6 changed files with 718 additions and 1 deletions
--- a/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch
+++ b/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch
@ -0,0 +1,120 @@
+From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: [PATCH] Fix security framework bypass
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c   |  9 +++++----
+ libxslt/transform.c |  9 +++++----
+ libxslt/xslt.c      |  9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312..4aad11bb 100644
+--- a/libxslt/documents.c
+++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(ctxt->sec, ctxt, URI);
+-	if (res == 0) {
+-	    xsltTransformError(ctxt, NULL, NULL,
+-		 "xsltLoadDocument: read rights for %s denied\n",
+-			     URI);
+	if (res <= 0) {
+            if (res == 0)
+                xsltTransformError(ctxt, NULL, NULL,
+                     "xsltLoadDocument: read rights for %s denied\n",
+                                 URI);
+ 	    return(NULL);
+ 	}
+     }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(sec, NULL, URI);
+-	if (res == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsltLoadStyleDocument: read rights for %s denied\n",
+-			     URI);
+	if (res <= 0) {
+            if (res == 0)
+                xsltTransformError(NULL, NULL, NULL,
+                     "xsltLoadStyleDocument: read rights for %s denied\n",
+                                 URI);
+ 	    return(NULL);
+ 	}
+     }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 874870cc..3783b247 100644
+--- a/libxslt/imports.c
+++ b/libxslt/imports.c
+@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ 	int secres;
+ 
+ 	secres = xsltCheckRead(sec, NULL, URI);
+-	if (secres == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsl:import: read rights for %s denied\n",
+-			     URI);
+	if (secres <= 0) {
+            if (secres == 0)
+                xsltTransformError(NULL, NULL, NULL,
+                     "xsl:import: read rights for %s denied\n",
+                                 URI);
+ 	    goto error;
+ 	}
+     }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 13793914..0636dbd0 100644
+--- a/libxslt/transform.c
+++ b/libxslt/transform.c
+@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+      */
+     if (ctxt->sec != NULL) {
+ 	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+-	if (ret == 0) {
+-	    xsltTransformError(ctxt, NULL, inst,
+-		 "xsltDocumentElem: write rights for %s denied\n",
+-			     filename);
+	if (ret <= 0) {
+            if (ret == 0)
+                xsltTransformError(ctxt, NULL, inst,
+                     "xsltDocumentElem: write rights for %s denied\n",
+                                 filename);
+ 	    xmlFree(URL);
+ 	    xmlFree(filename);
+ 	    return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 780a5ad7..a234eb79 100644
+--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ 	int res;
+ 
+ 	res = xsltCheckRead(sec, NULL, filename);
+-	if (res == 0) {
+-	    xsltTransformError(NULL, NULL, NULL,
+-		 "xsltParseStylesheetFile: read rights for %s denied\n",
+-			     filename);
+	if (res <= 0) {
+            if (res == 0)
+                xsltTransformError(NULL, NULL, NULL,
+                     "xsltParseStylesheetFile: read rights for %s denied\n",
+                                 filename);
+ 	    return(NULL);
+ 	}
+     }
+-- 
+2.24.1
+
--- a/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch
+++ b/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch
@ -0,0 +1,30 @@
+From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 17 Aug 2019 16:51:53 +0200
+Subject: [PATCH] Fix dangling pointer in xsltCopyText
+
+xsltCopyText didn't reset ctxt->lasttext in some cases which could
+lead to various memory errors in relation with CDATA sections in input
+documents.
+
+Found by OSS-Fuzz.
+---
+ libxslt/transform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 95ebd073..d7ab0b66 100644
+--- a/libxslt/transform.c
+++ b/libxslt/transform.c
+@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ 	    if ((copy->content = xmlStrdup(cur->content)) == NULL)
+ 		return NULL;
+ 	}
+
+	ctxt->lasttext = NULL;
+     } else {
+         /*
+ 	 * normal processing. keep counters to extend the text node
+-- 
+2.22.0
+
--- a/SOURCES/libxslt-1.1.32-CVE-2024-55549.patch
+++ b/SOURCES/libxslt-1.1.32-CVE-2024-55549.patch
@ -0,0 +1,103 @@
+From 5b3b3151e4af0f6c234c97e01e05cf6edc9eceab Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 21 Mar 2023 12:19:50 +0100
+Subject: [PATCH 1/2] malloc-fail: Fix memory leak in exclPrefixPush
+
+Found by OSS-Fuzz, see #84.
+---
+ libxslt/xslt.c | 24 ++++++++----------------
+ 1 file changed, 8 insertions(+), 16 deletions(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 7a1ce011..6d4126a1 100644
+--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
+@@ -157,31 +157,23 @@ exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
+ {
+     int i;
+ 
+-    if (style->exclPrefixMax == 0) {
+-        style->exclPrefixMax = 4;
+-        style->exclPrefixTab =
+-            (xmlChar * *)xmlMalloc(style->exclPrefixMax *
+-                                   sizeof(style->exclPrefixTab[0]));
+-        if (style->exclPrefixTab == NULL) {
+-            xmlGenericError(xmlGenericErrorContext, "malloc failed !\n");
+-            return (-1);
+-        }
+-    }
+     /* do not push duplicates */
+     for (i = 0;i < style->exclPrefixNr;i++) {
+         if (xmlStrEqual(style->exclPrefixTab[i], value))
+ 	    return(-1);
+     }
+     if (style->exclPrefixNr >= style->exclPrefixMax) {
+-        style->exclPrefixMax *= 2;
+-        style->exclPrefixTab =
+-            (xmlChar * *)xmlRealloc(style->exclPrefixTab,
+-                                    style->exclPrefixMax *
+-                                    sizeof(style->exclPrefixTab[0]));
+-        if (style->exclPrefixTab == NULL) {
+        xmlChar **tmp;
+        size_t max = style->exclPrefixMax ? style->exclPrefixMax * 2 : 4;
+
+        tmp = xmlRealloc(style->exclPrefixTab,
+                         max * sizeof(style->exclPrefixTab[0]));
+        if (tmp == NULL) {
+             xmlGenericError(xmlGenericErrorContext, "realloc failed !\n");
+             return (-1);
+         }
+        style->exclPrefixTab = tmp;
+        style->exclPrefixMax = max;
+     }
+     style->exclPrefixTab[style->exclPrefixNr] = value;
+     style->exclPrefix = value;
+-- 
+2.49.0
+
+
+From 43c2b70b12717940ff9141c3bc2dc7f3a49df2b5 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 5 Dec 2024 12:43:19 +0100
+Subject: [PATCH 2/2] [CVE-2024-55549] Fix UAF related to excluded namespaces
+
+Definitions of excluded namespaces could be deleted in
+xsltParseTemplateContent. Store excluded namespace URIs in the
+stylesheet's dictionary instead of referencing the namespace definition.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #127.
+---
+ libxslt/xslt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 6d4126a1..11681a13 100644
+--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
+@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
+  * in case of error
+  */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
+    xmlChar *value;
+     int i;
+ 
+    /*
+     * orig can come from a namespace definition on a node which
+     * could be deleted later, for example in xsltParseTemplateContent.
+     * Store the string in stylesheet's dict to avoid use after free.
+     */
+    value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
+    if (value == NULL)
+        return(-1);
+
+     /* do not push duplicates */
+     for (i = 0;i < style->exclPrefixNr;i++) {
+         if (xmlStrEqual(style->exclPrefixTab[i], value))
+-- 
+2.49.0
+
--- a/SOURCES/libxslt-1.1.32-CVE-2025-24855.patch
+++ b/SOURCES/libxslt-1.1.32-CVE-2025-24855.patch
@ -0,0 +1,130 @@
+From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 17 Dec 2024 15:56:21 +0100
+Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node
+
+There are several places where the XPath context node isn't restored
+after modifying it, leading to use-after-free errors with nested XPath
+evaluations and dynamically allocated context nodes.
+
+Restore XPath context node in
+
+- xsltNumberFormatGetValue
+- xsltEvalXPathPredicate
+- xsltEvalXPathStringNs
+- xsltComputeSortResultInternal
+
+In some places, the transformation context node was saved and restored
+which shouldn't be necessary.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #128.
+---
+ libxslt/numbers.c   | 5 +++++
+ libxslt/templates.c | 9 ++++++---
+ libxslt/xsltutils.c | 4 ++--
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 0e1fa136..741124d1 100644
+--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
+@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+     int amount = 0;
+     xmlBufferPtr pattern;
+     xmlXPathObjectPtr obj;
+    xmlNodePtr oldNode;
+ 
+     pattern = xmlBufferCreate();
+     if (pattern != NULL) {
+        oldNode = context->node;
+
+ 	xmlBufferCCat(pattern, "number(");
+ 	xmlBufferCat(pattern, value);
+ 	xmlBufferCCat(pattern, ")");
+@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+ 	    xmlXPathFreeObject(obj);
+ 	}
+ 	xmlBufferFree(pattern);
+
+        context->node = oldNode;
+     }
+     return amount;
+ }
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index f08b9bda..1c8d96e2 100644
+--- a/libxslt/templates.c
+++ b/libxslt/templates.c
+@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     int oldNsNr;
+     xmlNsPtr *oldNamespaces;
+     xmlNodePtr oldInst;
+    xmlNodePtr oldNode;
+     int oldProximityPosition, oldContextSize;
+ 
+     if ((ctxt == NULL) || (ctxt->inst == NULL)) {
+@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+         return(0);
+     }
+ 
+    oldNode = ctxt->xpathCtxt->node;
+     oldContextSize = ctxt->xpathCtxt->contextSize;
+     oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ 	ctxt->state = XSLT_STATE_STOPPED;
+ 	ret = 0;
+     }
+-    ctxt->xpathCtxt->nsNr = oldNsNr;
+ 
+    ctxt->xpathCtxt->node = oldNode;
+    ctxt->xpathCtxt->nsNr = oldNsNr;
+     ctxt->xpathCtxt->namespaces = oldNamespaces;
+     ctxt->inst = oldInst;
+     ctxt->xpathCtxt->contextSize = oldContextSize;
+@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     }
+ 
+     oldInst = ctxt->inst;
+-    oldNode = ctxt->node;
+    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ 	 "xsltEvalXPathString: returns %s\n", ret));
+ #endif
+     ctxt->inst = oldInst;
+-    ctxt->node = oldNode;
+    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 0e9dc62f..a20da961 100644
+--- a/libxslt/xsltutils.c
+++ b/libxslt/xsltutils.c
+@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ 	return(NULL);
+     }
+ 
+-    oldNode = ctxt->node;
+     oldInst = ctxt->inst;
+    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ 	    results[i] = NULL;
+ 	}
+     }
+-    ctxt->node = oldNode;
+     ctxt->inst = oldInst;
+    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+-- 
+GitLab
+
--- a/SOURCES/libxslt-1.1.32-unexpected-rvt-flag.patch
+++ b/SOURCES/libxslt-1.1.32-unexpected-rvt-flag.patch
@ -0,0 +1,313 @@
+From 7d81bd62d5788a9e2931c20a3d0a6be7e703c608 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 23 Jul 2018 22:52:12 +0200
+Subject: [PATCH] Fix EXSLT functions returning RVTs from outer scopes
+
+The RVTs referenced from function results must not be blindly registered
+as local, as they might be part of variables from an outer scope. Remove
+LOCAL/VARIABLE distinction for RVTs. Don't register as local RVT
+unconditionally when reflagging as LOCAL. Instead, register function
+result RVTs from inner variables as local RVTs when they're released in
+xsltFreeStackElem. Keep local function result RVTs xsltReleaseLocalRVTs
+instead of reregistering.
+
+Closes: https://gitlab.gnome.org/GNOME/libxslt/issues/2
+
+Thanks to Daniel Mendler and Martin Gieseking for the reports.
+---
+ libexslt/functions.c      | 11 ++++++++++-
+ libxslt/transform.c       | 17 ++++++++++++++---
+ libxslt/variables.c       | 27 +++++++++++----------------
+ libxslt/variables.h       | 12 ++----------
+ tests/docs/bug-210.xml    |  1 +
+ tests/docs/bug-211.xml    |  1 +
+ tests/general/bug-210.out |  2 ++
+ tests/general/bug-210.xsl | 20 ++++++++++++++++++++
+ tests/general/bug-211.out |  2 ++
+ tests/general/bug-211.xsl | 26 ++++++++++++++++++++++++++
+ 10 files changed, 89 insertions(+), 30 deletions(-)
+ create mode 100644 tests/docs/bug-210.xml
+ create mode 100644 tests/docs/bug-211.xml
+ create mode 100644 tests/general/bug-210.out
+ create mode 100644 tests/general/bug-210.xsl
+ create mode 100644 tests/general/bug-211.out
+ create mode 100644 tests/general/bug-211.xsl
+
+diff --git a/libexslt/functions.c b/libexslt/functions.c
+index 2b83ca34..b7b968f8 100644
+--- a/libexslt/functions.c
+++ b/libexslt/functions.c
+@@ -426,7 +426,15 @@ exsltFuncFunctionFunction (xmlXPathParserContextPtr ctxt, int nargs) {
+ 	}
+     }
+     /*
+-     * actual processing
+     * Actual processing. Note that contextVariable is set to NULL which
+     * means that RVTs returned from functions always end up as local RVTs,
+     * not as variable fragments if the function is called in the select
+     * expression of an xsl:variable. This is a hack that only works because
+     * xsltReleaseLocalRVTs isn't called after processing xsl:variable.
+     *
+     * It would probably be better to remove the fragile contextVariable
+     * logic and make xsltEvalVariable move the required RVTs into the
+     * variable manually.
+      */
+     fake = xmlNewDocNode(tctxt->output, NULL,
+ 			 (const xmlChar *)"fake", NULL);
+@@ -766,6 +774,7 @@ exsltFuncResultElem (xsltTransformContextPtr ctxt,
+ 	    return;
+ 	}
+         /* Mark as function result. */
+        xsltRegisterLocalRVT(ctxt, container);
+         container->psvi = XSLT_RVT_FUNC_RESULT;
+ 
+ 	oldInsert = ctxt->insert;
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 90d2731d..d7af31f1 100644
+--- a/libxslt/transform.c
+++ b/libxslt/transform.c
+@@ -2295,6 +2295,7 @@ static void
+ xsltReleaseLocalRVTs(xsltTransformContextPtr ctxt, xmlDocPtr base)
+ {
+     xmlDocPtr cur = ctxt->localRVT, tmp;
+    xmlDocPtr prev = NULL;
+ 
+     if (cur == base)
+         return;
+@@ -2308,16 +2309,26 @@ xsltReleaseLocalRVTs(xsltTransformContextPtr ctxt, xmlDocPtr base)
+             xsltReleaseRVT(ctxt, tmp);
+         } else if (tmp->psvi == XSLT_RVT_GLOBAL) {
+             xsltRegisterPersistRVT(ctxt, tmp);
+-        } else if (tmp->psvi != XSLT_RVT_FUNC_RESULT) {
+        } else if (tmp->psvi == XSLT_RVT_FUNC_RESULT) {
+            if (prev == NULL)
+                ctxt->localRVT = tmp;
+            else
+                prev->next = (xmlNodePtr) tmp;
+            tmp->prev = (xmlNodePtr) prev;
+            prev = tmp;
+        } else {
+             xmlGenericError(xmlGenericErrorContext,
+                     "xsltReleaseLocalRVTs: Unexpected RVT flag %p\n",
+                     tmp->psvi);
+         }
+     } while (cur != base);
+ 
+    if (prev == NULL)
+        ctxt->localRVT = base;
+    else
+        prev->next = (xmlNodePtr) base;
+     if (base != NULL)
+-        base->prev = NULL;
+-    ctxt->localRVT = base;
+        base->prev = (xmlNodePtr) prev;
+ }
+ 
+ /**
+diff --git a/libxslt/variables.c b/libxslt/variables.c
+index fe6f299c..8f88e573 100644
+--- a/libxslt/variables.c
+++ b/libxslt/variables.c
+@@ -123,7 +123,7 @@ xsltRegisterTmpRVT(xsltTransformContextPtr ctxt, xmlDocPtr RVT)
+ 	return(-1);
+ 
+     RVT->prev = NULL;
+-    RVT->psvi = XSLT_RVT_VARIABLE;
+    RVT->psvi = XSLT_RVT_LOCAL;
+ 
+     /*
+     * We'll restrict the lifetime of user-created fragments
+@@ -163,6 +163,7 @@ xsltRegisterLocalRVT(xsltTransformContextPtr ctxt,
+ 	return(-1);
+ 
+     RVT->prev = NULL;
+    RVT->psvi = XSLT_RVT_LOCAL;
+ 
+     /*
+     * When evaluating "select" expressions of xsl:variable
+@@ -173,7 +174,6 @@ xsltRegisterLocalRVT(xsltTransformContextPtr ctxt,
+     if ((ctxt->contextVariable != NULL) &&
+ 	(XSLT_TCTXT_VARIABLE(ctxt)->flags & XSLT_VAR_IN_SELECT))
+     {
+-        RVT->psvi = XSLT_RVT_VARIABLE;
+ 	RVT->next = (xmlNodePtr) XSLT_TCTXT_VARIABLE(ctxt)->fragment;
+ 	XSLT_TCTXT_VARIABLE(ctxt)->fragment = RVT;
+ 	return(0);
+@@ -183,7 +183,6 @@ xsltRegisterLocalRVT(xsltTransformContextPtr ctxt,
+     * If not reference by a returning instruction (like EXSLT's function),
+     * then this fragment will be freed, when the instruction exits.
+     */
+-    RVT->psvi = XSLT_RVT_LOCAL;
+     RVT->next = (xmlNodePtr) ctxt->localRVT;
+     if (ctxt->localRVT != NULL)
+ 	ctxt->localRVT->prev = (xmlNodePtr) RVT;
+@@ -314,14 +313,8 @@ xsltFlagRVTs(xsltTransformContextPtr ctxt, xmlXPathObjectPtr obj, void *val) {
+ #endif
+ 
+             if (val == XSLT_RVT_LOCAL) {
+-                if (doc->psvi != XSLT_RVT_FUNC_RESULT) {
+-		    xmlGenericError(xmlGenericErrorContext,
+-                            "xsltFlagRVTs: Invalid transition %p => LOCAL\n",
+-                            doc->psvi);
+-                    return(-1);
+-                }
+-
+-                xsltRegisterLocalRVT(ctxt, doc);
+                if (doc->psvi == XSLT_RVT_FUNC_RESULT)
+                    doc->psvi = XSLT_RVT_LOCAL;
+             } else if (val == XSLT_RVT_GLOBAL) {
+                 if (doc->psvi != XSLT_RVT_LOCAL) {
+ 		    xmlGenericError(xmlGenericErrorContext,
+@@ -585,10 +578,12 @@ xsltFreeStackElem(xsltStackElemPtr elem) {
+ 	    cur = elem->fragment;
+ 	    elem->fragment = (xmlDocPtr) cur->next;
+ 
+-            if (cur->psvi == XSLT_RVT_VARIABLE) {
+-		xsltReleaseRVT((xsltTransformContextPtr) elem->context,
+-		    cur);
+-            } else if (cur->psvi != XSLT_RVT_FUNC_RESULT) {
+            if (cur->psvi == XSLT_RVT_LOCAL) {
+		xsltReleaseRVT(elem->context, cur);
+            } else if (cur->psvi == XSLT_RVT_FUNC_RESULT) {
+                xsltRegisterLocalRVT(elem->context, cur);
+                cur->psvi = XSLT_RVT_FUNC_RESULT;
+            } else {
+                 xmlGenericError(xmlGenericErrorContext,
+                         "xsltFreeStackElem: Unexpected RVT flag %p\n",
+                         cur->psvi);
+@@ -992,7 +987,7 @@ xsltEvalVariable(xsltTransformContextPtr ctxt, xsltStackElemPtr variable,
+ 		* the Result Tree Fragment.
+ 		*/
+ 		variable->fragment = container;
+-                container->psvi = XSLT_RVT_VARIABLE;
+                container->psvi = XSLT_RVT_LOCAL;
+ 
+ 		oldOutput = ctxt->output;
+ 		oldInsert = ctxt->insert;
+diff --git a/libxslt/variables.h b/libxslt/variables.h
+index 24acf8d1..039288fb 100644
+--- a/libxslt/variables.h
+++ b/libxslt/variables.h
+@@ -45,14 +45,6 @@ extern "C" {
+  */
+ #define XSLT_RVT_LOCAL       ((void *)1)
+ 
+-/**
+- * XSLT_RVT_VARIABLE:
+- *
+- * RVT is part of a local variable and destroyed after the variable goes out
+- * of scope.
+- */
+-#define XSLT_RVT_VARIABLE    ((void *)2)
+-
+ /**
+  * XSLT_RVT_FUNC_RESULT:
+  *
+@@ -60,14 +52,14 @@ extern "C" {
+  * destroyed after exiting a template and will be reset to XSLT_RVT_LOCAL or
+  * XSLT_RVT_VARIABLE in the template that receives the return value.
+  */
+-#define XSLT_RVT_FUNC_RESULT ((void *)3)
+#define XSLT_RVT_FUNC_RESULT ((void *)2)
+ 
+ /**
+  * XSLT_RVT_GLOBAL:
+  *
+  * RVT is part of a global variable.
+  */
+-#define XSLT_RVT_GLOBAL      ((void *)4)
+#define XSLT_RVT_GLOBAL      ((void *)3)
+ 
+ /*
+  * Interfaces for the variable module.
+diff --git a/tests/docs/bug-210.xml b/tests/docs/bug-210.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
+++ b/tests/docs/bug-210.xml
+@@ -0,0 +1 @@
+<doc/>
+diff --git a/tests/docs/bug-211.xml b/tests/docs/bug-211.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
+++ b/tests/docs/bug-211.xml
+@@ -0,0 +1 @@
+<doc/>
+diff --git a/tests/general/bug-210.out b/tests/general/bug-210.out
+new file mode 100644
+index 00000000..445906d6
+--- /dev/null
+++ b/tests/general/bug-210.out
+@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+<var>value</var>
+diff --git a/tests/general/bug-210.xsl b/tests/general/bug-210.xsl
+new file mode 100644
+index 00000000..1915171d
+--- /dev/null
+++ b/tests/general/bug-210.xsl
+@@ -0,0 +1,20 @@
+<xsl:stylesheet version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:exsl="http://exslt.org/common"
+    xmlns:func="http://exslt.org/functions"
+    xmlns:my="my-namespace"
+    extension-element-prefixes="exsl func">
+
+<xsl:template match="/">
+    <xsl:variable name="var">
+        <var>value</var>
+    </xsl:variable>
+    <xsl:copy-of select="my:func($var)"/>
+</xsl:template>
+
+<func:function name="my:func">
+    <xsl:param name="var"/>
+    <func:result select="$var"/>
+</func:function>
+
+</xsl:stylesheet>
+diff --git a/tests/general/bug-211.out b/tests/general/bug-211.out
+new file mode 100644
+index 00000000..7b3cf11c
+--- /dev/null
+++ b/tests/general/bug-211.out
+@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+__
+diff --git a/tests/general/bug-211.xsl b/tests/general/bug-211.xsl
+new file mode 100644
+index 00000000..557f5fb3
+--- /dev/null
+++ b/tests/general/bug-211.xsl
+@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<xsl:stylesheet version="1.0"
+                xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns:str="http://exslt.org/strings"
+                xmlns:fn="http://exslt.org/functions"
+                xmlns:adoc="http://asciidoc.org/"
+                extension-element-prefixes="fn">
+
+  <fn:function name="adoc:sanitize">
+    <xsl:param name="id"/>
+    <xsl:variable name="tmp" select="str:replace($id, '__', '_')"/>
+    <xsl:choose>
+      <xsl:when test="contains($tmp, '__')">
+        <fn:result select="adoc:sanitize($tmp)"/>
+      </xsl:when>
+      <xsl:otherwise>
+        <fn:result select="$id"/>
+      </xsl:otherwise>
+    </xsl:choose>
+  </fn:function>
+
+  <xsl:template match="*">
+    <xsl:value-of select="adoc:sanitize('________')"/>
+  </xsl:template>
+
+</xsl:stylesheet>
+-- 
+GitLab
+
--- a/SPECS/libxslt.spec
+++ b/SPECS/libxslt.spec
@ -8,7 +8,7 @@
 Name:           libxslt
 Summary:        Library providing the Gnome XSLT engine
 Version:        1.1.32
-Release:        4%{?dist}
+Release:        6.1%{?dist}

 License:        MIT
 URL:            http://xmlsoft.org/XSLT
@ -27,6 +27,16 @@ Patch0:         multilib.patch
 Patch1:         libxslt-1.1.26-utf8-docs.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1765632
 Patch2:         multilib2.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1775517
+Patch3:         libxslt-1.1.32-CVE-2019-18197.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1715732
+Patch4:         libxslt-1.1.32-CVE-2019-11068.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1860467
+Patch5:         libxslt-1.1.32-unexpected-rvt-flag.patch
+# https://issues.redhat.com/browse/RHEL-83506
+Patch6:         libxslt-1.1.32-CVE-2024-55549.patch
+# https://issues.redhat.com/browse/RHEL-83492
+Patch7:         libxslt-1.1.32-CVE-2025-24855.patch

 %description
 This C library allows to transform XML files into other XML files
@ -131,6 +141,17 @@ rm -vrf %{buildroot}%{_docdir}
 %endif # with python2

 %changelog
+* Fri Apr 04 2025 David King <dking@redhat.com> - 1.1.32-6.1
+- Fix CVE-2024-55549 (RHEL-83506)
+- Fix CVE-2025-24855 (RHEL-83492)
+
+* Mon Aug 24 2020 David King <dking@redhat.com> - 1.1.32-6
+- Fix unexpected RVT flag error (#1860467)
+
+* Thu Jan 09 2020 David King <dking@redhat.com> - 1.1.32-5
+- Fix CVE-2019-18197 (#1775517)
+- Fix CVE-2019-11068 (#1715732)
+
 * Thu Jan 09 2020 David King <dking@redhat.com> - 1.1.32-4
 - Fix multilib issues with devel subpackage (#1765632)