2 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2025-11731.patch b/meta/recipes-support/libxslt/libxslt/CVE-2025-11731.patch
new file mode 100644
index 0000000000..19702af6cb
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2025-11731.patch
@@ -0,0 +1,42 @@
+From fe508f201efb9ea37bfbe95413b8b28251497de3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= <drott@chromium.org>
+Date: Wed, 27 Aug 2025 14:28:40 +0300
+Subject: [PATCH] End function node ancestor search at document
+Avoids dereferencing a non-existent ->ns property on an
+XML_DOCUMENT_NODE pointer.
+Fixes #151.
+CVE: CVE-2025-11731
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/fe508f201efb9ea37bfbe95413b8b28251497de3]
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ libexslt/functions.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+diff --git a/libexslt/functions.c b/libexslt/functions.c
+index 8d35a7ae..a54ee70c 100644
+--- a/libexslt/functions.c
+++ b/libexslt/functions.c
+@@ -617,8 +617,13 @@ exsltFuncResultComp (xsltStylesheetPtr style, xmlNodePtr inst,
+      * instanciation of a func:result element.
+      */
+     for (test = inst->parent; test != NULL; test = test->parent) {
+-       if (IS_XSLT_ELEM(test) &&
+-           IS_XSLT_NAME(test, "stylesheet")) {
+       if (/* Traversal has reached the top-level document without
+         * finding a func:function ancestor. */
+        (test != NULL && test->type == XML_DOCUMENT_NODE) ||
+        /* Traversal reached a stylesheet-namespace node,
+         * and has left the function namespace. */
+        (IS_XSLT_ELEM(test) &&
+         IS_XSLT_NAME(test, "stylesheet"))) {
+            xsltGenericError(xsltGenericErrorContext,
+                             "func:result element not a descendant "
+                             "of a func:function\n");
+-- 
+2.34.1
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
index fc1fafbf19..4f86069d77 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@@ -22,6 +22,7 @@ SRC_URI = "${GNOME_MIRROR}/libxslt/1.1/libxslt-${PV}.tar.xz \
           file://CVE-2023-40403-004.patch \
           file://CVE-2023-40403-005.patch \
           file://CVE-2025-7424.patch \
+           file://CVE-2025-11731.patch \
          "
 SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2025-11731.patch b/meta/recipes-support/libxslt/libxslt/CVE-2025-11731.patch new file mode 100644 index 0000000000..19702af6cb --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2025-11731.patch
@@ -0,0 +1,42 @@
		1	From fe508f201efb9ea37bfbe95413b8b28251497de3 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= <drott@chromium.org>
		3	Date: Wed, 27 Aug 2025 14:28:40 +0300
		4	Subject: [PATCH] End function node ancestor search at document
		5
		6	Avoids dereferencing a non-existent ->ns property on an
		7	XML_DOCUMENT_NODE pointer.
		8
		9	Fixes #151.
		10
		11	CVE: CVE-2025-11731
		12
		13	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/fe508f201efb9ea37bfbe95413b8b28251497de3]
		14
		15	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
		16	---
		17	libexslt/functions.c \| 9 +++++++--
		18	1 file changed, 7 insertions(+), 2 deletions(-)
		19
		20	diff --git a/libexslt/functions.c b/libexslt/functions.c
		21	index 8d35a7ae..a54ee70c 100644
		22	--- a/libexslt/functions.c
		23	+++ b/libexslt/functions.c
		24	@@ -617,8 +617,13 @@ exsltFuncResultComp (xsltStylesheetPtr style, xmlNodePtr inst,
		25	* instanciation of a func:result element.
		26	*/
		27	for (test = inst->parent; test != NULL; test = test->parent) {
		28	- if (IS_XSLT_ELEM(test) &&
		29	- IS_XSLT_NAME(test, "stylesheet")) {
		30	+ if (/* Traversal has reached the top-level document without
		31	+ * finding a func:function ancestor. */
		32	+ (test != NULL && test->type == XML_DOCUMENT_NODE) \|\|
		33	+ /* Traversal reached a stylesheet-namespace node,
		34	+ * and has left the function namespace. */
		35	+ (IS_XSLT_ELEM(test) &&
		36	+ IS_XSLT_NAME(test, "stylesheet"))) {
		37	xsltGenericError(xsltGenericErrorContext,
		38	"func:result element not a descendant "
		39	"of a func:function\n");
		40	--
		41	2.34.1
		42


diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb index fc1fafbf19..4f86069d77 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@@ -22,6 +22,7 @@ SRC_URI = "${GNOME_MIRROR}/libxslt/1.1/libxslt-${PV}.tar.xz \
22	file://CVE-2023-40403-004.patch \	22	file://CVE-2023-40403-004.patch \
23	file://CVE-2023-40403-005.patch \	23	file://CVE-2023-40403-005.patch \
24	file://CVE-2025-7424.patch \	24	file://CVE-2025-7424.patch \
		25	file://CVE-2025-11731.patch \
25	"	26	"
26		27
27	SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"	28	SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"