From e9ec53375de45b9475d56a128ffd6d28a581d6ac Mon Sep 17 00:00:00 2001
From: fly_fzc <2385803914@qq.com>
Date: Wed, 3 Sep 2025 18:51:15 +0800
Subject: [PATCH] fix CVE-2025-9714

---
 ...recursion-in-EXSLT-dynamic-functions.patch | 104 ++++++++++++++++++
 libxslt.spec                                  |   6 +-
 2 files changed, 109 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-9714-Test-recursion-in-EXSLT-dynamic-functions.patch

diff --git a/backport-CVE-2025-9714-Test-recursion-in-EXSLT-dynamic-functions.patch b/backport-CVE-2025-9714-Test-recursion-in-EXSLT-dynamic-functions.patch
new file mode 100644
index 0000000..1ec412a
--- /dev/null
+++ b/backport-CVE-2025-9714-Test-recursion-in-EXSLT-dynamic-functions.patch
@@ -0,0 +1,104 @@
+From b7994c3b7ab83b502f4298ab4abb10fb183f7ed4 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 28 Jul 2022 20:58:02 +0200
+Subject: [PATCH] Test recursion in EXSLT dynamic functions
+
+This was fixed in libxml2 here:
+
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21
+
+Found by OSS-Fuzz.
+---
+ tests/exslt/dynamic/Makefile.am   | 10 ++++++++--
+ tests/exslt/dynamic/recursion.err |  7 +++++++
+ tests/exslt/dynamic/recursion.out |  2 ++
+ tests/exslt/dynamic/recursion.xml |  4 ++++
+ tests/exslt/dynamic/recursion.xsl | 21 +++++++++++++++++++++
+ 5 files changed, 42 insertions(+), 2 deletions(-)
+ create mode 100644 tests/exslt/dynamic/recursion.err
+ create mode 100644 tests/exslt/dynamic/recursion.out
+ create mode 100644 tests/exslt/dynamic/recursion.xml
+ create mode 100644 tests/exslt/dynamic/recursion.xsl
+
+diff --git a/tests/exslt/dynamic/Makefile.am b/tests/exslt/dynamic/Makefile.am
+index 84ebb5f8..0100dc9f 100644
+--- a/tests/exslt/dynamic/Makefile.am
++++ b/tests/exslt/dynamic/Makefile.am
+@@ -3,8 +3,14 @@
+ $(top_builddir)/xsltproc/xsltproc:
+ 	@(cd ../../../xsltproc ; $(MAKE) xsltproc)
+ 
+-EXTRA_DIST = 							\
+-  dynmap.out     dynmap.xml     dynmap.xsl
++EXTRA_DIST = \
++    dynmap.out \
++    dynmap.xml \
++    dynmap.xsl \
++    recursion.err \
++    recursion.out \
++    recursion.xml \
++    recursion.xsl
+ 
+ CLEANFILES = .memdump
+ 
+diff --git a/tests/exslt/dynamic/recursion.err b/tests/exslt/dynamic/recursion.err
+new file mode 100644
+index 00000000..02fdd564
+--- /dev/null
++++ b/tests/exslt/dynamic/recursion.err
+@@ -0,0 +1,7 @@
++XPath error : Recursion limit exceeded
++dyn:evaluate(.)
++             ^
++dyn:evaluate() : unable to evaluate expression 'dyn:evaluate(.)'
++XPath error : Recursion limit exceeded
++dyn:map(., .)
++        ^
+diff --git a/tests/exslt/dynamic/recursion.out b/tests/exslt/dynamic/recursion.out
+new file mode 100644
+index 00000000..e829790a
+--- /dev/null
++++ b/tests/exslt/dynamic/recursion.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++<result/>
+diff --git a/tests/exslt/dynamic/recursion.xml b/tests/exslt/dynamic/recursion.xml
+new file mode 100644
+index 00000000..5deb806b
+--- /dev/null
++++ b/tests/exslt/dynamic/recursion.xml
+@@ -0,0 +1,4 @@
++<doc>
++    <eval>dyn:evaluate(.)</eval>
++    <map>dyn:map(., .)</map>
++</doc>
+diff --git a/tests/exslt/dynamic/recursion.xsl b/tests/exslt/dynamic/recursion.xsl
+new file mode 100644
+index 00000000..55bd8dc9
+--- /dev/null
++++ b/tests/exslt/dynamic/recursion.xsl
+@@ -0,0 +1,21 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"
++ xmlns:dyn="http://exslt.org/dynamic"
++ exclude-result-prefixes="dyn"
++>
++
++<xsl:template match="/doc">
++  <result>
++    <xsl:apply-templates select="*"/>
++  </result>
++</xsl:template>
++
++<xsl:template match="eval">
++  <xsl:value-of select="dyn:evaluate(.)"/>
++</xsl:template>
++
++<xsl:template match="map">
++  <xsl:value-of select="dyn:map(., .)"/>
++</xsl:template>
++
++</xsl:stylesheet>
++
+-- 
+2.33.0
+
diff --git a/libxslt.spec b/libxslt.spec
index 1bedfb5..84ed105 100644
--- a/libxslt.spec
+++ b/libxslt.spec
@@ -1,6 +1,6 @@
 Name:     libxslt
 Version:  1.1.34
-Release:  9
+Release:  10
 Summary:  XSLT Transformation Library
 License:  MIT
 URL:      http://xmlsoft.org/libxslt/
@@ -20,6 +20,7 @@ Patch10: backport-Infrastructure-to-store-extra-data-in-source-nodes.patch
 Patch11: backport-Clean-up-attributes-in-source-doc.patch
 Patch12: backport-transform-Avoid-null-deref-on-documents-without-root.patch
 Patch13: backport-CVE-2025-7424.patch
+Patch14: backport-CVE-2025-9714-Test-recursion-in-EXSLT-dynamic-functions.patch
 
 BuildRequires: gcc make libtool autoconf automake libgcrypt-devel pkgconfig(libxml-2.0) >= 2.6.27
 
@@ -109,6 +110,9 @@ pushd $RPM_BUILD_ROOT/%{_includedir}/%{name}; touch -m --reference=xslt.h ../../
 %doc python/tests/*.xsl
 
 %changelog
+* Wed Sep 3 2025 fuanan <fuanan3@h-partners.com> - 1.1.34-10
+- fix CVE-2025-9714
+
 * Thu Jul 31 2025 fuanan <fuanan3@h-partners.com> - 1.1.34-9
 - fix xsltCleanupSourceDoc function:
   Clean up attributes in source doc
-- 
Gitee