From 1c642fa1f7bb3fe3d84cbee28809a0b1962d2dbc Mon Sep 17 00:00:00 2001
From: zhuhongbo
Date: Tue, 8 Apr 2025 10:00:14 +0800
Subject: [PATCH] fix cve CVE-2024-55549 CVE-2025-2485
---
 0001-fix-cve-CVE-2024-55549.patch | 37 +++++++++++++++
 0002-fix-cve-CVE-2025-24855.patch | 78 +++++++++++++++++++++++++++++++
 libxslt.spec | 9 +++-
 3 files changed, 123 insertions(+), 1 deletion(-)
 create mode 100644 0001-fix-cve-CVE-2024-55549.patch
 create mode 100644 0002-fix-cve-CVE-2025-24855.patch
diff --git a/0001-fix-cve-CVE-2024-55549.patch b/0001-fix-cve-CVE-2024-55549.patch
new file mode 100644
index 0000000..3b80619
--- /dev/null
+++ b/0001-fix-cve-CVE-2024-55549.patch
@@ -0,0 +1,37 @@
+From 3a8bf19d5634319644b79c4eff5f4cb78f12508c Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Tue, 8 Apr 2025 09:53:48 +0800
+Subject: [PATCH] fix cve CVE-2024-55549
+
+---
+ libxslt/xslt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 952ac57..448ea9e 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -152,9 +152,19 @@ xsltParseContentError(xsltStylesheetPtr style,
+ * in case of error
+ */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
++exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
+ int i;
++ xmlChar *value;
++
++ /*
++ * orig can come from a namespace definition on a node which
++ * could be deleted later, for example in xsltParseTemplateContent.
++ * Store the string in stylesheet's dict to avoid use after free.
++ */
++ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
++ if (value == NULL)
++ return(-1);
+
+ if (style->exclPrefixMax == 0) {
+ style->exclPrefixMax = 4;
+--
+2.39.3
+
diff --git a/0002-fix-cve-CVE-2025-24855.patch b/0002-fix-cve-CVE-2025-24855.patch
new file mode 100644
index 0000000..05578ea
--- /dev/null
+++ b/0002-fix-cve-CVE-2025-24855.patch
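Review bot: The new `return(-1)` after `xmlDictLookup` only closes the hole if every caller of exclPrefixPush treats a negative result as a failed push rather than counting it as done; the callers are outside this hunk, so that should be confirmed, as should that `style->dict` is never NULL on the paths that reach this function. The entries in the exclusion table now alias strings owned by `style->dict`, so the pop and stylesheet-free paths (also outside the hunk) must not `xmlFree` them individually and the table must not outlive the dict. That ownership change belongs in the function's header comment, which ends with ` * in case of error` just above the signature; I would add ` * The pushed string is interned in style->dict; table entries are owned by the dict and must not be freed.`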
@@ -0,0 +1,78 @@
+From 5a1613e996901b301972385ac9147b75995a46fd Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Tue, 8 Apr 2025 11:05:41 +0800
+Subject: [PATCH] fix cve CVE-2025-24855
+
+---
+ libxslt/numbers.c | 3 +++
+ libxslt/templates.c | 7 +++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 9cd1cf3..6c9beb6 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -681,9 +681,11 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+ int amount = 0;
+ xmlBufferPtr pattern;
+ xmlXPathObjectPtr obj;
++ xmlNodePtr oldNode;
+
+ pattern = xmlBufferCreate();
+ if (pattern != NULL) {
++ oldNode = context->node;
+ xmlBufferCCat(pattern, "number(");
+ xmlBufferCat(pattern, value);
+ xmlBufferCCat(pattern, ")");
+@@ -696,6 +698,7 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+ xmlXPathFreeObject(obj);
+ }
+ xmlBufferFree(pattern);
++ context->node = oldNode;
+ }
+ return amount;
+ }
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index 02193f7..e3b27be 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
+@@ -61,8 +61,10 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ int oldNsNr;
+ xmlNsPtr *oldNamespaces;
+ xmlNodePtr oldInst;
++ xmlNodePtr oldNode;
+ int oldProximityPosition, oldContextSize;
+
++ oldNode = ctxt->xpathCtxt->node;
+ oldContextSize = ctxt->xpathCtxt->contextSize;
+ oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
+ oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -90,6 +92,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ ctxt->state = XSLT_STATE_STOPPED;
+ ret = 0;
+ }
++ ctxt->xpathCtxt->node = oldNode;
+ ctxt->xpathCtxt->nsNr = oldNsNr;
+
+ ctxt->xpathCtxt->namespaces = oldNamespaces;
+@@ -125,7 +128,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ xmlNsPtr *oldNamespaces;
+
+ oldInst = ctxt->inst;
+- oldNode = ctxt->node;
++ oldNode = 
ctxt->xpathCtxt->node;
+ oldPos = ctxt->xpathCtxt->proximityPosition;
+ oldSize = ctxt->xpathCtxt->contextSize;
+ oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -155,7 +158,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ "xsltEvalXPathString: returns %s\n", ret));
+ #endif
+ ctxt->inst = oldInst;
+- ctxt->node = oldNode;
++ ctxt->xpathCtxt->node = oldNode;
+ ctxt->xpathCtxt->contextSize = oldSize;
+ ctxt->xpathCtxt->proximityPosition = oldPos;
+ ctxt->xpathCtxt->nsNr = oldNsNr;
+--
+2.39.3
+
diff --git a/libxslt.spec b/libxslt.spec
index deb579d..60ae1dd 100644
--- a/libxslt.spec
+++ b/libxslt.spec
@@ -2,7 +2,7 @@ Summary: Library providing the Gnome XSLT engine
 Name: libxslt
 Version: 1.1.28
-Release: 6%{anolis_release}%{?dist}%{?extra_release}
+Release: 8%{anolis_release}%{?dist}%{?extra_release}
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/XSLT/libxslt-%{version}.tar.gz
@@ -20,6 +20,8 @@ Patch1: libxslt-1.1.26-utf8-docs.patch
 Patch2: libxslt-1.1.28-CVE-2019-18197.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1715731
 Patch3: libxslt-1.1.28-CVE-2019-11068.patch
+Patch4: 0001-fix-cve-CVE-2024-55549.patch
+Patch5: 0002-fix-cve-CVE-2025-24855.patch
 %description
 This C library allows to transform XML files into other XML files
@@ -60,6 +62,8 @@ with XPath functions written in Python.
 %patch1 -p1 -b .utf8
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
 # Now fix up the timestamps of patched docs files
 # ChangeLog needs to be retouched before gzip as well
 # since timestamp affects output
@@ -129,6 +133,9 @@ make tests
 %doc python/tests/*.xsl
 %changelog
+* Mon Apr 7 2025 zhuhongbo - 1.1.28-8.0.1
+- cve: fix cve CVE-2024-55549 CVE-2025-24855
+
 * Mon Oct 18 2021 Hang Zhao <1209176326@qq.com> - 1.1.28-6.0.1
 - Replace doc logo with anolis.gif
--
Gitee
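Review bot: In the two xsltEvalXPathStringNs hunks the save/restore target moves from `ctxt->node` to `ctxt->xpathCtxt->node`, so `ctxt->node` is no longer restored on exit; that is only behaviour-preserving if nothing between the save and the restore assigns `ctxt->node`, and since the function body lies outside the hunk that should be checked against the full function before this backport ships. In numbers.c the new `xmlNodePtr oldNode;` is assigned and read only inside the `if (pattern != NULL)` block, so it is never used uninitialised, but writing `xmlNodePtr oldNode = NULL;` makes that evident and keeps -Wmaybe-uninitialized quiet. In xsltEvalXPathPredicate the restore sits on the fall-through path after the error branch, so any early `return` between the save and the restore (not visible here) would skip it; a one-line comment at the save, `/* XPath evaluation may replace the context node; restored below */`, would tell the next maintainer why both lines must stay paired. Separately, the outer Subject line reads `CVE-2025-2485` while the patch file name and the changelog entry say `CVE-2025-24855`.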