Skip to content

[AutoPR- Security] Patch libxslt for CVE-2025-11731 [LOW] #15147

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: 3.0-dev
Choose a base branch
from
Open

[AutoPR- Security] Patch libxslt for CVE-2025-11731 [LOW] #15147

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions SPECS/libxslt/CVE-2025-11731.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
From 126a8478361719176d26b87eaf487aa858fd5d6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= <[email protected]>
Date: Wed, 27 Aug 2025 14:28:40 +0300
Subject: [PATCH] End function node ancestor search at document

Avoids dereferencing a non-existent ->ns property on an
XML_DOCUMENT_NODE pointer.

Fixes #151.

Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
Upstream-reference: https://gitlab.gnome.org/GNOME/libxslt/-/merge_requests/78.patch
---
libexslt/functions.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/libexslt/functions.c b/libexslt/functions.c
index 8d35a7a..a54ee70 100644
--- a/libexslt/functions.c
+++ b/libexslt/functions.c
@@ -617,8 +617,13 @@ exsltFuncResultComp (xsltStylesheetPtr style, xmlNodePtr inst,
* instanciation of a func:result element.
*/
for (test = inst->parent; test != NULL; test = test->parent) {
- if (IS_XSLT_ELEM(test) &&
- IS_XSLT_NAME(test, "stylesheet")) {
+ if (/* Traversal has reached the top-level document without
+ * finding a func:function ancestor. */
+ (test != NULL && test->type == XML_DOCUMENT_NODE) ||
+ /* Traversal reached a stylesheet-namespace node,
+ * and has left the function namespace. */
+ (IS_XSLT_ELEM(test) &&
+ IS_XSLT_NAME(test, "stylesheet"))) {
xsltGenericError(xsltGenericErrorContext,
"func:result element not a descendant "
"of a func:function\n");
--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/libxslt/libxslt.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,14 @@
Summary: Libxslt is the XSLT C library developed for the GNOME project. XSLT is a an XML language to define transformation for XML.
Name: libxslt
Version: 1.1.43
Release: 1%{?dist}
Release: 2%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
Group: System Environment/General Libraries
URL: http://xmlsoft.org/libxslt/
Source0: https://download.gnome.org/sources/libxslt/%{majminorver}/%{name}-%{version}.tar.xz
Patch0: CVE-2025-11731.patch
BuildRequires: libgcrypt-devel
BuildRequires: libxml2-devel
Requires: libgcrypt
Expand Down Expand Up @@ -76,6 +77,9 @@ make %{?_smp_mflags} check


%changelog
* Fri Nov 21 2025 Azure Linux Security Servicing Account <[email protected]> - 1.1.43-2
- Patch for CVE-2025-11731

* Tue Mar 18 2025 Sindhu Karri <[email protected]> - 1.1.43-1
- Upgrade to version 1.1.43 to fix CVE-2024-55549 and CVE-2025-24855

Expand Down
2 changes: 1 addition & 1 deletion toolkit/resources/manifests/package/pkggen_core_aarch64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -225,7 +225,7 @@ libgpg-error-1.48-1.azl3.aarch64.rpm
libgcrypt-1.10.3-1.azl3.aarch64.rpm
libksba-1.6.4-1.azl3.aarch64.rpm
libksba-devel-1.6.4-1.azl3.aarch64.rpm
libxslt-1.1.43-1.azl3.aarch64.rpm
libxslt-1.1.43-2.azl3.aarch64.rpm
npth-1.6-4.azl3.aarch64.rpm
pinentry-1.2.1-1.azl3.aarch64.rpm
gnupg2-2.4.7-1.azl3.aarch64.rpm
Expand Down
2 changes: 1 addition & 1 deletion toolkit/resources/manifests/package/pkggen_core_x86_64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -225,7 +225,7 @@ libgpg-error-1.48-1.azl3.x86_64.rpm
libgcrypt-1.10.3-1.azl3.x86_64.rpm
libksba-1.6.4-1.azl3.x86_64.rpm
libksba-devel-1.6.4-1.azl3.x86_64.rpm
libxslt-1.1.43-1.azl3.x86_64.rpm
libxslt-1.1.43-2.azl3.x86_64.rpm
npth-1.6-4.azl3.x86_64.rpm
pinentry-1.2.1-1.azl3.x86_64.rpm
gnupg2-2.4.7-1.azl3.x86_64.rpm
Expand Down
6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/toolchain_aarch64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -245,9 +245,9 @@ libxcrypt-devel-4.4.36-2.azl3.aarch64.rpm
libxml2-2.11.5-7.azl3.aarch64.rpm
libxml2-debuginfo-2.11.5-7.azl3.aarch64.rpm
libxml2-devel-2.11.5-7.azl3.aarch64.rpm
libxslt-1.1.43-1.azl3.aarch64.rpm
libxslt-debuginfo-1.1.43-1.azl3.aarch64.rpm
libxslt-devel-1.1.43-1.azl3.aarch64.rpm
libxslt-1.1.43-2.azl3.aarch64.rpm
libxslt-debuginfo-1.1.43-2.azl3.aarch64.rpm
libxslt-devel-1.1.43-2.azl3.aarch64.rpm
lua-5.4.6-1.azl3.aarch64.rpm
lua-debuginfo-5.4.6-1.azl3.aarch64.rpm
lua-devel-5.4.6-1.azl3.aarch64.rpm
Expand Down
6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/toolchain_x86_64.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -253,9 +253,9 @@ libxml2-devel-2.11.5-7.azl3.x86_64.rpm
libxcrypt-4.4.36-2.azl3.x86_64.rpm
libxcrypt-debuginfo-4.4.36-2.azl3.x86_64.rpm
libxcrypt-devel-4.4.36-2.azl3.x86_64.rpm
libxslt-1.1.43-1.azl3.x86_64.rpm
libxslt-debuginfo-1.1.43-1.azl3.x86_64.rpm
libxslt-devel-1.1.43-1.azl3.x86_64.rpm
libxslt-1.1.43-2.azl3.x86_64.rpm
libxslt-debuginfo-1.1.43-2.azl3.x86_64.rpm
libxslt-devel-1.1.43-2.azl3.x86_64.rpm
lua-5.4.6-1.azl3.x86_64.rpm
lua-debuginfo-5.4.6-1.azl3.x86_64.rpm
lua-devel-5.4.6-1.azl3.x86_64.rpm
Expand Down
Loading