SOURCES/libxslt-1.1.32-CVE-2024-55549.patch

@@ -0,0 +1,103 @@
+From 5b3b3151e4af0f6c234c97e01e05cf6edc9eceab Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 21 Mar 2023 12:19:50 +0100
+Subject: [PATCH 1/2] malloc-fail: Fix memory leak in exclPrefixPush
+
+Found by OSS-Fuzz, see #84.
+---
+ libxslt/xslt.c | 24 ++++++++----------------
+ 1 file changed, 8 insertions(+), 16 deletions(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 7a1ce011..6d4126a1 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -157,31 +157,23 @@ exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
+ {
+     int i;
+ 
+-    if (style->exclPrefixMax == 0) {
+-        style->exclPrefixMax = 4;
+-        style->exclPrefixTab =
+-            (xmlChar * *)xmlMalloc(style->exclPrefixMax *
+-                                   sizeof(style->exclPrefixTab[0]));
+-        if (style->exclPrefixTab == NULL) {
+-            xmlGenericError(xmlGenericErrorContext, "malloc failed !\n");
+-            return (-1);
+-        }
+-    }
+     /* do not push duplicates */
+     for (i = 0;i < style->exclPrefixNr;i++) {
+         if (xmlStrEqual(style->exclPrefixTab[i], value))
+ 	    return(-1);
+     }
+     if (style->exclPrefixNr >= style->exclPrefixMax) {
+-        style->exclPrefixMax *= 2;
+-        style->exclPrefixTab =
+-            (xmlChar * *)xmlRealloc(style->exclPrefixTab,
+-                                    style->exclPrefixMax *
+-                                    sizeof(style->exclPrefixTab[0]));
+-        if (style->exclPrefixTab == NULL) {
++        xmlChar **tmp;
++        size_t max = style->exclPrefixMax ? style->exclPrefixMax * 2 : 4;
++
++        tmp = xmlRealloc(style->exclPrefixTab,
++                         max * sizeof(style->exclPrefixTab[0]));
++        if (tmp == NULL) {
+             xmlGenericError(xmlGenericErrorContext, "realloc failed !\n");
+             return (-1);
+         }
++        style->exclPrefixTab = tmp;
++        style->exclPrefixMax = max;
+     }
+     style->exclPrefixTab[style->exclPrefixNr] = value;
+     style->exclPrefix = value;
+-- 
+2.49.0
+
+
+From 43c2b70b12717940ff9141c3bc2dc7f3a49df2b5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 5 Dec 2024 12:43:19 +0100
+Subject: [PATCH 2/2] [CVE-2024-55549] Fix UAF related to excluded namespaces
+
+Definitions of excluded namespaces could be deleted in
+xsltParseTemplateContent. Store excluded namespace URIs in the
+stylesheet's dictionary instead of referencing the namespace definition.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #127.
+---
+ libxslt/xslt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 6d4126a1..11681a13 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
+  * in case of error
+  */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
++exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
++    xmlChar *value;
+     int i;
+ 
++    /*
++     * orig can come from a namespace definition on a node which
++     * could be deleted later, for example in xsltParseTemplateContent.
++     * Store the string in stylesheet's dict to avoid use after free.
++     */
++    value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
++    if (value == NULL)
++        return(-1);
++
+     /* do not push duplicates */
+     for (i = 0;i < style->exclPrefixNr;i++) {
+         if (xmlStrEqual(style->exclPrefixTab[i], value))
+-- 
+2.49.0
+

SOURCES/libxslt-1.1.32-CVE-2025-24855.patch

@@ -0,0 +1,130 @@
+From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 17 Dec 2024 15:56:21 +0100
+Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node
+
+There are several places where the XPath context node isn't restored
+after modifying it, leading to use-after-free errors with nested XPath
+evaluations and dynamically allocated context nodes.
+
+Restore XPath context node in
+
+- xsltNumberFormatGetValue
+- xsltEvalXPathPredicate
+- xsltEvalXPathStringNs
+- xsltComputeSortResultInternal
+
+In some places, the transformation context node was saved and restored
+which shouldn't be necessary.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #128.
+---
+ libxslt/numbers.c   | 5 +++++
+ libxslt/templates.c | 9 ++++++---
+ libxslt/xsltutils.c | 4 ++--
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 0e1fa136..741124d1 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+     int amount = 0;
+     xmlBufferPtr pattern;
+     xmlXPathObjectPtr obj;
++    xmlNodePtr oldNode;
+ 
+     pattern = xmlBufferCreate();
+     if (pattern != NULL) {
++        oldNode = context->node;
++
+ 	xmlBufferCCat(pattern, "number(");
+ 	xmlBufferCat(pattern, value);
+ 	xmlBufferCCat(pattern, ")");
+@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+ 	    xmlXPathFreeObject(obj);
+ 	}
+ 	xmlBufferFree(pattern);
++
++        context->node = oldNode;
+     }
+     return amount;
+ }
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index f08b9bda..1c8d96e2 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
+@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     int oldNsNr;
+     xmlNsPtr *oldNamespaces;
+     xmlNodePtr oldInst;
++    xmlNodePtr oldNode;
+     int oldProximityPosition, oldContextSize;
+ 
+     if ((ctxt == NULL) || (ctxt->inst == NULL)) {
+@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+         return(0);
+     }
+ 
++    oldNode = ctxt->xpathCtxt->node;
+     oldContextSize = ctxt->xpathCtxt->contextSize;
+     oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ 	ctxt->state = XSLT_STATE_STOPPED;
+ 	ret = 0;
+     }
+-    ctxt->xpathCtxt->nsNr = oldNsNr;
+ 
++    ctxt->xpathCtxt->node = oldNode;
++    ctxt->xpathCtxt->nsNr = oldNsNr;
+     ctxt->xpathCtxt->namespaces = oldNamespaces;
+     ctxt->inst = oldInst;
+     ctxt->xpathCtxt->contextSize = oldContextSize;
+@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     }
+ 
+     oldInst = ctxt->inst;
+-    oldNode = ctxt->node;
++    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ 	 "xsltEvalXPathString: returns %s\n", ret));
+ #endif
+     ctxt->inst = oldInst;
+-    ctxt->node = oldNode;
++    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 0e9dc62f..a20da961 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
+@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ 	return(NULL);
+     }
+ 
+-    oldNode = ctxt->node;
+     oldInst = ctxt->inst;
++    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ 	    results[i] = NULL;
+ 	}
+     }
+-    ctxt->node = oldNode;
+     ctxt->inst = oldInst;
++    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+-- 
+GitLab
+

SPECS/libxslt.spec

@@ -8,7 +8,7 @@
 Name:           libxslt
 Summary:        Library providing the Gnome XSLT engine
 Version:        1.1.32
-Release:        6%{?dist}
+Release:        6.2%{?dist}
 
 License:        MIT
 URL:            http://xmlsoft.org/XSLT
@@ -33,6 +33,12 @@ Patch3:         libxslt-1.1.32-CVE-2019-18197.patch
 Patch4:         libxslt-1.1.32-CVE-2019-11068.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1860467
 Patch5:         libxslt-1.1.32-unexpected-rvt-flag.patch
+# https://issues.redhat.com/browse/RHEL-83506
+Patch6:         libxslt-1.1.32-CVE-2024-55549.patch
+# https://issues.redhat.com/browse/RHEL-83492
+Patch7:         libxslt-1.1.32-CVE-2025-24855.patch
+# https://issues.redhat.com/browse/RHEL-89374
+Patch8:         libxslt-1.1.32-CVE-2023-40403.patch
 
 %description
 This C library allows to transform XML files into other XML files
@@ -137,6 +143,13 @@ rm -vrf %{buildroot}%{_docdir}
 %endif # with python2
 
 %changelog
+* Tue Jun 03 2025 David King <dking@redhat.com> - 1.1.32-6.2
+- Fix CVE-2023-40403 (aka 2022-4909) (RHEL-89374)
+
+* Fri Apr 04 2025 David King <dking@redhat.com> - 1.1.32-6.1
+- Fix CVE-2024-55549 (RHEL-83506)
+- Fix CVE-2025-24855 (RHEL-83492)
+
 * Mon Aug 24 2020 David King <dking@redhat.com> - 1.1.32-6
 - Fix unexpected RVT flag error (#1860467)