2 files changed, 105 insertions, 1 deletions
diff --git a/meta/recipes-support/libxslt/files/gnome-libxslt-bug-139-apple-fix.diff b/meta/recipes-support/libxslt/files/gnome-libxslt-bug-139-apple-fix.diff
new file mode 100644
index 0000000000..c7220ab954
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/gnome-libxslt-bug-139-apple-fix.diff
@@ -0,0 +1,103 @@
+From 345d6826d0eae6f0a962456b8ed6f6a1bad0877d Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Date: Sat, 24 May 2025 15:06:42 -0700
+Subject: [PATCH] libxslt: Type confusion in xmlNode.psvi between stylesheet
+ and source nodes
+* libxslt/functions.c:
+(xsltDocumentFunctionLoadDocument):
+- Implement fix suggested by Ivan Fratric.  This copies the xmlDoc,
+  calls xsltCleanupSourceDoc() to remove pvsi fields, then adds the
+  xmlDoc to tctxt->docList.
+- Add error handling for functions that may return NULL.
+* libxslt/transform.c:
+- Remove static keyword so this can be called from
+  xsltDocumentFunctionLoadDocument().
+* libxslt/transformInternals.h: Add.
+(xsltCleanupSourceDoc): Add declaration.
+Fixes #139.
+CVE: CVE-2025-7424
+Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libxslt/-/issues/139]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ libxslt/functions.c          | 16 +++++++++++++++-
+ libxslt/transform.c          |  3 ++-
+ libxslt/transformInternals.h |  9 +++++++++
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+ create mode 100644 libxslt/transformInternals.h
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index 72a58dc4..11ec039f 100644
+--- a/libxslt/functions.c
+++ b/libxslt/functions.c
+@@ -34,6 +34,7 @@
+ #include "numbersInternals.h"
+ #include "keys.h"
+ #include "documents.h"
+#include "transformInternals.h"
+ 
+ #ifdef WITH_XSLT_DEBUG
+ #define WITH_XSLT_DEBUG_FUNCTION
+@@ -125,7 +126,20 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt,
+            /*
+            * This selects the stylesheet's doc itself.
+            */
+-           doc = tctxt->style->doc;
+           doc = xmlCopyDoc(tctxt->style->doc, 1);
+           if (doc == NULL) {
+               xsltTransformError(tctxt, NULL, NULL,
+                   "document() : failed to copy style doc\n");
+               goto out_fragment;
+           }
+           xsltCleanupSourceDoc(doc); /* Remove psvi fields. */
+           idoc = xsltNewDocument(tctxt, doc);
+           if (idoc == NULL) {
+               xsltTransformError(tctxt, NULL, NULL,
+                   "document() : failed to create xsltDocument\n");
+               xmlFreeDoc(doc);
+               goto out_fragment;
+           }
+        } else {
+             goto out_fragment;
+        }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 54ef821b..38c2dce6 100644
+--- a/libxslt/transform.c
+++ b/libxslt/transform.c
+@@ -43,6 +43,7 @@
+ #include "xsltlocale.h"
+ #include "pattern.h"
+ #include "transform.h"
+#include "transformInternals.h"
+ #include "variables.h"
+ #include "numbersInternals.h"
+ #include "namespaces.h"
+@@ -5757,7 +5758,7 @@ xsltCountKeys(xsltTransformContextPtr ctxt)
+  *
+  * Resets source node flags and ids stored in 'psvi' member.
+  */
+-static void
+void
+ xsltCleanupSourceDoc(xmlDocPtr doc) {
+     xmlNodePtr cur = (xmlNodePtr) doc;
+     void **psviPtr;
+diff --git a/libxslt/transformInternals.h b/libxslt/transformInternals.h
+new file mode 100644
+index 00000000..d0f42823
+--- /dev/null
+++ b/libxslt/transformInternals.h
+@@ -0,0 +1,9 @@
+/*
+ * Summary: set of internal interfaces for the XSLT engine transformation part.
+ *
+ * Copy: See Copyright for the status of this software.
+ *
+ * Author: David Kilzer <ddkilzer@apple.com>
+ */
+
+void xsltCleanupSourceDoc(xmlDocPtr doc);
+-- 
+2.39.5 (Apple Git-154)
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.43.bb b/meta/recipes-support/libxslt/libxslt_1.1.43.bb
index d251fa8122..e08e92085d 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.43.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.43.bb
@@ -13,7 +13,8 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
 SECTION = "libs"
 DEPENDS = "libxml2"
-SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz"
+SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \
+           file://gnome-libxslt-bug-139-apple-fix.diff"
 SRC_URI[sha256sum] = "5a3d6b383ca5afc235b171118e90f5ff6aa27e9fea3303065231a6d403f0183a"

diff --git a/meta/recipes-support/libxslt/files/gnome-libxslt-bug-139-apple-fix.diff b/meta/recipes-support/libxslt/files/gnome-libxslt-bug-139-apple-fix.diff new file mode 100644 index 0000000000..c7220ab954 --- /dev/null +++ b/meta/recipes-support/libxslt/files/gnome-libxslt-bug-139-apple-fix.diff
@@ -0,0 +1,103 @@
		1	From 345d6826d0eae6f0a962456b8ed6f6a1bad0877d Mon Sep 17 00:00:00 2001
		2	From: David Kilzer <ddkilzer@apple.com>
		3	Date: Sat, 24 May 2025 15:06:42 -0700
		4	Subject: [PATCH] libxslt: Type confusion in xmlNode.psvi between stylesheet
		5	and source nodes
		6
		7	* libxslt/functions.c:
		8	(xsltDocumentFunctionLoadDocument):
		9	- Implement fix suggested by Ivan Fratric. This copies the xmlDoc,
		10	calls xsltCleanupSourceDoc() to remove pvsi fields, then adds the
		11	xmlDoc to tctxt->docList.
		12	- Add error handling for functions that may return NULL.
		13	* libxslt/transform.c:
		14	- Remove static keyword so this can be called from
		15	xsltDocumentFunctionLoadDocument().
		16	* libxslt/transformInternals.h: Add.
		17	(xsltCleanupSourceDoc): Add declaration.
		18
		19	Fixes #139.
		20
		21	CVE: CVE-2025-7424
		22	Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libxslt/-/issues/139]
		23	Signed-off-by: Ross Burton <ross.burton@arm.com>
		24	---
		25	libxslt/functions.c \| 16 +++++++++++++++-
		26	libxslt/transform.c \| 3 ++-
		27	libxslt/transformInternals.h \| 9 +++++++++
		28	3 files changed, 26 insertions(+), 2 deletions(-)
		29	create mode 100644 libxslt/transformInternals.h
		30
		31	diff --git a/libxslt/functions.c b/libxslt/functions.c
		32	index 72a58dc4..11ec039f 100644
		33	--- a/libxslt/functions.c
		34	+++ b/libxslt/functions.c
		35	@@ -34,6 +34,7 @@
		36	#include "numbersInternals.h"
		37	#include "keys.h"
		38	#include "documents.h"
		39	+#include "transformInternals.h"
		40
		41	#ifdef WITH_XSLT_DEBUG
		42	#define WITH_XSLT_DEBUG_FUNCTION
		43	@@ -125,7 +126,20 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt,
		44	/*
		45	* This selects the stylesheet's doc itself.
		46	*/
		47	- doc = tctxt->style->doc;
		48	+ doc = xmlCopyDoc(tctxt->style->doc, 1);
		49	+ if (doc == NULL) {
		50	+ xsltTransformError(tctxt, NULL, NULL,
		51	+ "document() : failed to copy style doc\n");
		52	+ goto out_fragment;
		53	+ }
		54	+ xsltCleanupSourceDoc(doc); /* Remove psvi fields. */
		55	+ idoc = xsltNewDocument(tctxt, doc);
		56	+ if (idoc == NULL) {
		57	+ xsltTransformError(tctxt, NULL, NULL,
		58	+ "document() : failed to create xsltDocument\n");
		59	+ xmlFreeDoc(doc);
		60	+ goto out_fragment;
		61	+ }
		62	} else {
		63	goto out_fragment;
		64	}
		65	diff --git a/libxslt/transform.c b/libxslt/transform.c
		66	index 54ef821b..38c2dce6 100644
		67	--- a/libxslt/transform.c
		68	+++ b/libxslt/transform.c
		69	@@ -43,6 +43,7 @@
		70	#include "xsltlocale.h"
		71	#include "pattern.h"
		72	#include "transform.h"
		73	+#include "transformInternals.h"
		74	#include "variables.h"
		75	#include "numbersInternals.h"
		76	#include "namespaces.h"
		77	@@ -5757,7 +5758,7 @@ xsltCountKeys(xsltTransformContextPtr ctxt)
		78	*
		79	* Resets source node flags and ids stored in 'psvi' member.
		80	*/
		81	-static void
		82	+void
		83	xsltCleanupSourceDoc(xmlDocPtr doc) {
		84	xmlNodePtr cur = (xmlNodePtr) doc;
		85	void **psviPtr;
		86	diff --git a/libxslt/transformInternals.h b/libxslt/transformInternals.h
		87	new file mode 100644
		88	index 00000000..d0f42823
		89	--- /dev/null
		90	+++ b/libxslt/transformInternals.h
		91	@@ -0,0 +1,9 @@
		92	+/*
		93	+ * Summary: set of internal interfaces for the XSLT engine transformation part.
		94	+ *
		95	+ * Copy: See Copyright for the status of this software.
		96	+ *
		97	+ * Author: David Kilzer <ddkilzer@apple.com>
		98	+ */
		99	+
		100	+void xsltCleanupSourceDoc(xmlDocPtr doc);
		101	--
		102	2.39.5 (Apple Git-154)
		103


diff --git a/meta/recipes-support/libxslt/libxslt_1.1.43.bb b/meta/recipes-support/libxslt/libxslt_1.1.43.bb index d251fa8122..e08e92085d 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.43.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.43.bb
@@ -13,7 +13,8 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
13	SECTION = "libs"	13	SECTION = "libs"
14	DEPENDS = "libxml2"	14	DEPENDS = "libxml2"
15		15
16	SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz"	16	SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \
		17	file://gnome-libxslt-bug-139-apple-fix.diff"
17		18
18	SRC_URI[sha256sum] = "5a3d6b383ca5afc235b171118e90f5ff6aa27e9fea3303065231a6d403f0183a"	19	SRC_URI[sha256sum] = "5a3d6b383ca5afc235b171118e90f5ff6aa27e9fea3303065231a6d403f0183a"
19		20