2 files changed, 135 insertions, 0 deletions
diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch b/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch
new file mode 100644
index 0000000000..b8c2f5b0c8
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch
@@ -0,0 +1,134 @@
+From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 17 Dec 2024 15:56:21 +0100
+Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node
+There are several places where the XPath context node isn't restored
+after modifying it, leading to use-after-free errors with nested XPath
+evaluations and dynamically allocated context nodes.
+Restore XPath context node in
+- xsltNumberFormatGetValue
+- xsltEvalXPathPredicate
+- xsltEvalXPathStringNs
+- xsltComputeSortResultInternal
+In some places, the transformation context node was saved and restored
+which shouldn't be necessary.
+Thanks to Ivan Fratric for the report!
+Fixes #128.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/c7c7f1f78dd202a053996fcefe57eb994aec8ef2]
+CVE: CVE-2025-24855
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libxslt/numbers.c   | 5 +++++
+ libxslt/templates.c | 9 ++++++---
+ libxslt/xsltutils.c | 4 ++--
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 0e1fa136..741124d1 100644
+--- a/libxslt/numbers.c
+++ b/libxslt/numbers.c
+@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+     int amount = 0;
+     xmlBufferPtr pattern;
+     xmlXPathObjectPtr obj;
+    xmlNodePtr oldNode;
+ 
+     pattern = xmlBufferCreate();
+     if (pattern != NULL) {
+        oldNode = context->node;
+
+        xmlBufferCCat(pattern, "number(");
+        xmlBufferCat(pattern, value);
+        xmlBufferCCat(pattern, ")");
+@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+            xmlXPathFreeObject(obj);
+        }
+        xmlBufferFree(pattern);
+
+        context->node = oldNode;
+     }
+     return amount;
+ }
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index f08b9bda..1c8d96e2 100644
+--- a/libxslt/templates.c
+++ b/libxslt/templates.c
+@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     int oldNsNr;
+     xmlNsPtr *oldNamespaces;
+     xmlNodePtr oldInst;
+    xmlNodePtr oldNode;
+     int oldProximityPosition, oldContextSize;
+ 
+     if ((ctxt == NULL) || (ctxt->inst == NULL)) {
+@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+         return(0);
+     }
+ 
+    oldNode = ctxt->xpathCtxt->node;
+     oldContextSize = ctxt->xpathCtxt->contextSize;
+     oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+        ctxt->state = XSLT_STATE_STOPPED;
+        ret = 0;
+     }
+-    ctxt->xpathCtxt->nsNr = oldNsNr;
+ 
+    ctxt->xpathCtxt->node = oldNode;
+    ctxt->xpathCtxt->nsNr = oldNsNr;
+     ctxt->xpathCtxt->namespaces = oldNamespaces;
+     ctxt->inst = oldInst;
+     ctxt->xpathCtxt->contextSize = oldContextSize;
+@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     }
+ 
+     oldInst = ctxt->inst;
+-    oldNode = ctxt->node;
+    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+         "xsltEvalXPathString: returns %s\n", ret));
+ #endif
+     ctxt->inst = oldInst;
+-    ctxt->node = oldNode;
+    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 0e9dc62f..a20da961 100644
+--- a/libxslt/xsltutils.c
+++ b/libxslt/xsltutils.c
+@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+        return(NULL);
+     }
+ 
+-    oldNode = ctxt->node;
+     oldInst = ctxt->inst;
+    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+            results[i] = NULL;
+        }
+     }
+-    ctxt->node = oldNode;
+     ctxt->inst = oldInst;
+    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+-- 
+GitLab
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
index 1f0d845421..3df372b267 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@@ -15,6 +15,7 @@ DEPENDS = "libxml2"
 SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \
           file://CVE-2024-55549.patch \
+           file://CVE-2025-24855.patch \
          "
 SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch b/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch new file mode 100644 index 0000000000..b8c2f5b0c8 --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch
@@ -0,0 +1,134 @@
		1	From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Tue, 17 Dec 2024 15:56:21 +0100
		4	Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node
		5
		6	There are several places where the XPath context node isn't restored
		7	after modifying it, leading to use-after-free errors with nested XPath
		8	evaluations and dynamically allocated context nodes.
		9
		10	Restore XPath context node in
		11
		12	- xsltNumberFormatGetValue
		13	- xsltEvalXPathPredicate
		14	- xsltEvalXPathStringNs
		15	- xsltComputeSortResultInternal
		16
		17	In some places, the transformation context node was saved and restored
		18	which shouldn't be necessary.
		19
		20	Thanks to Ivan Fratric for the report!
		21
		22	Fixes #128.
		23
		24	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/c7c7f1f78dd202a053996fcefe57eb994aec8ef2]
		25	CVE: CVE-2025-24855
		26	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		27	---
		28	libxslt/numbers.c \| 5 +++++
		29	libxslt/templates.c \| 9 ++++++---
		30	libxslt/xsltutils.c \| 4 ++--
		31	3 files changed, 13 insertions(+), 5 deletions(-)
		32
		33	diff --git a/libxslt/numbers.c b/libxslt/numbers.c
		34	index 0e1fa136..741124d1 100644
		35	--- a/libxslt/numbers.c
		36	+++ b/libxslt/numbers.c
		37	@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
		38	int amount = 0;
		39	xmlBufferPtr pattern;
		40	xmlXPathObjectPtr obj;
		41	+ xmlNodePtr oldNode;
		42
		43	pattern = xmlBufferCreate();
		44	if (pattern != NULL) {
		45	+ oldNode = context->node;
		46	+
		47	xmlBufferCCat(pattern, "number(");
		48	xmlBufferCat(pattern, value);
		49	xmlBufferCCat(pattern, ")");
		50	@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
		51	xmlXPathFreeObject(obj);
		52	}
		53	xmlBufferFree(pattern);
		54	+
		55	+ context->node = oldNode;
		56	}
		57	return amount;
		58	}
		59	diff --git a/libxslt/templates.c b/libxslt/templates.c
		60	index f08b9bda..1c8d96e2 100644
		61	--- a/libxslt/templates.c
		62	+++ b/libxslt/templates.c
		63	@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
		64	int oldNsNr;
		65	xmlNsPtr *oldNamespaces;
		66	xmlNodePtr oldInst;
		67	+ xmlNodePtr oldNode;
		68	int oldProximityPosition, oldContextSize;
		69
		70	if ((ctxt == NULL) \|\| (ctxt->inst == NULL)) {
		71	@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
		72	return(0);
		73	}
		74
		75	+ oldNode = ctxt->xpathCtxt->node;
		76	oldContextSize = ctxt->xpathCtxt->contextSize;
		77	oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
		78	oldNsNr = ctxt->xpathCtxt->nsNr;
		79	@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
		80	ctxt->state = XSLT_STATE_STOPPED;
		81	ret = 0;
		82	}
		83	- ctxt->xpathCtxt->nsNr = oldNsNr;
		84
		85	+ ctxt->xpathCtxt->node = oldNode;
		86	+ ctxt->xpathCtxt->nsNr = oldNsNr;
		87	ctxt->xpathCtxt->namespaces = oldNamespaces;
		88	ctxt->inst = oldInst;
		89	ctxt->xpathCtxt->contextSize = oldContextSize;
		90	@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
		91	}
		92
		93	oldInst = ctxt->inst;
		94	- oldNode = ctxt->node;
		95	+ oldNode = ctxt->xpathCtxt->node;
		96	oldPos = ctxt->xpathCtxt->proximityPosition;
		97	oldSize = ctxt->xpathCtxt->contextSize;
		98	oldNsNr = ctxt->xpathCtxt->nsNr;
		99	@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
		100	"xsltEvalXPathString: returns %s\n", ret));
		101	#endif
		102	ctxt->inst = oldInst;
		103	- ctxt->node = oldNode;
		104	+ ctxt->xpathCtxt->node = oldNode;
		105	ctxt->xpathCtxt->contextSize = oldSize;
		106	ctxt->xpathCtxt->proximityPosition = oldPos;
		107	ctxt->xpathCtxt->nsNr = oldNsNr;
		108	diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
		109	index 0e9dc62f..a20da961 100644
		110	--- a/libxslt/xsltutils.c
		111	+++ b/libxslt/xsltutils.c
		112	@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
		113	return(NULL);
		114	}
		115
		116	- oldNode = ctxt->node;
		117	oldInst = ctxt->inst;
		118	+ oldNode = ctxt->xpathCtxt->node;
		119	oldPos = ctxt->xpathCtxt->proximityPosition;
		120	oldSize = ctxt->xpathCtxt->contextSize;
		121	oldNsNr = ctxt->xpathCtxt->nsNr;
		122	@@ -1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
		123	results[i] = NULL;
		124	}
		125	}
		126	- ctxt->node = oldNode;
		127	ctxt->inst = oldInst;
		128	+ ctxt->xpathCtxt->node = oldNode;
		129	ctxt->xpathCtxt->contextSize = oldSize;
		130	ctxt->xpathCtxt->proximityPosition = oldPos;
		131	ctxt->xpathCtxt->nsNr = oldNsNr;
		132	--
		133	GitLab
		134


diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb index 1f0d845421..3df372b267 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@@ -15,6 +15,7 @@ DEPENDS = "libxml2"
15		15
16	SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \	16	SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \
17	file://CVE-2024-55549.patch \	17	file://CVE-2024-55549.patch \
		18	file://CVE-2025-24855.patch \
18	"	19	"
19		20
20	SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"	21	SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"