CVE-2024-55549.patch

@@ -1,45 +0,0 @@
-From 46041b65f2fbddf5c284ee1a1332fa2c515c0515 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Thu, 5 Dec 2024 12:43:19 +0100
-Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
-
-Definitions of excluded namespaces could be deleted in
-xsltParseTemplateContent. Store excluded namespace URIs in the
-stylesheet's dictionary instead of referencing the namespace definition.
-
-Thanks to Ivan Fratric for the report!
-
-Fixes #127.
----
- libxslt/xslt.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/libxslt/xslt.c b/libxslt/xslt.c
-index 22fdb758..6532f976 100644
---- a/libxslt/xslt.c
-+++ b/libxslt/xslt.c
-@@ -147,10 +147,20 @@ xsltParseContentError(xsltStylesheetPtr style,
-  * in case of error
-  */
- static int
--exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
-+exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
- {
-+    xmlChar *value;
-     int i;
- 
-+    /*
-+     * orig can come from a namespace definition on a node which
-+     * could be deleted later, for example in xsltParseTemplateContent.
-+     * Store the string in stylesheet's dict to avoid use after free.
-+     */
-+    value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
-+    if (value == NULL)
-+        return(-1);
-+
-     /* do not push duplicates */
-     for (i = 0;i < style->exclPrefixNr;i++) {
-         if (xmlStrEqual(style->exclPrefixTab[i], value))
--- 
-GitLab
-

CVE-2025-24855.patch

@@ -1,130 +0,0 @@
-From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Tue, 17 Dec 2024 15:56:21 +0100
-Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node
-
-There are several places where the XPath context node isn't restored
-after modifying it, leading to use-after-free errors with nested XPath
-evaluations and dynamically allocated context nodes.
-
-Restore XPath context node in
-
-- xsltNumberFormatGetValue
-- xsltEvalXPathPredicate
-- xsltEvalXPathStringNs
-- xsltComputeSortResultInternal
-
-In some places, the transformation context node was saved and restored
-which shouldn't be necessary.
-
-Thanks to Ivan Fratric for the report!
-
-Fixes #128.
----
- libxslt/numbers.c   | 5 +++++
- libxslt/templates.c | 9 ++++++---
- libxslt/xsltutils.c | 4 ++--
- 3 files changed, 13 insertions(+), 5 deletions(-)
-
-diff --git a/libxslt/numbers.c b/libxslt/numbers.c
-index 0e1fa136..741124d1 100644
---- a/libxslt/numbers.c
-+++ b/libxslt/numbers.c
-@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
-     int amount = 0;
-     xmlBufferPtr pattern;
-     xmlXPathObjectPtr obj;
-+    xmlNodePtr oldNode;
- 
-     pattern = xmlBufferCreate();
-     if (pattern != NULL) {
-+        oldNode = context->node;
-+
- 	xmlBufferCCat(pattern, "number(");
- 	xmlBufferCat(pattern, value);
- 	xmlBufferCCat(pattern, ")");
-@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
- 	    xmlXPathFreeObject(obj);
- 	}
- 	xmlBufferFree(pattern);
-+
-+        context->node = oldNode;
-     }
-     return amount;
- }
-diff --git a/libxslt/templates.c b/libxslt/templates.c
-index f08b9bda..1c8d96e2 100644
---- a/libxslt/templates.c
-+++ b/libxslt/templates.c
-@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
-     int oldNsNr;
-     xmlNsPtr *oldNamespaces;
-     xmlNodePtr oldInst;
-+    xmlNodePtr oldNode;
-     int oldProximityPosition, oldContextSize;
- 
-     if ((ctxt == NULL) || (ctxt->inst == NULL)) {
-@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
-         return(0);
-     }
- 
-+    oldNode = ctxt->xpathCtxt->node;
-     oldContextSize = ctxt->xpathCtxt->contextSize;
-     oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
-     oldNsNr = ctxt->xpathCtxt->nsNr;
-@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
- 	ctxt->state = XSLT_STATE_STOPPED;
- 	ret = 0;
-     }
--    ctxt->xpathCtxt->nsNr = oldNsNr;
- 
-+    ctxt->xpathCtxt->node = oldNode;
-+    ctxt->xpathCtxt->nsNr = oldNsNr;
-     ctxt->xpathCtxt->namespaces = oldNamespaces;
-     ctxt->inst = oldInst;
-     ctxt->xpathCtxt->contextSize = oldContextSize;
-@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
-     }
- 
-     oldInst = ctxt->inst;
--    oldNode = ctxt->node;
-+    oldNode = ctxt->xpathCtxt->node;
-     oldPos = ctxt->xpathCtxt->proximityPosition;
-     oldSize = ctxt->xpathCtxt->contextSize;
-     oldNsNr = ctxt->xpathCtxt->nsNr;
-@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
- 	 "xsltEvalXPathString: returns %s\n", ret));
- #endif
-     ctxt->inst = oldInst;
--    ctxt->node = oldNode;
-+    ctxt->xpathCtxt->node = oldNode;
-     ctxt->xpathCtxt->contextSize = oldSize;
-     ctxt->xpathCtxt->proximityPosition = oldPos;
-     ctxt->xpathCtxt->nsNr = oldNsNr;
-diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
-index 0e9dc62f..a20da961 100644
---- a/libxslt/xsltutils.c
-+++ b/libxslt/xsltutils.c
-@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
- 	return(NULL);
-     }
- 
--    oldNode = ctxt->node;
-     oldInst = ctxt->inst;
-+    oldNode = ctxt->xpathCtxt->node;
-     oldPos = ctxt->xpathCtxt->proximityPosition;
-     oldSize = ctxt->xpathCtxt->contextSize;
-     oldNsNr = ctxt->xpathCtxt->nsNr;
-@@ -1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
- 	    results[i] = NULL;
- 	}
-     }
--    ctxt->node = oldNode;
-     ctxt->inst = oldInst;
-+    ctxt->xpathCtxt->node = oldNode;
-     ctxt->xpathCtxt->contextSize = oldSize;
-     ctxt->xpathCtxt->proximityPosition = oldPos;
-     ctxt->xpathCtxt->nsNr = oldNsNr;
--- 
-GitLab
-

libxslt.spec

@@ -1,14 +1,12 @@
 Name:     libxslt
-Version:  1.1.39
-Release:  3
+Version:  1.1.37
+Release:  1
 Summary:  XSLT Transformation Library
 License:  MIT
-URL:      https://gitlab.gnome.org/GNOME/libxslt
-Source0:  https://download.gnome.org/sources/%{name}/1.1/%{name}-%{version}.tar.xz
+URL:      http://xmlsoft.org/libxslt/
+Source0:  https://github.com/GNOME/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # PATCH-FIX-UPSTREAM bug-fix https://github.com/GNOME/libxslt/
 Patch0: CVE-2015-9019.patch
-Patch1: CVE-2024-55549.patch
-Patch2: CVE-2025-24855.patch
 
 BuildRequires: gcc make libtool autoconf automake libgcrypt-devel pkgconfig(libxml-2.0) >= 2.6.27
 
@@ -69,7 +67,7 @@ pushd $RPM_BUILD_ROOT/%{_includedir}/%{name}; touch -m --reference=xslt.h ../../
 
 %files
 %defattr(-,root,root)
-%doc NEWS README.md FEATURES AUTHORS
+%doc NEWS README FEATURES AUTHORS
 %license Copyright
 %{_bindir}/xsltproc
 %{_libdir}/libxslt.so.*
@@ -98,31 +96,10 @@ pushd $RPM_BUILD_ROOT/%{_includedir}/%{name}; touch -m --reference=xslt.h ../../
 %files help
 %doc %{_docdir}/%{name}
 %doc %{_mandir}/man3/*
-%exclude %{_docdir}/%{name}/{NEWS,README.md,FEATURES,AUTHORS}
+%exclude %{_docdir}/%{name}/{NEWS,README,FEATURES,AUTHORS}
 %exclude %{_docdir}/../licenses/libxslt/Copyright
 
 %changelog
-* Thu Mar 13 2025 Funda Wang <fundawang@yeah.net> - 1.1.39-3
-- fix CVE-2024-55549 CVE-2025-24855
-
-* Thu Oct 17 2024 fuanan <fuanan3@h-partners.com> - 1.1.39-2
-- Type:bugfix
-- ID:NA
-- SUG:NA
-- DESC:Resolve file conflict issues
-
-* Fri Dec 15 2023 fuanan <fuanan3@h-partners.com> - 1.1.39-1
-- Type:enhancement
-- ID:NA
-- SUG:NA
-- DESC:update version to 1.1.39
-
-* Thu Jul 13 2023 fuanan <fuanan3@h-partners.com> - 1.1.38-1
-- Type:enhancement
-- ID:NA
-- SUG:NA
-- DESC:update version to 1.1.38
-
 * Sat Nov 05 2022 shixuantong <shixuantong1@huawei.com> - 1.1.37-1
 - Type:bugfix
 - ID:NA

libxslt.yaml

@@ -1,5 +1,4 @@
-version_control: git
-src_repo: https://gitlab.gnome.org/GNOME/libxslt
+version_control: github
+src_repo: GNOME/libxslt
 tag_prefix: ^v
-separator: .
-git_url: https://gitlab.gnome.org/GNOME/libxslt
+seperator: .