
[kirkstone,2/2] libxslt: Fix for CVE-2025-24855

Message ID 20250320115706.179605-2-vanusuri@mvista.com
State Accepted, archived
Commit eced74ca3be7d6c47e7c50152a36e0b1e8eba74a
Delegated to: Steve Sakoman
Series [kirkstone,1/2] libxslt: Fix for CVE-2024-55549 | expand

Commit Message

Vijay Anusuri March 20, 2025, 11:57 a.m. UTC
From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Commit: https://gitlab.gnome.org/GNOME/libxslt/-/commit/c7c7f1f78dd202a053996fcefe57eb994aec8ef2

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 .../libxslt/libxslt/CVE-2025-24855.patch      | 134 ++++++++++++++++++
 .../recipes-support/libxslt/libxslt_1.1.35.bb |   1 +
 2 files changed, 135 insertions(+)
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch

Patch

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch b/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch
new file mode 100644
index 0000000000..b8c2f5b0c8
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch
@@ -0,0 +1,134 @@ 
+From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 17 Dec 2024 15:56:21 +0100
+Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node
+
+There are several places where the XPath context node isn't restored
+after modifying it, leading to use-after-free errors with nested XPath
+evaluations and dynamically allocated context nodes.
+
+Restore XPath context node in
+
+- xsltNumberFormatGetValue
+- xsltEvalXPathPredicate
+- xsltEvalXPathStringNs
+- xsltComputeSortResultInternal
+
+In some places, the transformation context node was saved and restored
+which shouldn't be necessary.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #128.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/c7c7f1f78dd202a053996fcefe57eb994aec8ef2]
+CVE: CVE-2025-24855
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libxslt/numbers.c   | 5 +++++
+ libxslt/templates.c | 9 ++++++---
+ libxslt/xsltutils.c | 4 ++--
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 0e1fa136..741124d1 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+     int amount = 0;
+     xmlBufferPtr pattern;
+     xmlXPathObjectPtr obj;
++    xmlNodePtr oldNode;
+ 
+     pattern = xmlBufferCreate();
+     if (pattern != NULL) {
++        oldNode = context->node;
++
+ 	xmlBufferCCat(pattern, "number(");
+ 	xmlBufferCat(pattern, value);
+ 	xmlBufferCCat(pattern, ")");
+@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+ 	    xmlXPathFreeObject(obj);
+ 	}
+ 	xmlBufferFree(pattern);
++
++        context->node = oldNode;
+     }
+     return amount;
+ }
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index f08b9bda..1c8d96e2 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
+@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     int oldNsNr;
+     xmlNsPtr *oldNamespaces;
+     xmlNodePtr oldInst;
++    xmlNodePtr oldNode;
+     int oldProximityPosition, oldContextSize;
+ 
+     if ((ctxt == NULL) || (ctxt->inst == NULL)) {
+@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+         return(0);
+     }
+ 
++    oldNode = ctxt->xpathCtxt->node;
+     oldContextSize = ctxt->xpathCtxt->contextSize;
+     oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ 	ctxt->state = XSLT_STATE_STOPPED;
+ 	ret = 0;
+     }
+-    ctxt->xpathCtxt->nsNr = oldNsNr;
+ 
++    ctxt->xpathCtxt->node = oldNode;
++    ctxt->xpathCtxt->nsNr = oldNsNr;
+     ctxt->xpathCtxt->namespaces = oldNamespaces;
+     ctxt->inst = oldInst;
+     ctxt->xpathCtxt->contextSize = oldContextSize;
+@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     }
+ 
+     oldInst = ctxt->inst;
+-    oldNode = ctxt->node;
++    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ 	 "xsltEvalXPathString: returns %s\n", ret));
+ #endif
+     ctxt->inst = oldInst;
+-    ctxt->node = oldNode;
++    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 0e9dc62f..a20da961 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
+@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ 	return(NULL);
+     }
+ 
+-    oldNode = ctxt->node;
+     oldInst = ctxt->inst;
++    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ 	    results[i] = NULL;
+ 	}
+     }
+-    ctxt->node = oldNode;
+     ctxt->inst = oldInst;
++    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+-- 
+GitLab
+
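Review bot: The xsltutils.c hunks drop the save and restore of the transformation context node (`-    oldNode = ctxt->node;` and `-    ctxt->node = oldNode;`) on the upstream rationale that it "shouldn't be necessary", but the loop body of xsltComputeSortResultInternal sits between those two hunks and is not visible here; if the 1.1.35 loop still assigns `ctxt->node = list->nodeTab[i]` before each xmlXPathCompiledEval, this backport returns with ctxt->node pointing at the last sorted node, which master may tolerate because its callers reset the node but an older tree should be checked rather than assumed. Worth confirming against the 1.1.35 sources when applying, and recording the result in the patch header above `Upstream-Status`, e.g. `Backport note: verified the sort loop in 1.1.35 does not leave ctxt->node modified after this change.` The same drop in xsltEvalXPathStringNs (templates.c) looks safe from what is visible, since only ctxt->xpathCtxt->node is written and restored there. All four patched functions begin and end outside their hunks, so the early-return paths between save and restore cannot be checked from this page.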
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
index 1f0d845421..3df372b267 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@@ -15,6 +15,7 @@  DEPENDS = "libxml2"
 
 SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \
            file://CVE-2024-55549.patch \
+           file://CVE-2025-24855.patch \
           "
 
 SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"