Overview

File libxslt-CVE-2024-55549.patch of Package libxslt.38004

From 46041b65f2fbddf5c284ee1a1332fa2c515c0515 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Thu, 5 Dec 2024 12:43:19 +0100
Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces

Definitions of excluded namespaces could be deleted in
xsltParseTemplateContent. Store excluded namespace URIs in the
stylesheet's dictionary instead of referencing the namespace definition.

Thanks to Ivan Fratric for the report!

Fixes #127.
---
 libxslt/xslt.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

Index: libxslt-1.1.34/libxslt/xslt.c
===================================================================
--- libxslt-1.1.34.orig/libxslt/xslt.c
+++ libxslt-1.1.34/libxslt/xslt.c
@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr
  * in case of error
  */
 static int
-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
 {
+    xmlChar *value;
     int i;
 
+    /*
+     * orig can come from a namespace definition on a node which
+     * could be deleted later, for example in xsltParseTemplateContent.
+     * Store the string in stylesheet's dict to avoid use after free.
+     */
+    value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
+    if (value == NULL)
+        return(-1);
+
     if (style->exclPrefixMax == 0) {
         style->exclPrefixMax = 4;
         style->exclPrefixTab =
openSUSE Build Service is sponsored by
Places