diff --git a/backport-CVE-2025-7424.patch b/backport-CVE-2025-7424.patch new file mode 100644 index 0000000000000000000000000000000000000000..62a34fa61d397ce697ecca77654258ba5d9a1af7 --- /dev/null +++ b/backport-CVE-2025-7424.patch @@ -0,0 +1,99 @@ +From 345d6826d0eae6f0a962456b8ed6f6a1bad0877d Mon Sep 17 00:00:00 2001 +From: David Kilzer +Date: Sat, 24 May 2025 15:06:42 -0700 +Subject: [PATCH] libxslt: Type confusion in xmlNode.psvi between stylesheet + and source nodes + +* libxslt/functions.c: +(xsltDocumentFunctionLoadDocument): +- Implement fix suggested by Ivan Fratric. This copies the xmlDoc, + calls xsltCleanupSourceDoc() to remove pvsi fields, then adds the + xmlDoc to tctxt->docList. +- Add error handling for functions that may return NULL. +* libxslt/transform.c: +- Remove static keyword so this can be called from + xsltDocumentFunctionLoadDocument(). +* libxslt/transformInternals.h: Add. +(xsltCleanupSourceDoc): Add declaration. + +Fixes #139. +--- + libxslt/functions.c | 16 +++++++++++++++- + libxslt/transform.c | 3 ++- + libxslt/transformInternals.h | 9 +++++++++ + 3 files changed, 26 insertions(+), 2 deletions(-) + create mode 100644 libxslt/transformInternals.h + +diff --git a/libxslt/functions.c b/libxslt/functions.c +index 72a58dc4..11ec039f 100644 +--- a/libxslt/functions.c ++++ b/libxslt/functions.c +@@ -34,6 +34,7 @@ + #include "numbersInternals.h" + #include "keys.h" + #include "documents.h" ++#include "transformInternals.h" + + #ifdef WITH_XSLT_DEBUG + #define WITH_XSLT_DEBUG_FUNCTION +@@ -125,7 +126,20 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, + /* + * This selects the stylesheet's doc itself. + */ +- doc = tctxt->style->doc; ++ doc = xmlCopyDoc(tctxt->style->doc, 1); ++ if (doc == NULL) { ++ xsltTransformError(tctxt, NULL, NULL, ++ "document() : failed to copy style doc\n"); ++ goto out_fragment; ++ } ++ xsltCleanupSourceDoc(doc); /* Remove psvi fields. */ ++ idoc = xsltNewDocument(tctxt, doc); ++ if (idoc == NULL) { ++ xsltTransformError(tctxt, NULL, NULL, ++ "document() : failed to create xsltDocument\n"); ++ xmlFreeDoc(doc); ++ goto out_fragment; ++ } + } else { + goto out_fragment; + } +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 54ef821b..38c2dce6 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -43,6 +43,7 @@ + #include "xsltlocale.h" + #include "pattern.h" + #include "transform.h" ++#include "transformInternals.h" + #include "variables.h" + #include "numbersInternals.h" + #include "namespaces.h" +@@ -5757,7 +5758,7 @@ xsltCountKeys(xsltTransformContextPtr ctxt) + * + * Resets source node flags and ids stored in 'psvi' member. + */ +-static void ++void + xsltCleanupSourceDoc(xmlDocPtr doc) { + xmlNodePtr cur = (xmlNodePtr) doc; + void **psviPtr; +diff --git a/libxslt/transformInternals.h b/libxslt/transformInternals.h +new file mode 100644 +index 00000000..d0f42823 +--- /dev/null ++++ b/libxslt/transformInternals.h +@@ -0,0 +1,9 @@ ++/* ++ * Summary: set of internal interfaces for the XSLT engine transformation part. ++ * ++ * Copy: See Copyright for the status of this software. ++ * ++ * Author: David Kilzer ++ */ ++ ++void xsltCleanupSourceDoc(xmlDocPtr doc); +-- +2.39.5 (Apple Git-154) + diff --git a/libxslt.spec b/libxslt.spec index e9f38b59b2063543fc36a8327ff4ec9e842d2e5e..c643d5df0b8e0fe59ceec801bb1266c184acb2ce 100644 --- a/libxslt.spec +++ b/libxslt.spec @@ -1,12 +1,13 @@ Name: libxslt Version: 1.1.43 -Release: 1 +Release: 2 Summary: XSLT Transformation Library License: MIT URL: https://gitlab.gnome.org/GNOME/libxslt Source0: https://download.gnome.org/sources/%{name}/1.1/%{name}-%{version}.tar.xz # PATCH-FIX-UPSTREAM bug-fix https://github.com/GNOME/libxslt/ Patch0: CVE-2015-9019.patch +Patch1: backport-CVE-2025-7424.patch BuildRequires: gcc make libtool autoconf automake libgcrypt-devel pkgconfig(libxml-2.0) >= 2.6.27 cmake-rpm-macros Provides: xsltproc = %{version}-%{release} @@ -93,6 +94,9 @@ pushd $RPM_BUILD_ROOT/%{_includedir}/%{name}; touch -m --reference=xslt.h ../../ %{_mandir}/man3/* %changelog +* Mon Jul 21 2025 fuanan - 1.1.43-2 +- fix CVE-2025-7424 + * Thu Mar 13 2025 Funda Wang - 1.1.43-1 - update to 1.1.43