Version in base suite: 1.1.35-1 Base version: libxslt_1.1.35-1 Target version: libxslt_1.1.35-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libx/libxslt/libxslt_1.1.35-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libx/libxslt/libxslt_1.1.35-1+deb12u1.dsc changelog | 9 patches/0012-CVE-2024-55549-Fix-UAF-related-to-excluded-namespace.patch | 43 +++ patches/0013-CVE-2025-24855-Fix-use-after-free-of-XPath-context-n.patch | 133 ++++++++++ patches/series | 2 4 files changed, 187 insertions(+)
diff -Nru libxslt-1.1.35/debian/changelog libxslt-1.1.35/debian/changelog
--- libxslt-1.1.35/debian/changelog 2022-07-15 13:29:07.000000000 +0000
+++ libxslt-1.1.35/debian/changelog 2025-03-15 13:53:42.000000000 +0000
@@ -1,3 +1,12 @@
+libxslt (1.1.35-1+deb12u1) bookworm-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix UAF related to excluded namespaces (CVE-2024-55549) (Closes: #1100565)
+ * Fix use-after-free of XPath context node (CVE-2025-24855)
+ (Closes: #1100566)
+
+ -- Salvatore Bonaccorso Sat, 15 Mar 2025 14:53:42 +0100
+
 libxslt (1.1.35-1) unstable; urgency=medium
 * Team upload.
diff -Nru libxslt-1.1.35/debian/patches/0012-CVE-2024-55549-Fix-UAF-related-to-excluded-namespace.patch libxslt-1.1.35/debian/patches/0012-CVE-2024-55549-Fix-UAF-related-to-excluded-namespace.patch
--- libxslt-1.1.35/debian/patches/0012-CVE-2024-55549-Fix-UAF-related-to-excluded-namespace.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxslt-1.1.35/debian/patches/0012-CVE-2024-55549-Fix-UAF-related-to-excluded-namespace.patch 2025-03-15 13:53:42.000000000 +0000
@@ -0,0 +1,43 @@
+From: Nick Wellnhofer
+Date: Thu, 5 Dec 2024 12:43:19 +0100
+Subject: [CVE-2024-55549] Fix UAF related to excluded namespaces
+Origin: https://gitlab.gnome.org/GNOME/libxslt/-/commit/46041b65f2fbddf5c284ee1a1332fa2c515c0515
+Bug-Debian: https://bugs.debian.org/1100565
+Bug: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-55549
+
+Definitions of excluded namespaces could be deleted in
+xsltParseTemplateContent. Store excluded namespace URIs in the
+stylesheet's dictionary instead of referencing the namespace definition.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #127.
+---
+ libxslt/xslt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr
+ * in case of error
+ */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
++exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
++ xmlChar *value;
+ int i;
+
++ /*
++ * orig can come from a namespace definition on a node which
++ * could be deleted later, for example in xsltParseTemplateContent.
++ * Store the string in stylesheet's dict to avoid use after free.
++ */
++ value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
++ if (value == NULL)
++ return(-1);
++
+ if (style->exclPrefixMax == 0) {
+ style->exclPrefixMax = 4;
+ style->exclPrefixTab =
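Review bot: The pointer returned by `xmlDictLookup` is a `const xmlChar *` owned by `style->dict`, yet the new line casts it to `xmlChar *` and stores it in `exclPrefixTab`, and nothing in the hunk records that these entries must never be written through or freed — that ownership rule is what keeps this fix from trading the use-after-free for an invalid free or dict corruption. I would extend the new comment with `* The interned string is owned by style->dict; exclPrefixTab entries must not be modified or freed.` The function also gains a failure mode the old code did not have: it now returns -1 when the lookup yields NULL, which as far as I recall xmlDictLookup does for a NULL dict or a NULL `orig` as well as on allocation failure, so the callers that push excluded prefixes (outside this hunk) should be confirmed to treat -1 as an error rather than continuing with a partially built table. The rest of exclPrefixPush and the `Returns` line of its doc comment lie outside the hunk and should mention the new interning.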
@@ -0,0 +1,133 @@
+From: Nick Wellnhofer
+Date: Tue, 17 Dec 2024 15:56:21 +0100
+Subject: [CVE-2025-24855] Fix use-after-free of XPath context node
+Origin: https://gitlab.gnome.org/GNOME/libxslt/-/commit/c7c7f1f78dd202a053996fcefe57eb994aec8ef2
+Bug-Debian: https://bugs.debian.org/1100566
+Bug: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-24855
+
+There are several places where the XPath context node isn't restored
+after modifying it, leading to use-after-free errors with nested XPath
+evaluations and dynamically allocated context nodes.
+
+Restore XPath context node in
+
+- xsltNumberFormatGetValue
+- xsltEvalXPathPredicate
+- xsltEvalXPathStringNs
+- xsltComputeSortResultInternal
+
+In some places, the transformation context node was saved and restored
+which shouldn't be necessary.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #128.
+---
+ libxslt/numbers.c | 5 +++++
+ libxslt/templates.c | 9 ++++++---
+ libxslt/xsltutils.c | 4 ++--
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 0e1fa1368413..741124d1a7cf 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+ int amount = 0;
+ xmlBufferPtr pattern;
+ xmlXPathObjectPtr obj;
++ xmlNodePtr oldNode;
+
+ pattern = xmlBufferCreate();
+ if (pattern != NULL) {
++ oldNode = context->node;
++
+ xmlBufferCCat(pattern, "number(");
+ xmlBufferCat(pattern, value);
+ xmlBufferCCat(pattern, ")");
+@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+ xmlXPathFreeObject(obj);
+ }
+ xmlBufferFree(pattern);
++
++ context->node = oldNode;
+ }
+ return amount;
+ }
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index f08b9bda418f..1c8d96e26e95 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
+@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt,
xmlXPathCompExprPtr comp,
+ int oldNsNr;
+ xmlNsPtr *oldNamespaces;
+ xmlNodePtr oldInst;
++ xmlNodePtr oldNode;
+ int oldProximityPosition, oldContextSize;
+
+ if ((ctxt == NULL) || (ctxt->inst == NULL)) {
+@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ return(0);
+ }
+
++ oldNode = ctxt->xpathCtxt->node;
+ oldContextSize = ctxt->xpathCtxt->contextSize;
+ oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
+ oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ ctxt->state = XSLT_STATE_STOPPED;
+ ret = 0;
+ }
+- ctxt->xpathCtxt->nsNr = oldNsNr;
+
++ ctxt->xpathCtxt->node = oldNode;
++ ctxt->xpathCtxt->nsNr = oldNsNr;
+ ctxt->xpathCtxt->namespaces = oldNamespaces;
+ ctxt->inst = oldInst;
+ ctxt->xpathCtxt->contextSize = oldContextSize;
+@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ }
+
+ oldInst = ctxt->inst;
+- oldNode = ctxt->node;
++ oldNode = ctxt->xpathCtxt->node;
+ oldPos = ctxt->xpathCtxt->proximityPosition;
+ oldSize = ctxt->xpathCtxt->contextSize;
+ oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ "xsltEvalXPathString: returns %s\n", ret));
+ #endif
+ ctxt->inst = oldInst;
+- ctxt->node = oldNode;
++ ctxt->xpathCtxt->node = oldNode;
+ ctxt->xpathCtxt->contextSize = oldSize;
+ ctxt->xpathCtxt->proximityPosition = oldPos;
+ ctxt->xpathCtxt->nsNr = oldNsNr;
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 0e9dc62f5fc3..a20da9618228 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
+@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ return(NULL);
+ }
+
+- oldNode = ctxt->node;
+ oldInst = ctxt->inst;
++ oldNode = ctxt->xpathCtxt->node;
+ oldPos = ctxt->xpathCtxt->proximityPosition;
+ oldSize =
ctxt->xpathCtxt->contextSize;
+ oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ results[i] = NULL;
+ }
+ }
+- ctxt->node = oldNode;
+ ctxt->inst = oldInst;
++ ctxt->xpathCtxt->node = oldNode;
+ ctxt->xpathCtxt->contextSize = oldSize;
+ ctxt->xpathCtxt->proximityPosition = oldPos;
+ ctxt->xpathCtxt->nsNr = oldNsNr;
+--
+2.47.2
+
diff -Nru libxslt-1.1.35/debian/patches/series libxslt-1.1.35/debian/patches/series
--- libxslt-1.1.35/debian/patches/series 2022-04-09 12:38:57.000000000 +0000
+++ libxslt-1.1.35/debian/patches/series 2025-03-15 13:53:42.000000000 +0000
@@ -3,3 +3,5 @@
 0003-remove-plugin-in-xslt-config.patch
 0004-do-not-clean-manpage.patch
 0005-Drop-libdir-and-static-linking-information-from-xslt.patch
+0012-CVE-2024-55549-Fix-UAF-related-to-excluded-namespace.patch
+0013-CVE-2025-24855-Fix-use-after-free-of-XPath-context-n.patch
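Review bot: Each new `xpathCtxt->node = oldNode` restore sits only on the single exit path at the tail of its function, so the fix is complete only if nothing between the save and that tail returns early; the bodies of xsltEvalXPathPredicate, xsltEvalXPathStringNs and xsltComputeSortResultInternal are almost entirely outside this hunk, and any `return` in them would still leave `xpathCtxt->node` pointing at a node a nested evaluation may have freed. None of the restore lines says why it is there, which matters for a lifetime fix; I would put `/* A nested evaluation may have left xpathCtxt->node pointing at a dynamically allocated node that is freed before we return; restore the caller's node. */` above the first one in templates.c. Dropping the `ctxt->node` save/restore in xsltEvalXPathStringNs and xsltComputeSortResultInternal is only behaviour-preserving if the intervening code (not visible here) never assigns `ctxt->node`; the commit message asserts that, but the hunk cannot show it, so it is worth a glance at the full functions when backporting. The enclosing functions start and end outside the hunk.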