rpms/libxslt
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2024-55549 (RHEL-83514)

Browse Source 
Resolves: RHEL-83514
This commit is contained in:
David King 2025-04-02 19:06:45 +01:00
parent af568e2516
commit 8acc3c3400
2 changed files with 61 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
libxslt-1.1.34-CVE-2024-55549.patch Normal file
View File

@ -0,0 +1,55 @@
From 24d51683da1e748acceb234cdb6f670fa9dade9e Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 5 Dec 2024 12:43:19 +0100
Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
Definitions of excluded namespaces could be deleted in
xsltParseTemplateContent. Store excluded namespace URIs in the
stylesheet's dictionary instead of referencing the namespace definition.
Thanks to Ivan Fratric for the report!
Fixes #127.
---
libxslt/xslt.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 7a1ce011..4f975cd2 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -153,20 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
* in case of error
*/
static int
-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
{
+ xmlChar *value;
int i;
- if (style->exclPrefixMax == 0) {
- style->exclPrefixMax = 4;
- style->exclPrefixTab =
- (xmlChar * *)xmlMalloc(style->exclPrefixMax *
- sizeof(style->exclPrefixTab[0]));
- if (style->exclPrefixTab == NULL) {
- xmlGenericError(xmlGenericErrorContext, "malloc failed !\n");
- return (-1);
- }
- }
+ /*
+ * orig can come from a namespace definition on a node which
+ * could be deleted later, for example in xsltParseTemplateContent.
+ * Store the string in stylesheet's dict to avoid use after free.
+ */
+ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
+ if (value == NULL)
+ return(-1);
+
/* do not push duplicates */
for (i = 0;i < style->exclPrefixNr;i++) {
if (xmlStrEqual(style->exclPrefixTab[i], value))
--
2.49.0

7
libxslt.spec
View File

@ -1,7 +1,7 @@
Name: libxslt Name: libxslt
Summary: Library providing the Gnome XSLT engine Summary: Library providing the Gnome XSLT engine
Version: 1.1.34 Version: 1.1.34
Release: 10%{?dist} Release: 11%{?dist}
License: MIT License: MIT
URL: http://xmlsoft.org/XSLT URL: http://xmlsoft.org/XSLT
@ -26,6 +26,8 @@ Patch4: libxslt-1.1.34-tutorial2-dtd.patch
Patch5: libxslt-1.1.34-test-fuzz-build.patch Patch5: libxslt-1.1.34-test-fuzz-build.patch
# https://issues.redhat.com/browse/RHEL-83500 # https://issues.redhat.com/browse/RHEL-83500
Patch6: libxslt-1.1.34-CVE-2025-24855.patch Patch6: libxslt-1.1.34-CVE-2025-24855.patch
# https://issues.redhat.com/browse/RHEL-83514
Patch7: libxslt-1.1.34-CVE-2024-55549.patch
%description %description
This C library allows to transform XML files into other XML files This C library allows to transform XML files into other XML files
@ -132,6 +134,9 @@ rm -vrf %{buildroot}%{_docdir}
%endif %endif
%changelog %changelog
* Wed Apr 02 2025 David King <dking@redhat.com> - 1.1.34-11
- Fix CVE-2024-55549 (RHEL-83514)
* Thu Mar 20 2025 David King <dking@redhat.com> - 1.1.34-10 * Thu Mar 20 2025 David King <dking@redhat.com> - 1.1.34-10
- Fix CVE-2025-24855 (RHEL-83500) - Fix CVE-2025-24855 (RHEL-83500)