rpms/libxslt
6
0
Fork 1
Code Issues Pull Requests Releases Activity

Fix CVE-2024-55549 (RHEL-83503)

Browse Source 
Resolves: RHEL-83503
This commit is contained in:
David King 2025-04-04 09:13:10 +01:00
parent c184f96c17
commit bd7aac166c
2 changed files with 51 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
libxslt-1.1.39-CVE-2024-55549.patch Normal file
View File

@ -0,0 +1,45 @@
From 7f24858ae0f26e610a5a9a6f2a216fa6469c52d1 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 5 Dec 2024 12:43:19 +0100
Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
Definitions of excluded namespaces could be deleted in
xsltParseTemplateContent. Store excluded namespace URIs in the
stylesheet's dictionary instead of referencing the namespace definition.
Thanks to Ivan Fratric for the report!
Fixes #127.
---
libxslt/xslt.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 39a700b0..9a081cd1 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -147,10 +147,20 @@ xsltParseContentError(xsltStylesheetPtr style,
* in case of error
*/
static int
-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
{
+ xmlChar *value;
int i;
+ /*
+ * orig can come from a namespace definition on a node which
+ * could be deleted later, for example in xsltParseTemplateContent.
+ * Store the string in stylesheet's dict to avoid use after free.
+ */
+ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
+ if (value == NULL)
+ return(-1);
+
/* do not push duplicates */
for (i = 0;i < style->exclPrefixNr;i++) {
if (xmlStrEqual(style->exclPrefixTab[i], value))
--
2.49.0

7
libxslt.spec
View File

@ -1,7 +1,7 @@
Name: libxslt Name: libxslt
Summary: Library providing the Gnome XSLT engine Summary: Library providing the Gnome XSLT engine
Version: 1.1.39 Version: 1.1.39
Release: 6%{?dist} Release: 7%{?dist}
License: MIT License: MIT
URL: https://gitlab.gnome.org/GNOME/libxslt URL: https://gitlab.gnome.org/GNOME/libxslt
@ -21,6 +21,8 @@ BuildRequires: python3-devel
Patch0: multilib.patch Patch0: multilib.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1467435 # https://bugzilla.redhat.com/show_bug.cgi?id=1467435
Patch1: multilib2.patch Patch1: multilib2.patch
# https://issues.redhat.com/browse/RHEL-83503
Patch2: libxslt-1.1.39-CVE-2024-55549.patch
%description %description
This C library allows to transform XML files into other XML files This C library allows to transform XML files into other XML files
@ -134,6 +136,9 @@ rm -vrf %{buildroot}%{_docdir}
%endif %endif
%changelog %changelog
* Fri Apr 04 2025 David King <dking@redhat.com> - 1.1.39-7
- Fix CVE-2024-55549 (RHEL-83503)
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.1.39-6 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.1.39-6
- Bump release for October 2024 mass rebuild: - Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018 Resolves: RHEL-64018