with python2 %changelog +* Fri Apr 04 2025 David King - 1.1.32-6.1 +- Fix CVE-2024-55549 (RHEL-83506) + * Mon Aug 24 2020 David King - 1.1.32-6 - Fix unexpected RVT flag error (#1860467)