Fix CVE-2024-55549 (RHEL-83514)
Resolves: RHEL-83514
This commit is contained in:
David King
parent
af568e2516
commit
8acc3c3400
55
libxslt-1.1.34-CVE-2024-55549.patch
Normal file
55
libxslt-1.1.34-CVE-2024-55549.patch
Normal file
@ -0,0 +1,55 @@
|
||||
From 24d51683da1e748acceb234cdb6f670fa9dade9e Mon Sep 17 00:00:00 2001
|
||||
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||
Date: Thu, 5 Dec 2024 12:43:19 +0100
|
||||
Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
|
||||
|
||||
Definitions of excluded namespaces could be deleted in
|
||||
xsltParseTemplateContent. Store excluded namespace URIs in the
|
||||
stylesheet's dictionary instead of referencing the namespace definition.
|
||||
|
||||
Thanks to Ivan Fratric for the report!
|
||||
|
||||
Fixes #127.
|
||||
---
|
||||
libxslt/xslt.c | 22 +++++++++++-----------
|
||||
1 file changed, 11 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
|
||||
index 7a1ce011..4f975cd2 100644
|
||||
--- a/libxslt/xslt.c
|
||||
+++ b/libxslt/xslt.c
|
||||
@@ -153,20 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
|
||||
* in case of error
|
||||
*/
|
||||
static int
|
||||
-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
|
||||
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
|
||||
{
|
||||
+ xmlChar *value;
|
||||
int i;
|
||||
|
||||
- if (style->exclPrefixMax == 0) {
|
||||
- style->exclPrefixMax = 4;
|
||||
- style->exclPrefixTab =
|
||||
- (xmlChar * *)xmlMalloc(style->exclPrefixMax *
|
||||
- sizeof(style->exclPrefixTab[0]));
|
||||
- if (style->exclPrefixTab == NULL) {
|
||||
- xmlGenericError(xmlGenericErrorContext, "malloc failed !\n");
|
||||
- return (-1);
|
||||
- }
|
||||
- }
|
||||
+ /*
|
||||
+ * orig can come from a namespace definition on a node which
|
||||
+ * could be deleted later, for example in xsltParseTemplateContent.
|
||||
+ * Store the string in stylesheet's dict to avoid use after free.
|
||||
+ */
|
||||
+ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
|
||||
+ if (value == NULL)
|
||||
+ return(-1);
|
||||
+
|
||||
/* do not push duplicates */
|
||||
for (i = 0;i < style->exclPrefixNr;i++) {
|
||||
if (xmlStrEqual(style->exclPrefixTab[i], value))
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
Name: libxslt
|
||||
Summary: Library providing the Gnome XSLT engine
|
||||
Version: 1.1.34
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
|
||||
License: MIT
|
||||
URL: http://xmlsoft.org/XSLT
|
||||
@ -26,6 +26,8 @@ Patch4: libxslt-1.1.34-tutorial2-dtd.patch
|
||||
Patch5: libxslt-1.1.34-test-fuzz-build.patch
|
||||
# https://issues.redhat.com/browse/RHEL-83500
|
||||
Patch6: libxslt-1.1.34-CVE-2025-24855.patch
|
||||
# https://issues.redhat.com/browse/RHEL-83514
|
||||
Patch7: libxslt-1.1.34-CVE-2024-55549.patch
|
||||
|
||||
%description
|
||||
This C library allows to transform XML files into other XML files
|
||||
@ -132,6 +134,9 @@ rm -vrf %{buildroot}%{_docdir}
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Apr 02 2025 David King <dking@redhat.com> - 1.1.34-11
|
||||
- Fix CVE-2024-55549 (RHEL-83514)
|
||||
|
||||
* Thu Mar 20 2025 David King <dking@redhat.com> - 1.1.34-10
|
||||
- Fix CVE-2025-24855 (RHEL-83500)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user