diff --git a/f165525fe744e6fe3b377b480d6cc5f9c546d360.patch b/f165525fe744e6fe3b377b480d6cc5f9c546d360.patch
new file mode 100644
index 0000000000000000000000000000000000000000..015550e9e2816e1b00c4cdce561f9904b5835e12
--- /dev/null
+++ b/f165525fe744e6fe3b377b480d6cc5f9c546d360.patch
@@ -0,0 +1,887 @@ +From f165525fe744e6fe3b377b480d6cc5f9c546d360 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sun, 20 Sep 2020 16:59:23 +0200 +Subject: [PATCH] Recreate xsltproc man page with old Docbook stylesheet URL + +Fixes #31. +--- + doc/xsltproc.1 | 627 ++++++++++++----------------------------------- + doc/xsltproc.xml | 2 +- + 2 files changed, 161 insertions(+), 468 deletions(-) + +diff --git a/doc/xsltproc.1 b/doc/xsltproc.1 +index 7393b6db..bbf4098f 100644 +--- a/doc/xsltproc.1 ++++ b/doc/xsltproc.1 +@@ -1,7 +1,7 @@ + '\" t + .\" Title: xsltproc + .\" Author: John Fleck +-.\" Generator: DocBook XSL Stylesheets vsnapshot ++.\" Generator: DocBook XSL Stylesheets v1.79.1 + .\" Date: $Date$ + .\" Manual: xsltproc Manual + .\" Source: libxslt +@@ -27,72 +27,13 @@ + .\" ----------------------------------------------------------------- + .\" * MAIN CONTENT STARTS HERE * + .\" ----------------------------------------------------------------- +- +- +- +- +- + .SH "NAME" + xsltproc \- command line XSLT processor +- + .SH "SYNOPSIS" +- +- .HP \w'\fBxsltproc\fR\ 'u +- +- \fBxsltproc\fR +- [ +- [ +- | \fB\-V\fR +- | \fB\-\-version\fR +- ] +- [ +- | \fB\-v\fR +- | \fB\-\-verbose\fR +- ] +- [ +- { +- | \fB\-o\fR +- | \fB\-\-output\fR +- } +- { +- | \fIFILE\fR +- | \fIDIRECTORY\fR +- } +- ] +- | \fB\-\-timing\fR +- | \fB\-\-repeat\fR +- | \fB\-\-debug\fR +- | \fB\-\-novalid\fR +- | \fB\-\-noout\fR +- | \fB\-\-maxdepth\ \fR\fB\fIVALUE\fR\fR +- | \fB\-\-html\fR +- | \fB\-\-encoding\ \fR\fB\fIENCODING\fR\fR\fB\ \fR +- | \fB\-\-param\ \fR\fB\fIPARAMNAME\fR\fR\fB\ \fR\fB\fIPARAMVALUE\fR\fR\fB\ \fR +- | \fB\-\-stringparam\ \fR\fB\fIPARAMNAME\fR\fR\fB\ \fR\fB\fIPARAMVALUE\fR\fR\fB\ \fR +- | \fB\-\-nonet\fR +- | \fB\-\-path\ "\fR\fB\fIPATH(S)\fR\fR\fB"\fR +- | \fB\-\-load\-trace\fR +- | \fB\-\-catalogs\fR +- | \fB\-\-xinclude\fR +- | [\ |\ \fB\-\-profile\fR\ |\ \fB\-\-norman\fR\ ] +- | \fB\-\-dumpextensions\fR +- | \fB\-\-nowrite\fR +- | \fB\-\-nomkdir\fR +- | 
\fB\-\-writesubtree\ \fR\fB\fIPATH\fR\fR +- | \fB\-\-nodtdattr\fR +- ] +- [\fISTYLESHEET\fR] +- { +- | \fIXML\-FILE\fR... +- | \- +- } +- +- +- ++.HP \w'\fBxsltproc\fR\ 'u ++\fBxsltproc\fR [[\fB\-V\fR | \fB\-\-version\fR] [\fB\-v\fR | \fB\-\-verbose\fR] [{\fB\-o\fR | \fB\-\-output\fR} {\fIFILE\fR | \fIDIRECTORY\fR}] | \fB\-\-timing\fR | \fB\-\-repeat\fR | \fB\-\-debug\fR | \fB\-\-novalid\fR | \fB\-\-noout\fR | \fB\-\-maxdepth\ \fR\fB\fIVALUE\fR\fR | \fB\-\-maxvars\ \fR\fB\fIVALUE\fR\fR | \fB\-\-maxparserdepth\ \fR\fB\fIVALUE\fR\fR | \fB\-\-huge\fR | \fB\-\-seed\-rand\ \fR\fB\fIVALUE\fR\fR | \fB\-\-html\fR | \fB\-\-encoding\ \fR\fB\fIENCODING\fR\fR\fB\ \fR | \fB\-\-param\ \fR\fB\fIPARAMNAME\fR\fR\fB\ \fR\fB\fIPARAMVALUE\fR\fR\fB\ \fR | \fB\-\-stringparam\ \fR\fB\fIPARAMNAME\fR\fR\fB\ \fR\fB\fIPARAMVALUE\fR\fR\fB\ \fR | \fB\-\-nonet\fR | \fB\-\-path\ "\fR\fB\fIPATH(S)\fR\fR\fB"\fR | \fB\-\-load\-trace\fR | \fB\-\-catalogs\fR | \fB\-\-xinclude\fR | \fB\-\-xincludestyle\fR | [\fB\-\-profile\fR\ |\ \fB\-\-norman\fR] | \fB\-\-dumpextensions\fR | \fB\-\-nowrite\fR | \fB\-\-nomkdir\fR | \fB\-\-writesubtree\ \fR\fB\fIPATH\fR\fR | \fB\-\-nodtdattr\fR] [\fISTYLESHEET\fR] {\fIXML\-FILE\fR... | \-} + .SH "DESCRIPTION" +- +- +- .PP ++.PP + \fBxsltproc\fR + is a command line tool for applying + XSLT +@@ -100,46 +41,32 @@ stylesheets to + XML + documents\&. It is part of + \fBlibxslt\fR(3), the XSLT C library for GNOME\&. While it was developed as part of the GNOME project, it can operate independently of the GNOME desktop\&. +- +- .PP ++.PP + \fBxsltproc\fR + is invoked from the command line with the name of the stylesheet to be used followed by the name of the file or files to which the stylesheet is to be applied\&. It will use the standard input if a filename provided is + \fB\-\fR + \&. +- +- .PP ++.PP + If a stylesheet is included in an + XML + document with a Stylesheet Processing Instruction, no stylesheet need to be named at the command line\&. 
+ \fBxsltproc\fR + will automatically detect the included stylesheet and use it\&. +- +- .PP ++.PP + By default, output is to + stdout\&. You can specify a file for output using the + \fB\-o\fR + or + \fB\-\-output\fR + option\&. +- +- + .SH "OPTIONS" +- +- +- .PP ++.PP + \fBxsltproc\fR + accepts the following options (in alphabetical order): +- +- +- +- +- .PP ++.PP + \fB\-\-catalogs\fR + .RS 4 +- +- +- +- Use the ++Use the + SGML + catalog specified in + \fBSGML_CATALOG_FILES\fR +@@ -148,154 +75,101 @@ to resolve the location of external entities\&. By default, + looks for the catalog specified in + \fBXML_CATALOG_FILES\fR\&. If that is not specified, it uses + /etc/xml/catalog\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-debug\fR + .RS 4 +- +- +- +- Output an ++Output an + XML + tree of the transformed document for debugging purposes\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-dumpextensions\fR + .RS 4 +- +- +- +- Dumps the list of all registered extensions on ++Dumps the list of all registered extensions on + stdout\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-html\fR + .RS 4 +- +- +- +- The input document is an ++The input document is an + HTML + file\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-load\-trace\fR + .RS 4 +- +- +- +- Display all the documents loaded during the processing to ++Display all the documents loaded during the processing to + stderr\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-maxdepth \fR\fB\fIVALUE\fR\fR + .RS 4 +- +- +- +- Adjust the maximum depth of the template stack before ++Adjust the maximum depth of the template stack before + \fBlibxslt\fR(3) + concludes it is in an infinite loop\&. The default is 3000\&. +- +- +- .RE +- +- .PP ++.RE ++.PP ++\fB\-\-maxvars \fR\fB\fIVALUE\fR\fR ++.RS 4 ++Maximum number of variables\&. The default is 15000\&. ++.RE ++.PP ++\fB\-\-maxparserdepth \fR\fB\fIVALUE\fR\fR ++.RS 4 ++Maximum element nesting level of parsed XML documents\&. The default is 256\&. 
++.RE ++.PP ++\fB\-\-huge\fR ++.RS 4 ++Relax hardcoded limits of the XML parser by setting the XML_PARSE_HUGE parser option\&. ++.RE ++.PP ++\fB\-\-seed\-rand \fR\fB\fIVALUE\fR\fR ++.RS 4 ++Initialize pseudo random number generator with specific seed\&. ++.RE ++.PP + \fB\-\-nodtdattr\fR + .RS 4 +- +- +- +- Do not apply default attributes from the document\*(Aqs ++Do not apply default attributes from the document\*(Aqs + DTD\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-nomkdir\fR + .RS 4 +- +- +- +- Refuses to create directories\&. +- +- +- .RE +- +- .PP ++Refuses to create directories\&. ++.RE ++.PP + \fB\-\-nonet\fR + .RS 4 +- +- +- +- Do not use the Internet to fetch ++Do not use the Internet to fetch + DTDs, entities or documents\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-noout\fR + .RS 4 +- +- +- +- Do not output the result\&. +- +- +- .RE +- +- .PP ++Do not output the result\&. ++.RE ++.PP + \fB\-\-novalid\fR + .RS 4 +- +- +- +- Skip loading the document\*(Aqs ++Skip loading the document\*(Aqs + DTD\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-nowrite\fR + .RS 4 +- +- +- +- Refuses to write to any file or resource\&. +- +- +- .RE +- +- .PP ++Refuses to write to any file or resource\&. ++.RE ++.PP + \fB\-o\fR or \fB\-\-output\fR \fIFILE\fR | \fIDIRECTORY\fR + .RS 4 +- +- +- +- Direct output to the given ++Direct output to the given + \fIFILE\fR\&. Using the option with a + \fIDIRECTORY\fR + directs the output files to the specified directory\&. This can be useful for multiple outputs (also known as "chunking") or manpage processing\&. +- +- .if n \{\ ++.if n \{\ + .sp + .\} + .RS 4 +@@ -307,14 +181,12 @@ directs the output files to the specified directory\&. This can be useful for mu + \fBImportant\fR + .ps -1 + .br +- +- The given directory ++The given directory + \fBmust\fR + already exist\&. +- +- .sp .5v ++.sp .5v + .RE +- .if n \{\ ++.if n \{\ + .sp + .\} + .RS 4 +@@ -326,8 +198,7 @@ already exist\&. 
+ \fBNote\fR + .ps -1 + .br +- +- Make sure that ++Make sure that + \fIFILE\fR + and + \fIDIRECTORY\fR +@@ -338,82 +209,47 @@ as described in RFC 2396 and laters\&. This means, that e\&.g\&. + will maybe not work, but + \fB\-o directory/\fR + will\&. +- +- .sp .5v ++.sp .5v + .RE +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-encoding \fR\fB\fIENCODING\fR\fR + .RS 4 +- +- +- +- Allow to specify the encoding for the input\&. +- +- +- .RE +- .PP ++Allow to specify the encoding for the input\&. ++.RE ++.PP + \fB\-\-param \fR\fB\fIPARAMNAME\fR\fR\fB \fR\fB\fIPARAMVALUE\fR\fR + .RS 4 +- +- +- +- Pass a parameter of name ++Pass a parameter of name + \fIPARAMNAME\fR + and value + \fIPARAMVALUE\fR + to the stylesheet\&. You may pass multiple name/value pairs up to a maximum of 32\&. If the value being passed is a string, you can use + \fB\-\-stringparam\fR + instead, to avoid additional quote characters that appear in string expressions\&. Note: the XPath expression must be UTF\-8 encoded\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-path "\fR\fB\fIPATH(S)\fR\fR\fB"\fR + .RS 4 +- +- +- +- Use the (space\- or colon\-separated) list of filesystem paths specified by ++Use the (space\- or colon\-separated) list of filesystem paths specified by + \fIPATHS\fR + to load + DTDs, entities or documents\&. Enclose space\-separated lists by quotation marks\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-profile\fR or \fB\-\-norman\fR + .RS 4 +- +- +- +- Output profiling information detailing the amount of time spent in each part of the stylesheet\&. This is useful in optimizing stylesheet performance\&. +- +- +- .RE +- +- .PP ++Output profiling information detailing the amount of time spent in each part of the stylesheet\&. This is useful in optimizing stylesheet performance\&. ++.RE ++.PP + \fB\-\-repeat\fR + .RS 4 +- +- +- +- Run the transformation 20 times\&. Used for timing tests\&. +- +- +- .RE +- +- .PP ++Run the transformation 20 times\&. Used for timing tests\&. 
++.RE ++.PP + \fB\-\-stringparam \fR\fB\fIPARAMNAME\fR\fR\fB \fR\fB\fIPARAMVALUE\fR\fR + .RS 4 +- +- +- +- Pass a parameter of name ++Pass a parameter of name + \fIPARAMNAME\fR + and value + \fIPARAMVALUE\fR +@@ -422,268 +258,136 @@ where + is a string rather than a node identifier\&. + \fBNote:\fR + The string must be UTF\-8 encoded\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-timing\fR + .RS 4 +- +- +- +- Display the time used for parsing the stylesheet, parsing the document and applying the stylesheet and saving the result\&. Displayed in milliseconds\&. +- +- +- .RE +- +- .PP ++Display the time used for parsing the stylesheet, parsing the document and applying the stylesheet and saving the result\&. Displayed in milliseconds\&. ++.RE ++.PP + \fB\-v\fR or \fB\-\-verbose\fR + .RS 4 +- +- +- +- Output each step taken by ++Output each step taken by + \fBxsltproc\fR + in processing the stylesheet and the document\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-V\fR or \fB\-\-version\fR + .RS 4 +- +- +- +- Show the version of ++Show the version of + \fBlibxml\fR(3) + and + \fBlibxslt\fR(3) + used\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-writesubtree \fR\fB\fIPATH\fR\fR + .RS 4 +- +- +- +- Allow file write only within the ++Allow file write only within the + \fIPATH\fR + subtree\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fB\-\-xinclude\fR + .RS 4 +- +- +- +- Process the input document using the XInclude specification\&. More details on this can be found in the XInclude specification: ++Process the input document using the XInclude specification\&. More details on this can be found in the XInclude specification: + \m[blue]\fB\%http://www.w3.org/TR/xinclude/\fR\m[] +- +- +- .RE +- +- +- ++.RE ++.PP ++\fB\-\-xincludestyle\fR ++.RS 4 ++Process the stylesheet with XInclude\&. 
++.RE + .SH "ENVIRONMENT" +- +- +- +- +- +- .PP ++.PP + \fBSGML_CATALOG_FILES\fR + .RS 4 +- +- +- +- SGML ++SGML + catalog behavior can be changed by redirecting queries to the user\*(Aqs own set of catalogs\&. This can be done by setting the + \fBSGML_CATALOG_FILES\fR + environment variable to a list of catalogs\&. An empty one should deactivate loading the default + /etc/sgml/catalog + catalog\&. +- +- +- .RE +- +- .PP ++.RE ++.PP + \fBXML_CATALOG_FILES\fR + .RS 4 +- +- +- +- XML ++XML + catalog behavior can be changed by redirecting queries to the user\*(Aqs own set of catalogs\&. This can be done by setting the + \fBXML_CATALOG_FILES\fR + environment variable to a list of catalogs\&. An empty one should deactivate loading the default + /etc/xml/catalog + catalog\&. +- +- +- .RE +- +- +- ++.RE + .SH "DIAGNOSTICS" +- +- +- .PP ++.PP + \fBxsltproc\fR + return codes provide information that can be used when calling it from scripts\&. +- +- +- +- +- .PP ++.PP + \fB0\fR + .RS 4 +- +- +- +- No error (normal operation) +- +- +- .RE +- +- .PP ++No error (normal operation) ++.RE ++.PP + \fB1\fR + .RS 4 +- +- +- +- No argument +- +- +- .RE +- +- .PP ++No argument ++.RE ++.PP + \fB2\fR + .RS 4 +- +- +- +- Too many parameters +- +- +- .RE +- +- .PP ++Too many parameters ++.RE ++.PP + \fB3\fR + .RS 4 +- +- +- +- Unknown option +- +- +- .RE +- +- .PP ++Unknown option ++.RE ++.PP + \fB4\fR + .RS 4 +- +- +- +- Failed to parse the stylesheet +- +- +- .RE +- +- .PP ++Failed to parse the stylesheet ++.RE ++.PP + \fB5\fR + .RS 4 +- +- +- +- Error in the stylesheet +- +- +- .RE +- +- .PP ++Error in the stylesheet ++.RE ++.PP + \fB6\fR + .RS 4 +- +- +- +- Error in one of the documents +- +- +- .RE +- +- .PP ++Error in one of the documents ++.RE ++.PP + \fB7\fR + .RS 4 +- +- +- +- Unsupported xsl:output method +- +- +- .RE +- +- .PP ++Unsupported xsl:output method ++.RE ++.PP + \fB8\fR + .RS 4 +- +- +- +- String parameter contains both quote and double\-quotes +- +- +- .RE +- +- .PP 
++String parameter contains both quote and double\-quotes ++.RE ++.PP + \fB9\fR + .RS 4 +- +- +- +- Internal processing error +- +- +- .RE +- +- .PP ++Internal processing error ++.RE ++.PP + \fB10\fR + .RS 4 +- +- +- +- Processing was stopped by a terminating message +- +- +- .RE +- +- .PP ++Processing was stopped by a terminating message ++.RE ++.PP + \fB11\fR + .RS 4 +- +- +- +- Could not write the result to the output file +- +- +- .RE +- +- +- ++Could not write the result to the output file ++.RE + .SH "SEE ALSO" +- +- +- .PP ++.PP + \fBlibxml\fR(3), + \fBlibxslt\fR(3) +- +- .PP ++.PP + More information can be found at + .sp + .RS 4 +@@ -694,12 +398,10 @@ More information can be found at + .sp -1 + .IP \(bu 2.3 + .\} +- +- \fBlibxml\fR(3) ++\fBlibxml\fR(3) + web page + \m[blue]\fB\%http://www.xmlsoft.org/\fR\m[] +- +- .RE ++.RE + .sp + .RS 4 + .ie n \{\ +@@ -709,24 +411,15 @@ web page + .sp -1 + .IP \(bu 2.3 + .\} +- +- W3C ++W3C + XSLT + page + \m[blue]\fB\%http://www.w3.org/TR/xslt\fR\m[] +- +- .RE ++.RE + .sp +- +- +- + .SH "AUTHOR" + .PP + \fBJohn Fleck\fR <\&jfleck@inkstain\&.net\&> +-.br +- +- +- + .RS 4 + Author. + .RE +diff --git a/doc/xsltproc.xml b/doc/xsltproc.xml +index 8b78693e..051cbc01 100644 +--- a/doc/xsltproc.xml ++++ b/doc/xsltproc.xml +@@ -1,6 +1,6 @@ + + ++ href="http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl"?> + +Date: Tue, 21 Mar 2023 12:19:50 +0100 +Subject: [PATCH 1/2] malloc-fail: Fix memory leak in exclPrefixPush + +Found by OSS-Fuzz, see #84. 
+--- + libxslt/xslt.c | 24 ++++++++---------------- + 1 file changed, 8 insertions(+), 16 deletions(-) + +diff --git a/libxslt/xslt.c b/libxslt/xslt.c +index 7a1ce011..6d4126a1 100644 +--- a/libxslt/xslt.c ++++ b/libxslt/xslt.c +@@ -157,31 +157,23 @@ exclPrefixPush(xsltStylesheetPtr style, xmlChar * value) + { + int i; + +- if (style->exclPrefixMax == 0) { +- style->exclPrefixMax = 4; +- style->exclPrefixTab = +- (xmlChar * *)xmlMalloc(style->exclPrefixMax * +- sizeof(style->exclPrefixTab[0])); +- if (style->exclPrefixTab == NULL) { +- xmlGenericError(xmlGenericErrorContext, "malloc failed !\n"); +- return (-1); +- } +- } + /* do not push duplicates */ + for (i = 0;i < style->exclPrefixNr;i++) { + if (xmlStrEqual(style->exclPrefixTab[i], value)) + return(-1); + } + if (style->exclPrefixNr >= style->exclPrefixMax) { +- style->exclPrefixMax *= 2; +- style->exclPrefixTab = +- (xmlChar * *)xmlRealloc(style->exclPrefixTab, +- style->exclPrefixMax * +- sizeof(style->exclPrefixTab[0])); +- if (style->exclPrefixTab == NULL) { ++ xmlChar **tmp; ++ size_t max = style->exclPrefixMax ? style->exclPrefixMax * 2 : 4; ++ ++ tmp = xmlRealloc(style->exclPrefixTab, ++ max * sizeof(style->exclPrefixTab[0])); ++ if (tmp == NULL) { + xmlGenericError(xmlGenericErrorContext, "realloc failed !\n"); + return (-1); + } ++ style->exclPrefixTab = tmp; ++ style->exclPrefixMax = max; + } + style->exclPrefixTab[style->exclPrefixNr] = value; + style->exclPrefix = value; +-- +2.49.0 + + +From 43c2b70b12717940ff9141c3bc2dc7f3a49df2b5 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 5 Dec 2024 12:43:19 +0100 +Subject: [PATCH 2/2] [CVE-2024-55549] Fix UAF related to excluded namespaces + +Definitions of excluded namespaces could be deleted in +xsltParseTemplateContent. Store excluded namespace URIs in the +stylesheet's dictionary instead of referencing the namespace definition. + +Thanks to Ivan Fratric for the report! + +Fixes #127. 
+---
+ libxslt/xslt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 6d4126a1..11681a13 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
+ * in case of error
+ */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
++exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
++ xmlChar *value;
+ int i;
+
++ /*
++ * orig can come from a namespace definition on a node which
++ * could be deleted later, for example in xsltParseTemplateContent.
++ * Store the string in stylesheet's dict to avoid use after free.
++ */
++ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
++ if (value == NULL)
++ return(-1);
++
+ /* do not push duplicates */
+ for (i = 0;i < style->exclPrefixNr;i++) {
+ if (xmlStrEqual(style->exclPrefixTab[i], value))
+--
+2.49.0
+
diff --git a/libxslt-1.1.34-CVE-2025-24855.patch b/libxslt-1.1.34-CVE-2025-24855.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4025672c3cc721fd941ce105ed241eb55d2d2607
--- /dev/null
+++ b/libxslt-1.1.34-CVE-2025-24855.patch
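Review bot: The spec changed in this same diff lists `Patch3: libxslt-1.1.34-CVE-2024-55549.patch`, yet the exclPrefixPush fix for CVE-2024-55549 (the `xmlDictLookup(style->dict, orig, -1)` change at the end of this file) is already the last commit bundled here, and no file of that Patch3 name is added by the diff; if a separate file with the same commit exists, the second application fails in %prep, and if it does not exist the build fails before that. The file also carries an unrelated 600-line regeneration of doc/xsltproc.1 under a name that is only the first commit's hash, which hides the security fix from anyone scanning the patch list. In this rendering the `From <sha>` mail header of the second bundled commit (the malloc-fail realloc change) is not visible after the xsltproc.xml hunk; worth checking the file itself, since `git am`-style tooling depends on it even though patch(1) does not. Splitting this into one patch per upstream commit, named by CVE where one applies, would make the backport auditable.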
@@ -0,0 +1,130 @@ +From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 17 Dec 2024 15:56:21 +0100 +Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node + +There are several places where the XPath context node isn't restored +after modifying it, leading to use-after-free errors with nested XPath +evaluations and dynamically allocated context nodes. + +Restore XPath context node in + +- xsltNumberFormatGetValue +- xsltEvalXPathPredicate +- xsltEvalXPathStringNs +- xsltComputeSortResultInternal + +In some places, the transformation context node was saved and restored +which shouldn't be necessary. + +Thanks to Ivan Fratric for the report! + +Fixes #128. +--- + libxslt/numbers.c | 5 +++++ + libxslt/templates.c | 9 ++++++--- + libxslt/xsltutils.c | 4 ++-- + 3 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/libxslt/numbers.c b/libxslt/numbers.c +index 0e1fa136..741124d1 100644 +--- a/libxslt/numbers.c ++++ b/libxslt/numbers.c +@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context, + int amount = 0; + xmlBufferPtr pattern; + xmlXPathObjectPtr obj; ++ xmlNodePtr oldNode; + + pattern = xmlBufferCreate(); + if (pattern != NULL) { ++ oldNode = context->node; ++ + xmlBufferCCat(pattern, "number("); + xmlBufferCat(pattern, value); + xmlBufferCCat(pattern, ")"); +@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context, + xmlXPathFreeObject(obj); + } + xmlBufferFree(pattern); ++ ++ context->node = oldNode; + } + return amount; + } +diff --git a/libxslt/templates.c b/libxslt/templates.c +index f08b9bda..1c8d96e2 100644 +--- a/libxslt/templates.c ++++ b/libxslt/templates.c +@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp, + int oldNsNr; + xmlNsPtr *oldNamespaces; + xmlNodePtr oldInst; ++ xmlNodePtr oldNode; + int oldProximityPosition, oldContextSize; + + if ((ctxt == NULL) || (ctxt->inst == NULL)) { +@@ -69,6 
+70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp, + return(0); + } + ++ oldNode = ctxt->xpathCtxt->node; + oldContextSize = ctxt->xpathCtxt->contextSize; + oldProximityPosition = ctxt->xpathCtxt->proximityPosition; + oldNsNr = ctxt->xpathCtxt->nsNr; +@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp, + ctxt->state = XSLT_STATE_STOPPED; + ret = 0; + } +- ctxt->xpathCtxt->nsNr = oldNsNr; + ++ ctxt->xpathCtxt->node = oldNode; ++ ctxt->xpathCtxt->nsNr = oldNsNr; + ctxt->xpathCtxt->namespaces = oldNamespaces; + ctxt->inst = oldInst; + ctxt->xpathCtxt->contextSize = oldContextSize; +@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp, + } + + oldInst = ctxt->inst; +- oldNode = ctxt->node; ++ oldNode = ctxt->xpathCtxt->node; + oldPos = ctxt->xpathCtxt->proximityPosition; + oldSize = ctxt->xpathCtxt->contextSize; + oldNsNr = ctxt->xpathCtxt->nsNr; +@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp, + "xsltEvalXPathString: returns %s\n", ret)); + #endif + ctxt->inst = oldInst; +- ctxt->node = oldNode; ++ ctxt->xpathCtxt->node = oldNode; + ctxt->xpathCtxt->contextSize = oldSize; + ctxt->xpathCtxt->proximityPosition = oldPos; + ctxt->xpathCtxt->nsNr = oldNsNr; +diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c +index 0e9dc62f..a20da961 100644 +--- a/libxslt/xsltutils.c ++++ b/libxslt/xsltutils.c +@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort, + return(NULL); + } + +- oldNode = ctxt->node; + oldInst = ctxt->inst; ++ oldNode = ctxt->xpathCtxt->node; + oldPos = ctxt->xpathCtxt->proximityPosition; + oldSize = ctxt->xpathCtxt->contextSize; + oldNsNr = ctxt->xpathCtxt->nsNr; +@@ -1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort, + results[i] = NULL; + } + } +- ctxt->node = oldNode; + ctxt->inst = oldInst; ++ 
ctxt->xpathCtxt->node = oldNode;
+ ctxt->xpathCtxt->contextSize = oldSize;
+ ctxt->xpathCtxt->proximityPosition = oldPos;
+ ctxt->xpathCtxt->nsNr = oldNsNr;
+--
+GitLab
+
diff --git a/libxslt-1.1.34-test-fuzz-build.patch b/libxslt-1.1.34-test-fuzz-build.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b2fa73f924da299d608d7453f830850bfc422568
--- /dev/null
+++ b/libxslt-1.1.34-test-fuzz-build.patch
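Review bot: In xsltEvalXPathStringNs and xsltComputeSortResultInternal the save/restore of `ctxt->node` is swapped for `ctxt->xpathCtxt->node`, but nothing in the code records why the transformation context node no longer needs restoring, and both function bodies continue outside their hunks. A one-line comment next to each new `oldNode = ctxt->xpathCtxt->node;` would carry that: `/* Only the XPath context node is reassigned below; it must be restored on every exit path (CVE-2025-24855). */`. In xsltEvalXPathPredicate the restore `ctxt->xpathCtxt->node = oldNode;` sits after the error branch that sets `ctxt->state = XSLT_STATE_STOPPED`, so any early `return` added later between the save and that block would reintroduce the dangling node; the same comment there makes the invariant explicit to future editors.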
@@ -0,0 +1,151 @@ +From 9ae2f94df1721e002941b40665efb762aefcea1a Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 17 Aug 2020 03:42:11 +0200 +Subject: [PATCH 1/3] Stop using maxParserDepth XPath limit + +This will be removed again from libxml2. +--- + tests/fuzz/fuzz.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c +index f502ca2c..75234ad6 100644 +--- a/tests/fuzz/fuzz.c ++++ b/tests/fuzz/fuzz.c +@@ -183,8 +183,7 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p, + xpctxt = tctxt->xpathCtxt; + + /* Resource limits to avoid timeouts and call stack overflows */ +- xpctxt->maxParserDepth = 15; +- xpctxt->maxDepth = 100; ++ xpctxt->maxDepth = 500; + xpctxt->opLimit = 500000; + + /* Test namespaces used in xpath.xml */ +@@ -317,8 +316,7 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p, + + static void + xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) { +- ctxt->maxParserDepth = 15; +- ctxt->maxDepth = 100; ++ ctxt->maxDepth = 200; + ctxt->opLimit = 100000; + } + +-- +2.34.1 + + +From 824657768aea2cce9c23e72ba8085cb5e44350c7 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 17 Aug 2020 04:27:13 +0200 +Subject: [PATCH 2/3] Transfer XPath limits to XPtr context + +Expressions like document('doc.xml#xpointer(evil_expr)') ignored the +XPath limits. 
+--- + libxslt/functions.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/libxslt/functions.c b/libxslt/functions.c +index b350545a..975ea790 100644 +--- a/libxslt/functions.c ++++ b/libxslt/functions.c +@@ -178,10 +178,22 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI) + goto out_fragment; + } + ++#if LIBXML_VERSION >= 20911 || \ ++ defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) ++ xptrctxt->opLimit = ctxt->context->opLimit; ++ xptrctxt->opCount = ctxt->context->opCount; ++ xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth; ++ ++ resObj = xmlXPtrEval(fragment, xptrctxt); ++ ++ ctxt->context->opCount = xptrctxt->opCount; ++#else + resObj = xmlXPtrEval(fragment, xptrctxt); +- xmlXPathFreeContext(xptrctxt); + #endif + ++ xmlXPathFreeContext(xptrctxt); ++#endif /* LIBXML_XPTR_ENABLED */ ++ + if (resObj == NULL) + goto out_fragment; + +-- +2.34.1 + + +From 77c26bad0433541f486b1e7ced44ca9979376908 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Wed, 26 Aug 2020 00:34:38 +0200 +Subject: [PATCH 3/3] Don't set maxDepth in XPath contexts + +The maximum recursion depth is hardcoded in libxml2 now. 
+--- + libxslt/functions.c | 2 +- + tests/fuzz/fuzz.c | 11 ++--------- + 2 files changed, 3 insertions(+), 10 deletions(-) + +diff --git a/libxslt/functions.c b/libxslt/functions.c +index 975ea790..7887dda7 100644 +--- a/libxslt/functions.c ++++ b/libxslt/functions.c +@@ -182,7 +182,7 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI) + defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) + xptrctxt->opLimit = ctxt->context->opLimit; + xptrctxt->opCount = ctxt->context->opCount; +- xptrctxt->maxDepth = ctxt->context->maxDepth - ctxt->context->depth; ++ xptrctxt->depth = ctxt->context->depth; + + resObj = xmlXPtrEval(fragment, xptrctxt); + +diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c +index 75234ad6..780c2d41 100644 +--- a/tests/fuzz/fuzz.c ++++ b/tests/fuzz/fuzz.c +@@ -183,7 +183,6 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p, + xpctxt = tctxt->xpathCtxt; + + /* Resource limits to avoid timeouts and call stack overflows */ +- xpctxt->maxDepth = 500; + xpctxt->opLimit = 500000; + + /* Test namespaces used in xpath.xml */ +@@ -314,12 +313,6 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p, + return 0; + } + +-static void +-xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) { +- ctxt->maxDepth = 200; +- ctxt->opLimit = 100000; +-} +- + xmlChar * + xsltFuzzXslt(const char *data, size_t size) { + xmlDocPtr xsltDoc; +@@ -349,7 +342,7 @@ xsltFuzzXslt(const char *data, size_t size) { + xmlFreeDoc(xsltDoc); + return NULL; + } +- xsltSetXPathResourceLimits(sheet->xpathCtxt); ++ sheet->xpathCtxt->opLimit = 100000; + sheet->xpathCtxt->opCount = 0; + if (xsltParseStylesheetUser(sheet, xsltDoc) != 0) { + xsltFreeStylesheet(sheet); +@@ -361,7 +354,7 @@ xsltFuzzXslt(const char *data, size_t size) { + xsltSetCtxtSecurityPrefs(sec, ctxt); + ctxt->maxTemplateDepth = 100; + ctxt->opLimit = 20000; +- xsltSetXPathResourceLimits(ctxt->xpathCtxt); ++ ctxt->xpathCtxt->opLimit = 100000; + ctxt->xpathCtxt->opCount = 
sheet->xpathCtxt->opCount; + + result = xsltApplyStylesheetUser(sheet, doc, NULL, NULL, NULL, ctxt); +-- +2.34.1 + diff --git a/libxslt-1.1.34-tutorial2-dtd.patch b/libxslt-1.1.34-tutorial2-dtd.patch new file mode 100644 index 0000000000000000000000000000000000000000..4a12a174e732f7168f66ba19790054236fac514b --- /dev/null +++ b/libxslt-1.1.34-tutorial2-dtd.patch @@ -0,0 +1,63 @@ +From 461af8b9ed05cae188b24db71949a9e7758693e7 Mon Sep 17 00:00:00 2001 +From: David King +Date: Thu, 27 Jan 2022 15:33:17 +0000 +Subject: [PATCH 1/2] Use DocBook URL for tutorial DTD + +--- + doc/tutorial2/libxslt_pipes.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/doc/tutorial2/libxslt_pipes.xml b/doc/tutorial2/libxslt_pipes.xml +index 9a672a9b..2aaac95f 100644 +--- a/doc/tutorial2/libxslt_pipes.xml ++++ b/doc/tutorial2/libxslt_pipes.xml +@@ -1,6 +1,6 @@ + +- ++ + +
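Review bot: The transfer of `opLimit`, `opCount` and `depth` to the XPointer context in xsltDocumentFunctionLoadDocument is compiled only under `LIBXML_VERSION >= 20911` or the fuzzing macro; on the `#else` path `xmlXPtrEval(fragment, xptrctxt)` still runs with a fresh context that carries no limits, so the bypass the commit message describes for `document('doc.xml#xpointer(...)')` remains for builds against older libxml2. Which libxml2 this package builds against is not visible here; a comment on the `#else` branch, `/* libxml2 < 2.9.11: XPath limits are not propagated to the XPointer context */`, would at least make the gap visible to whoever builds it. The function's prologue and epilogue, including where `xptrctxt` is created, are outside the hunk.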
+ +-- +2.34.1 + + +From 634065b39285841eef7dab5bfb2a8ac71b0a5d05 Mon Sep 17 00:00:00 2001 +From: David King +Date: Fri, 28 Jan 2022 09:35:03 +0000 +Subject: [PATCH 2/2] Fix validity of tutorial XML + +Move the title element before articleinfo. + +https://tdg.docbook.org/tdg/4.5/article.html +--- + doc/tutorial2/libxslt_pipes.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/doc/tutorial2/libxslt_pipes.xml b/doc/tutorial2/libxslt_pipes.xml +index 2aaac95f..f6fa0d64 100644 +--- a/doc/tutorial2/libxslt_pipes.xml ++++ b/doc/tutorial2/libxslt_pipes.xml +@@ -3,6 +3,8 @@ + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +
++libxslt: An Extended Tutorial ++ + + PanosLouridas + +@@ -34,8 +36,6 @@ + + + +-libxslt: An Extended Tutorial +- + Introduction + + The Extensible Stylesheet Language Transformations (XSLT) +-- +2.34.1 + diff --git a/libxslt-1.1.34.tar.gz b/libxslt-1.1.34.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..eaed24958866a93f08e254659ec53b34244eac77 Binary files /dev/null and b/libxslt-1.1.34.tar.gz differ diff --git a/libxslt.spec b/libxslt.spec index 2c84f13284402d2a72e59c030b6d325aaf7b2537..a2d62a38864babefb74819c2d24ea0caafd7f88d 100644 --- a/libxslt.spec +++ b/libxslt.spec @@ -1,12 +1,18 @@ -%define anolis_release 1 +%define anolis_release 2 Name: libxslt Summary: Library providing the Gnome XSLT engine -Version: 1.1.43 +Version: 1.1.43 Release: %{anolis_release}%{?dist} License: MIT URL: https://gitlab.gnome.org/GNOME/libxslt -Source0: https://download.gnome.org/sources/%{name}/1.1/%{name}-%{version}.tar.xz +Source0: ftp://xmlsoft.org/XSLT/libxslt-1.1.34.tar.gz +Patch1: f165525fe744e6fe3b377b480d6cc5f9c546d360.patch +Patch2: libxslt-1.1.34-test-fuzz-build.patch +Patch3: libxslt-1.1.34-CVE-2024-55549.patch +Patch4: multilib.patch +Patch5: libxslt-1.1.34-tutorial2-dtd.patch +Patch6: libxslt-1.1.34-CVE-2025-24855.patch Provides: xsltproc = %{version}-%{release} @@ -41,6 +47,9 @@ developing applications that use %{name}. Summary: Python 3 bindings for %{name} BuildRequires: python3-devel BuildRequires: python3-libxml2 +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool Requires: %{name} = %{version}-%{release} Requires: python3-libxml2 %{?python_provide:%python_provide python3-%{name}} 
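Review bot: `Source0` now points at `ftp://xmlsoft.org/XSLT/libxslt-1.1.34.tar.gz` while `Version:` stays `1.1.43`, so the built RPM advertises 1.1.43 but contains 1.1.34 sources plus six backports; every upstream fix between those releases that is not among Patch1–Patch6 is silently dropped, and version-based vulnerability matching will report the package as fixed for all of them. The tarball is fetched over plain FTP instead of the previous HTTPS URL and is committed as a binary blob with no recorded checksum, so nothing in the repository ties it to the upstream release. Either restore `Source0: https://download.gnome.org/sources/%{name}/1.1/%{name}-%{version}.tar.xz` or, if 1.1.34 is really intended, set `Version: 1.1.34` and add a checksum the build verifies; the changelog hunk at `@@ -115,6 +124,13 @@` describes only the backports and should state the source change too. %prep is not in this diff, so whether the new Patch1–Patch6 lines are applied at all cannot be confirmed here.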
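Review bot: `BuildRequires: autoconf`, `automake` and `libtool` are added inside the `%package python3` stanza, between its `BuildRequires: python3-libxml2` and `Requires:` lines; rpm treats them as global either way, but a reader looks for toolchain requirements in the main preamble, and nothing in the diff shows the `%build` step that would need them for the 1.1.34 tarball. Move them next to the main package's BuildRequires and, if an autoreconf step is what needs them, add a one-line comment saying so.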
@@ -115,6 +124,13 @@ rm -vrf %{buildroot}%{_docdir} %{abidir}/libxsltmod.dump %changelog +* Thu Sep 18 2025 wenyuzifang - 1.1.43-2 +- Ensure consistent man page formatting by using a stable DocBook stylesheet URL. +- Apply patch to enforce resource limits consistently and prevent denial-of-service via XPath expressions. +- Apply patch to fix memory leaks and prevent use-after-free vulnerabilities in libxslt. +- Ensure correct library path detection on 64-bit systems to avoid linking errors. +- Ensure documentation portability and validity by using standard DTD URLs and correct element ordering. +- Apply patch to prevent use-after-free crashes and enhance security during XPath evaluations. * Thu May 15 2025 wenxin - 1.1.43-1 - update to 1.1.43 @@ -133,4 +149,3 @@ rm -vrf %{buildroot}%{_docdir} * Thu Apr 07 2022 mgb01105731 - 1.1.35-1 - Init from upstream version 1.1.35 - diff --git a/multilib.patch b/multilib.patch new file mode 100644 index 0000000000000000000000000000000000000000..94715d24250d990db80c506b358e3339cd092538 --- /dev/null +++ b/multilib.patch @@ -0,0 +1,24 @@ +*** XSLT/xslt-config.in.orig 2006-06-06 17:32:23.000000000 +0200 +--- XSLT/xslt-config.in 2006-06-06 17:32:48.000000000 +0200 +*************** +*** 4,10 **** + exec_prefix=@exec_prefix@ + exec_prefix_set=no + includedir=@includedir@ +! libdir=@libdir@ + + usage() + { +--- 4,15 ---- + exec_prefix=@exec_prefix@ + exec_prefix_set=no + includedir=@includedir@ +! if [ "`ldd /bin/sh | grep lib64`" = "" ] +! then +! libdir=${exec_prefix}/lib +! else +! libdir=${exec_prefix}/lib64 +! fi + + usage() + {
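Review bot: The patched xslt-config.in replaces the configure-time `libdir=@libdir@` with a runtime guess, `ldd /bin/sh | grep lib64`, so `xslt-config --libs` reports `${exec_prefix}/lib64` or `${exec_prefix}/lib` based on the host's shell binary rather than on where this package actually installed libxslt; a 32-bit build on a 64-bit host, a layout with no `lib64` directory, or a shell whose dependency paths happen to contain the string `lib64` all yield the wrong `-L` flag. It also spawns `ldd` on every invocation of a script that build systems call many times. Keeping `libdir=@libdir@` and resolving the multilib file conflict in the spec instead (for example by shipping the script per-arch) keeps the reported path authoritative. The rest of the script is outside the hunk.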