Patch libxslt for CVE-2025-7424

Author: azurelinux-security

SPECS/libxslt/CVE-2025-7424.patch

@@ -0,0 +1,103 @@
+From a0c908f1f8970d9f10bbd39888d175a61871690e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Iv=C3=A1n=20Chavero?= <[email protected]>
+Date: Mon, 24 Nov 2025 01:05:00 -0600
+Subject: [PATCH] Fix Type confusion in xmlNode.psvi between stylesheet and
+ source nodes
+
+* libxslt/functions.c:
+(xsltDocumentFunctionLoadDocument):
+- Implement fix suggested by Ivan Fratric.  This copies the xmlDoc,
+  calls xsltCleanupSourceDoc() to remove pvsi fields, then adds the
+  xmlDoc to tctxt->docList.
+- Add error handling for functions that may return NULL.
+* libxslt/transform.c:
+- Remove static keyword so this can be called from
+  xsltDocumentFunctionLoadDocument().
+* libxslt/transformInternals.h: Add.
+(xsltCleanupSourceDoc): Add declaration.
+
+Original author: David Kilzer <[email protected]>
+
+Fixes: #139 CVE-2025-7424
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: https://github.com/GNOME/libxslt/commit/f6f7f59998c0642b395ba07e5a30e68866df277d.patch
+---
+ libxslt/functions.c          | 16 +++++++++++++++-
+ libxslt/transform.c          |  3 ++-
+ libxslt/transformInternals.h |  9 +++++++++
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+ create mode 100644 libxslt/transformInternals.h
+
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index 72a58dc..11ec039 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -34,6 +34,7 @@
+ #include "numbersInternals.h"
+ #include "keys.h"
+ #include "documents.h"
++#include "transformInternals.h"
+ 
+ #ifdef WITH_XSLT_DEBUG
+ #define WITH_XSLT_DEBUG_FUNCTION
+@@ -125,7 +126,20 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt,
+ 	    /*
+ 	    * This selects the stylesheet's doc itself.
+ 	    */
+-	    doc = tctxt->style->doc;
++	    doc = xmlCopyDoc(tctxt->style->doc, 1);
++	    if (doc == NULL) {
++		xsltTransformError(tctxt, NULL, NULL,
++		    "document() : failed to copy style doc\n");
++		goto out_fragment;
++	    }
++	    xsltCleanupSourceDoc(doc); /* Remove psvi fields. */
++	    idoc = xsltNewDocument(tctxt, doc);
++	    if (idoc == NULL) {
++		xsltTransformError(tctxt, NULL, NULL,
++		    "document() : failed to create xsltDocument\n");
++		xmlFreeDoc(doc);
++		goto out_fragment;
++	    }
+ 	} else {
+             goto out_fragment;
+ 	}
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 54ef821..38c2dce 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -43,6 +43,7 @@
+ #include "xsltlocale.h"
+ #include "pattern.h"
+ #include "transform.h"
++#include "transformInternals.h"
+ #include "variables.h"
+ #include "numbersInternals.h"
+ #include "namespaces.h"
+@@ -5757,7 +5758,7 @@ xsltCountKeys(xsltTransformContextPtr ctxt)
+  *
+  * Resets source node flags and ids stored in 'psvi' member.
+  */
+-static void
++void
+ xsltCleanupSourceDoc(xmlDocPtr doc) {
+     xmlNodePtr cur = (xmlNodePtr) doc;
+     void **psviPtr;
+diff --git a/libxslt/transformInternals.h b/libxslt/transformInternals.h
+new file mode 100644
+index 0000000..d0f4282
+--- /dev/null
++++ b/libxslt/transformInternals.h
+@@ -0,0 +1,9 @@
++/*
++ * Summary: set of internal interfaces for the XSLT engine transformation part.
++ *
++ * Copy: See Copyright for the status of this software.
++ *
++ * Author: David Kilzer <[email protected]>
++ */
++
++void xsltCleanupSourceDoc(xmlDocPtr doc);
+-- 
+2.45.4
+

SPECS/libxslt/libxslt.spec

@@ -2,13 +2,14 @@
 Summary:        Libxslt is the XSLT C library developed for the GNOME project. XSLT is a an XML language to define transformation for XML.
 Name:           libxslt
 Version:        1.1.43
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/General Libraries
 URL:            http://xmlsoft.org/libxslt/
 Source0:        https://download.gnome.org/sources/libxslt/%{majminorver}/%{name}-%{version}.tar.xz
+Patch0:         CVE-2025-7424.patch
 BuildRequires:  libgcrypt-devel
 BuildRequires:  libxml2-devel
 Requires:       libgcrypt
@@ -76,6 +77,9 @@ make %{?_smp_mflags} check
 
 
 %changelog
+* Thu Nov 27 2025 Azure Linux Security Servicing Account <[email protected]> - 1.1.43-2
+- Patch for CVE-2025-7424
+
 * Tue Mar 18 2025 Sindhu Karri <[email protected]> - 1.1.43-1
 - Upgrade to version 1.1.43 to fix CVE-2024-55549 and CVE-2025-24855
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -225,7 +225,7 @@ libgpg-error-1.48-1.azl3.aarch64.rpm
 libgcrypt-1.10.3-1.azl3.aarch64.rpm
 libksba-1.6.4-1.azl3.aarch64.rpm
 libksba-devel-1.6.4-1.azl3.aarch64.rpm
-libxslt-1.1.43-1.azl3.aarch64.rpm
+libxslt-1.1.43-2.azl3.aarch64.rpm
 npth-1.6-4.azl3.aarch64.rpm
 pinentry-1.2.1-1.azl3.aarch64.rpm
 gnupg2-2.4.7-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -225,7 +225,7 @@ libgpg-error-1.48-1.azl3.x86_64.rpm
 libgcrypt-1.10.3-1.azl3.x86_64.rpm
 libksba-1.6.4-1.azl3.x86_64.rpm
 libksba-devel-1.6.4-1.azl3.x86_64.rpm
-libxslt-1.1.43-1.azl3.x86_64.rpm
+libxslt-1.1.43-2.azl3.x86_64.rpm
 npth-1.6-4.azl3.x86_64.rpm
 pinentry-1.2.1-1.azl3.x86_64.rpm
 gnupg2-2.4.7-1.azl3.x86_64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -245,9 +245,9 @@ libxcrypt-devel-4.4.36-2.azl3.aarch64.rpm
 libxml2-2.11.5-7.azl3.aarch64.rpm
 libxml2-debuginfo-2.11.5-7.azl3.aarch64.rpm
 libxml2-devel-2.11.5-7.azl3.aarch64.rpm
-libxslt-1.1.43-1.azl3.aarch64.rpm
-libxslt-debuginfo-1.1.43-1.azl3.aarch64.rpm
-libxslt-devel-1.1.43-1.azl3.aarch64.rpm
+libxslt-1.1.43-2.azl3.aarch64.rpm
+libxslt-debuginfo-1.1.43-2.azl3.aarch64.rpm
+libxslt-devel-1.1.43-2.azl3.aarch64.rpm
 lua-5.4.6-1.azl3.aarch64.rpm
 lua-debuginfo-5.4.6-1.azl3.aarch64.rpm
 lua-devel-5.4.6-1.azl3.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -253,9 +253,9 @@ libxml2-devel-2.11.5-7.azl3.x86_64.rpm
 libxcrypt-4.4.36-2.azl3.x86_64.rpm
 libxcrypt-debuginfo-4.4.36-2.azl3.x86_64.rpm
 libxcrypt-devel-4.4.36-2.azl3.x86_64.rpm
-libxslt-1.1.43-1.azl3.x86_64.rpm
-libxslt-debuginfo-1.1.43-1.azl3.x86_64.rpm
-libxslt-devel-1.1.43-1.azl3.x86_64.rpm
+libxslt-1.1.43-2.azl3.x86_64.rpm
+libxslt-debuginfo-1.1.43-2.azl3.x86_64.rpm
+libxslt-devel-1.1.43-2.azl3.x86_64.rpm
 lua-5.4.6-1.azl3.x86_64.rpm
 lua-debuginfo-5.4.6-1.azl3.x86_64.rpm
 lua-devel-5.4.6-1.azl3.x86_64.rpm