libxslt: Fix for CVE-2024-55549

Upstream-Commit: https://gitlab.gnome.org/GNOME/libxslt/-/commit/46041b65f2fbddf5c284ee1a1332fa2c515c0515 (From OE-Core rev: eae0c33539f302124544373b74bd6883467ff549) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-03-20 17:27:05 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-03-27 08:16:30 -0700
commit: 0490768a25fbc21e958d1c49670fc89ffaa677a0 (patch)
tree: c1a136c9a14967421adb171b9fc3cebca6278805
parent: 88aec329b88be3ff85102c2fb29f2f167599dab8 (diff)
download: poky-0490768a25fbc21e958d1c49670fc89ffaa677a0.tar.gz
2 files changed, 52 insertions, 1 deletions
diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch b/meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch
new file mode 100644
index 0000000000..88a17a4d0c
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch
@@ -0,0 +1,49 @@
+From 46041b65f2fbddf5c284ee1a1332fa2c515c0515 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 5 Dec 2024 12:43:19 +0100
+Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
+Definitions of excluded namespaces could be deleted in
+xsltParseTemplateContent. Store excluded namespace URIs in the
+stylesheet's dictionary instead of referencing the namespace definition.
+Thanks to Ivan Fratric for the report!
+Fixes #127.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/46041b65f2fbddf5c284ee1a1332fa2c515c0515]
+CVE: CVE-2024-55549
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libxslt/xslt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 69116f2..02c2e3a 100644
+--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
+@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
+  * in case of error
+  */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
+    xmlChar *value;
+     int i;
+ 
+    /*
+     * orig can come from a namespace definition on a node which
+     * could be deleted later, for example in xsltParseTemplateContent.
+     * Store the string in stylesheet's dict to avoid use after free.
+     */
+    value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
+    if (value == NULL)
+       return(-1);
+
+     if (style->exclPrefixMax == 0) {
+         style->exclPrefixMax = 4;
+         style->exclPrefixTab =
+-- 
+2.34.1
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
index 2fd777766c..1f0d845421 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
 SECTION = "libs"
 DEPENDS = "libxml2"
-SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz"
+SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \
+           file://CVE-2024-55549.patch \
+          "
 SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"
author	Vijay Anusuri <vanusuri@mvista.com>	2025-03-20 17:27:05 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-03-27 08:16:30 -0700
commit	0490768a25fbc21e958d1c49670fc89ffaa677a0 (patch)
tree	c1a136c9a14967421adb171b9fc3cebca6278805
parent	88aec329b88be3ff85102c2fb29f2f167599dab8 (diff)
download	poky-0490768a25fbc21e958d1c49670fc89ffaa677a0.tar.gz

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch b/meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch new file mode 100644 index 0000000000..88a17a4d0c --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch
@@ -0,0 +1,49 @@
		1	From 46041b65f2fbddf5c284ee1a1332fa2c515c0515 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Thu, 5 Dec 2024 12:43:19 +0100
		4	Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
		5
		6	Definitions of excluded namespaces could be deleted in
		7	xsltParseTemplateContent. Store excluded namespace URIs in the
		8	stylesheet's dictionary instead of referencing the namespace definition.
		9
		10	Thanks to Ivan Fratric for the report!
		11
		12	Fixes #127.
		13
		14	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/46041b65f2fbddf5c284ee1a1332fa2c515c0515]
		15	CVE: CVE-2024-55549
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	libxslt/xslt.c \| 12 +++++++++++-
		19	1 file changed, 11 insertions(+), 1 deletion(-)
		20
		21	diff --git a/libxslt/xslt.c b/libxslt/xslt.c
		22	index 69116f2..02c2e3a 100644
		23	--- a/libxslt/xslt.c
		24	+++ b/libxslt/xslt.c
		25	@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
		26	* in case of error
		27	*/
		28	static int
		29	-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
		30	+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
		31	{
		32	+ xmlChar *value;
		33	int i;
		34
		35	+ /*
		36	+ * orig can come from a namespace definition on a node which
		37	+ * could be deleted later, for example in xsltParseTemplateContent.
		38	+ * Store the string in stylesheet's dict to avoid use after free.
		39	+ */
		40	+ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
		41	+ if (value == NULL)
		42	+ return(-1);
		43	+
		44	if (style->exclPrefixMax == 0) {
		45	style->exclPrefixMax = 4;
		46	style->exclPrefixTab =
		47	--
		48	2.34.1
		49


diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb index 2fd777766c..1f0d845421 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
13	SECTION = "libs"	13	SECTION = "libs"
14	DEPENDS = "libxml2"	14	DEPENDS = "libxml2"
15		15
16	SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz"	16	SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \
		17	file://CVE-2024-55549.patch \
		18	"
17		19
18	SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"	20	SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"
19		21