Control: tags 1100565 + patch Control: tags 1100565 + pending Control: tags 1100566 + patch Control: tags 1100566 + pending
Dear maintainer, I've prepared an NMU for libxslt (versioned as 1.1.35-1.2) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. The 2-day delay does not really conform to the NMU rules, so if you want me to cancel, let me know. My aim is to get the same changes into bookworm, but ideally before first exposing it in unstable, hence the short delay. But I will happily adapt as you want me to. Regards, Salvatore
diff -Nru libxslt-1.1.35/debian/changelog libxslt-1.1.35/debian/changelog
--- libxslt-1.1.35/debian/changelog 2024-07-09 13:56:17.000000000 +0200
+++ libxslt-1.1.35/debian/changelog 2025-03-15 14:03:26.000000000 +0100
@@ -1,3 +1,12 @@
+libxslt (1.1.35-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix UAF related to excluded namespaces (CVE-2024-55549) (Closes: #1100565)
+ * Fix use-after-free of XPath context node (CVE-2025-24855)
+ (Closes: #1100566)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 15 Mar 2025 14:03:26 +0100
+
 libxslt (1.1.35-1.1) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru libxslt-1.1.35/debian/patches/0012-CVE-2024-55549-Fix-UAF-related-to-excluded-namespace.patch libxslt-1.1.35/debian/patches/0012-CVE-2024-55549-Fix-UAF-related-to-excluded-namespace.patch
--- libxslt-1.1.35/debian/patches/0012-CVE-2024-55549-Fix-UAF-related-to-excluded-namespace.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.35/debian/patches/0012-CVE-2024-55549-Fix-UAF-related-to-excluded-namespace.patch 2025-03-15 14:03:26.000000000 +0100
@@ -0,0 +1,43 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Thu, 5 Dec 2024 12:43:19 +0100
+Subject: [CVE-2024-55549] Fix UAF related to excluded namespaces
+Origin: https://gitlab.gnome.org/GNOME/libxslt/-/commit/46041b65f2fbddf5c284ee1a1332fa2c515c0515
+Bug-Debian: https://bugs.debian.org/1100565
+Bug: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-55549
+
+Definitions of excluded namespaces could be deleted in
+xsltParseTemplateContent. Store excluded namespace URIs in the
+stylesheet's dictionary instead of referencing the namespace definition.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #127.
+---
+ libxslt/xslt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr
+ * in case of error
+ */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
++exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
++ xmlChar *value;
+ int i;
+
++ /*
++ * orig can come from a namespace definition on a node which
++ * could be deleted later, for example in xsltParseTemplateContent.
++ * Store the string in stylesheet's dict to avoid use after free.
++ */
++ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
++ if (value == NULL)
++ return(-1);
++
+ if (style->exclPrefixMax == 0) {
+ style->exclPrefixMax = 4;
+ style->exclPrefixTab =
diff -Nru libxslt-1.1.35/debian/patches/0013-CVE-2025-24855-Fix-use-after-free-of-XPath-context-n.patch libxslt-1.1.35/debian/patches/0013-CVE-2025-24855-Fix-use-after-free-of-XPath-context-n.patch
--- libxslt-1.1.35/debian/patches/0013-CVE-2025-24855-Fix-use-after-free-of-XPath-context-n.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxslt-1.1.35/debian/patches/0013-CVE-2025-24855-Fix-use-after-free-of-XPath-context-n.patch 2025-03-15 14:03:26.000000000 +0100
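Review bot: The new `return(-1)` on `xmlDictLookup` failure exits exclPrefixPush before any of the exclPrefixTab bookkeeping, and the rest of the function body plus its callers lie outside this hunk, so it is worth confirming that every caller treats a negative return as a failure rather than assuming the prefix was pushed. Because `value` is now owned by `style->dict` instead of by a namespace definition, the pop/cleanup side must not free table entries; a short comment there such as `/* entries are dict-owned strings; never freed here */` would keep a later maintainer from reintroducing an explicit free. The lookup also dereferences `style->dict` unconditionally; if any construction path can leave it NULL (not visible here), a guard before the call would be prudent.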
@@ -0,0 +1,133 @@
+From: Nick Wellnhofer <wellnho...@aevum.de>
+Date: Tue, 17 Dec 2024 15:56:21 +0100
+Subject: [CVE-2025-24855] Fix use-after-free of XPath context node
+Origin: https://gitlab.gnome.org/GNOME/libxslt/-/commit/c7c7f1f78dd202a053996fcefe57eb994aec8ef2
+Bug-Debian: https://bugs.debian.org/1100566
+Bug: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-24855
+
+There are several places where the XPath context node isn't restored
+after modifying it, leading to use-after-free errors with nested XPath
+evaluations and dynamically allocated context nodes.
+
+Restore XPath context node in
+
+- xsltNumberFormatGetValue
+- xsltEvalXPathPredicate
+- xsltEvalXPathStringNs
+- xsltComputeSortResultInternal
+
+In some places, the transformation context node was saved and restored
+which shouldn't be necessary.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #128.
+---
+ libxslt/numbers.c | 5 +++++
+ libxslt/templates.c | 9 ++++++---
+ libxslt/xsltutils.c | 4 ++--
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 0e1fa1368413..741124d1a7cf 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+ int amount = 0;
+ xmlBufferPtr pattern;
+ xmlXPathObjectPtr obj;
++ xmlNodePtr oldNode;
+
+ pattern = xmlBufferCreate();
+ if (pattern != NULL) {
++ oldNode = context->node;
++
+ xmlBufferCCat(pattern, "number(");
+ xmlBufferCat(pattern, value);
+ xmlBufferCCat(pattern, ")");
+@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+ xmlXPathFreeObject(obj);
+ }
+ xmlBufferFree(pattern);
++
++ context->node = oldNode;
+ }
+ return amount;
+ }
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index f08b9bda418f..1c8d96e26e95 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
+@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ int oldNsNr;
+ xmlNsPtr *oldNamespaces;
+ xmlNodePtr oldInst;
++ xmlNodePtr oldNode;
+ int oldProximityPosition, oldContextSize;
+
+ if ((ctxt == NULL) || (ctxt->inst == NULL)) {
+@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ return(0);
+ }
+
++ oldNode = ctxt->xpathCtxt->node;
+ oldContextSize = ctxt->xpathCtxt->contextSize;
+ oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
+ oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ ctxt->state = XSLT_STATE_STOPPED;
+ ret = 0;
+ }
+- ctxt->xpathCtxt->nsNr = oldNsNr;
+
++ ctxt->xpathCtxt->node = oldNode;
++ ctxt->xpathCtxt->nsNr = oldNsNr;
+ ctxt->xpathCtxt->namespaces = oldNamespaces;
+ ctxt->inst = oldInst;
+ ctxt->xpathCtxt->contextSize = oldContextSize;
+@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ }
+
+ oldInst = ctxt->inst;
+- oldNode = ctxt->node;
++ oldNode = ctxt->xpathCtxt->node;
+ oldPos = ctxt->xpathCtxt->proximityPosition;
+ oldSize = ctxt->xpathCtxt->contextSize;
+ oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ "xsltEvalXPathString: returns %s\n", ret));
+ #endif
+ ctxt->inst = oldInst;
+- ctxt->node = oldNode;
++ ctxt->xpathCtxt->node = oldNode;
+ ctxt->xpathCtxt->contextSize = oldSize;
+ ctxt->xpathCtxt->proximityPosition = oldPos;
+ ctxt->xpathCtxt->nsNr = oldNsNr;
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 0e9dc62f5fc3..a20da9618228 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
+@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ return(NULL);
+ }
+
+- oldNode = ctxt->node;
+ oldInst = ctxt->inst;
++ oldNode = ctxt->xpathCtxt->node;
+ oldPos = ctxt->xpathCtxt->proximityPosition;
+ oldSize = ctxt->xpathCtxt->contextSize;
+ oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ results[i] = NULL;
+ }
+ }
+- ctxt->node = oldNode;
+ ctxt->inst = oldInst;
++ ctxt->xpathCtxt->node = oldNode;
+ ctxt->xpathCtxt->contextSize = oldSize;
+ ctxt->xpathCtxt->proximityPosition = oldPos;
+ ctxt->xpathCtxt->nsNr = oldNsNr;
+--
+2.47.2
+
diff -Nru libxslt-1.1.35/debian/patches/series libxslt-1.1.35/debian/patches/series
--- libxslt-1.1.35/debian/patches/series 2024-07-09 13:56:17.000000000 +0200
+++ libxslt-1.1.35/debian/patches/series 2025-03-15 14:03:26.000000000 +0100
@@ -5,3 +5,5 @@
 0005-Drop-libdir-and-static-linking-information-from-xslt.patch
 0010_missing_include.diff
 0011_libgcrypt_pkgconfig.diff
+0012-CVE-2024-55549-Fix-UAF-related-to-excluded-namespace.patch
+0013-CVE-2025-24855-Fix-use-after-free-of-XPath-context-n.patch
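Review bot: In xsltEvalXPathStringNs and xsltComputeSortResultInternal the hunks stop saving and restoring `ctxt->node` and switch `oldNode` to `ctxt->xpathCtxt->node`; the code between the save and the restore lies outside these hunks, so it is worth confirming that nothing in those bodies assigns `ctxt->node`, since such a write would now survive the call where it previously did not. The commit message states the transformation-context restore was unnecessary, which is consistent with only the XPath context node being rebound, but that is inferred rather than visible here. In xsltNumberFormatGetValue the new `oldNode` is assigned and restored only inside the `if (pattern != NULL)` branch; a one-line comment such as `/* restore the XPath context node rebound by the nested evaluation */` next to `context->node = oldNode;` would make the pairing obvious to a reader of the full function.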