[MEDIUM] Patch libxslt for CVE-2025-7424 (#15254)

Author: archana25-ms

SPECS/libxslt/CVE-2025-7424.patch

@@ -0,0 +1,99 @@
+From f6f7f59998c0642b395ba07e5a30e68866df277d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Iv=C3=A1n=20Chavero?= <ichavero@chavero.com.mx>
+Date: Mon, 24 Nov 2025 01:05:00 -0600
+Subject: [PATCH] Fix Type confusion in xmlNode.psvi between stylesheet and
+ source nodes
+
+* libxslt/functions.c:
+(xsltDocumentFunctionLoadDocument):
+- Implement fix suggested by Ivan Fratric.  This copies the xmlDoc,
+  calls xsltCleanupSourceDoc() to remove pvsi fields, then adds the
+  xmlDoc to tctxt->docList.
+- Add error handling for functions that may return NULL.
+* libxslt/transform.c:
+- Remove static keyword so this can be called from
+  xsltDocumentFunctionLoadDocument().
+* libxslt/transformInternals.h: Add.
+(xsltCleanupSourceDoc): Add declaration.
+
+Original author: David Kilzer <ddkilzer@apple.com>
+
+Fixes: #139 CVE-2025-7424
+Upstream Patch Reference: https://gitlab.gnome.org/GNOME/libxslt/-/commit/f6f7f59998c0642b395ba07e5a30e68866df277d.patch
+---
+ libxslt/functions.c          | 16 +++++++++++++++-
+ libxslt/transform.c          |  3 ++-
+ libxslt/transformInternals.h |  9 +++++++++
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+ create mode 100644 libxslt/transformInternals.h
+
+diff --git a/libxslt/functions.c b/libxslt/functions.c
+index dd8bf7a..e821e3c 100644
+--- a/libxslt/functions.c
++++ b/libxslt/functions.c
+@@ -41,6 +41,7 @@
+ #include "numbersInternals.h"
+ #include "keys.h"
+ #include "documents.h"
++#include "transformInternals.h"
+ 
+ #ifdef WITH_XSLT_DEBUG
+ #define WITH_XSLT_DEBUG_FUNCTION
+@@ -152,7 +153,20 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt, xmlChar* URI)
+ 	    /*
+ 	    * This selects the stylesheet's doc itself.
+ 	    */
+-	    doc = tctxt->style->doc;
++	    doc = xmlCopyDoc(tctxt->style->doc, 1);
++	    if (doc == NULL) {
++		xsltTransformError(tctxt, NULL, NULL,
++		    "document() : failed to copy style doc\n");
++		goto out_fragment;
++	    }
++	    xsltCleanupSourceDoc(doc); /* Remove psvi fields. */
++	    idoc = xsltNewDocument(tctxt, doc);
++	    if (idoc == NULL) {
++		xsltTransformError(tctxt, NULL, NULL,
++		    "document() : failed to create xsltDocument\n");
++		xmlFreeDoc(doc);
++		goto out_fragment;
++	    }
+ 	} else {
+ 	    valuePush(ctxt, xmlXPathNewNodeSet(NULL));
+ 
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index e79a9ac..e11f8df 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -42,6 +42,7 @@
+ #include "xsltutils.h"
+ #include "pattern.h"
+ #include "transform.h"
++#include "transformInternals.h"
+ #include "variables.h"
+ #include "numbersInternals.h"
+ #include "namespaces.h"
+@@ -5750,7 +5751,7 @@ xsltCountKeys(xsltTransformContextPtr ctxt)
+  *
+  * Resets source node flags and ids stored in 'psvi' member.
+  */
+-static void
++void
+ xsltCleanupSourceDoc(xmlDocPtr doc) {
+     xmlNodePtr cur = (xmlNodePtr) doc;
+     void **psviPtr;
+diff --git a/libxslt/transformInternals.h b/libxslt/transformInternals.h
+new file mode 100644
+index 0000000..d0f4282
+--- /dev/null
++++ b/libxslt/transformInternals.h
+@@ -0,0 +1,9 @@
++/*
++ * Summary: set of internal interfaces for the XSLT engine transformation part.
++ *
++ * Copy: See Copyright for the status of this software.
++ *
++ * Author: David Kilzer <ddkilzer@apple.com>
++ */
++
++void xsltCleanupSourceDoc(xmlDocPtr doc);

SPECS/libxslt/libxslt-source-node-extra-data-infra.patch

@@ -0,0 +1,256 @@
+From adebe45f6ef9f9d036acacd8aec7411d4ea84e25 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 31 Aug 2022 15:29:57 +0200
+Subject: [PATCH] Infrastructure to store extra data in source nodes
+
+Provide a mechanism to store bit flags in nodes from the source
+document. This will later be used to store key and id status.
+
+Provide a function to find the psvi member of a node.
+
+Revert any changes to the source document after the transformation.
+Upstream Patch Reference: https://gitlab.gnome.org/GNOME/libxslt/-/commit/adebe45f6ef9f9d036acacd8aec7411d4ea84e25
+---
+ libxslt/transform.c     |  34 ++++++++++
+ libxslt/xsltInternals.h |   1 +
+ libxslt/xsltutils.c     | 135 ++++++++++++++++++++++++++++++++++++++++
+ libxslt/xsltutils.h     |  13 ++++
+ 4 files changed, 183 insertions(+)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index cb43bb47..512eb024 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -5746,6 +5746,37 @@ xsltCountKeys(xsltTransformContextPtr ctxt)
+     return(ctxt->nbKeys);
+ }
+ 
++/**
++ * xsltCleanupSourceDoc:
++ * @doc:  Document
++ *
++ * Resets source node flags and ids stored in 'psvi' member.
++ */
++static void
++xsltCleanupSourceDoc(xmlDocPtr doc) {
++    xmlNodePtr cur = (xmlNodePtr) doc;
++    void **psviPtr;
++
++    while (1) {
++        xsltClearSourceNodeFlags(cur, XSLT_SOURCE_NODE_MASK);
++        psviPtr = xsltGetPSVIPtr(cur);
++        if (psviPtr)
++            *psviPtr = NULL;
++
++        if (cur->children != NULL && cur->type != XML_ENTITY_REF_NODE) {
++            cur = cur->children;
++        } else {
++            while (cur->next == NULL) {
++                cur = cur->parent;
++                if (cur == (xmlNodePtr) doc)
++                    return;
++            }
++
++            cur = cur->next;
++        }
++    }
++}
++
+ /**
+  * xsltApplyStylesheetInternal:
+  * @style:  a parsed XSLT stylesheet
+@@ -6144,6 +6175,9 @@ xsltApplyStylesheetInternal(xsltStylesheetPtr style, xmlDocPtr doc,
+     printf("# Reused variables     : %d\n", ctxt->cache->dbgReusedVars);
+ #endif
+ 
++    if (ctxt->sourceDocDirty)
++        xsltCleanupSourceDoc(doc);
++
+     if ((ctxt != NULL) && (userCtxt == NULL))
+ 	xsltFreeTransformContext(ctxt);
+ 
+diff --git a/libxslt/xsltInternals.h b/libxslt/xsltInternals.h
+index 14343d27..b0125c21 100644
+--- a/libxslt/xsltInternals.h
++++ b/libxslt/xsltInternals.h
+@@ -1786,6 +1786,7 @@ struct _xsltTransformContext {
+     int maxTemplateVars;
+     unsigned long opLimit;
+     unsigned long opCount;
++    int sourceDocDirty;
+ };
+ 
+ /**
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index f352ca1b..9f0feb53 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
+@@ -1834,6 +1834,141 @@ xsltSaveResultToString(xmlChar **doc_txt_ptr, int * doc_txt_len,
+     return 0;
+ }
+ 
++/**
++ * xsltGetSourceNodeFlags:
++ * @node:  Node from source document
++ *
++ * Returns the flags for a source node.
++ */
++int
++xsltGetSourceNodeFlags(xmlNodePtr node) {
++    /*
++     * Squeeze the bit flags into the upper bits of
++     *
++     * - 'int properties' member in struct _xmlDoc
++     * - 'xmlAttributeType atype' member in struct _xmlAttr
++     * - 'unsigned short extra' member in struct _xmlNode
++     */
++    switch (node->type) {
++        case XML_DOCUMENT_NODE:
++        case XML_HTML_DOCUMENT_NODE:
++            return ((xmlDocPtr) node)->properties >> 27;
++
++        case XML_ATTRIBUTE_NODE:
++            return ((xmlAttrPtr) node)->atype >> 27;
++
++        case XML_ELEMENT_NODE:
++        case XML_TEXT_NODE:
++        case XML_CDATA_SECTION_NODE:
++        case XML_PI_NODE:
++        case XML_COMMENT_NODE:
++            return node->extra >> 12;
++
++        default:
++            return 0;
++    }
++}
++
++/**
++ * xsltSetSourceNodeFlags:
++ * @node:  Node from source document
++ * @flags:  Flags
++ *
++ * Sets the specified flags to 1.
++ *
++ * Returns 0 on success, -1 on error.
++ */
++int
++xsltSetSourceNodeFlags(xsltTransformContextPtr ctxt, xmlNodePtr node,
++                       int flags) {
++    if (node->doc == ctxt->initialContextDoc)
++        ctxt->sourceDocDirty = 1;
++
++    switch (node->type) {
++        case XML_DOCUMENT_NODE:
++        case XML_HTML_DOCUMENT_NODE:
++            ((xmlDocPtr) node)->properties |= flags << 27;
++            return 0;
++
++        case XML_ATTRIBUTE_NODE:
++            ((xmlAttrPtr) node)->atype |= flags << 27;
++            return 0;
++
++        case XML_ELEMENT_NODE:
++        case XML_TEXT_NODE:
++        case XML_CDATA_SECTION_NODE:
++        case XML_PI_NODE:
++        case XML_COMMENT_NODE:
++            node->extra |= flags << 12;
++            return 0;
++
++        default:
++            return -1;
++    }
++}
++
++/**
++ * xsltClearSourceNodeFlags:
++ * @node:  Node from source document
++ * @flags:  Flags
++ *
++ * Sets the specified flags to 0.
++ *
++ * Returns 0 on success, -1 on error.
++ */
++int
++xsltClearSourceNodeFlags(xmlNodePtr node, int flags) {
++    switch (node->type) {
++        case XML_DOCUMENT_NODE:
++        case XML_HTML_DOCUMENT_NODE:
++            ((xmlDocPtr) node)->properties &= ~(flags << 27);
++            return 0;
++
++        case XML_ATTRIBUTE_NODE:
++            ((xmlAttrPtr) node)->atype &= ~(flags << 27);
++            return 0;
++
++        case XML_ELEMENT_NODE:
++        case XML_TEXT_NODE:
++        case XML_CDATA_SECTION_NODE:
++        case XML_PI_NODE:
++        case XML_COMMENT_NODE:
++            node->extra &= ~(flags << 12);
++            return 0;
++
++        default:
++            return -1;
++    }
++}
++
++/**
++ * xsltGetPSVIPtr:
++ * @cur:  Node
++ *
++ * Returns a pointer to the psvi member of a node or NULL on error.
++ */
++void **
++xsltGetPSVIPtr(xmlNodePtr cur) {
++    switch (cur->type) {
++        case XML_DOCUMENT_NODE:
++        case XML_HTML_DOCUMENT_NODE:
++            return &((xmlDocPtr) cur)->psvi;
++
++        case XML_ATTRIBUTE_NODE:
++            return &((xmlAttrPtr) cur)->psvi;
++
++        case XML_ELEMENT_NODE:
++        case XML_TEXT_NODE:
++        case XML_CDATA_SECTION_NODE:
++        case XML_PI_NODE:
++        case XML_COMMENT_NODE:
++            return &cur->psvi;
++
++        default:
++            return NULL;
++    }
++}
++
+ #ifdef WITH_PROFILER
+ 
+ /************************************************************************
+diff --git a/libxslt/xsltutils.h b/libxslt/xsltutils.h
+index 7a12f7b3..65ef78e0 100644
+--- a/libxslt/xsltutils.h
++++ b/libxslt/xsltutils.h
+@@ -244,6 +244,19 @@ XSLTPUBFUN xmlXPathCompExprPtr XSLTCALL
+ 						 const xmlChar *str,
+ 						 int flags);
+ 
++#ifdef IN_LIBXSLT
++#define XSLT_SOURCE_NODE_MASK       15
++int
++xsltGetSourceNodeFlags(xmlNodePtr node);
++int
++xsltSetSourceNodeFlags(xsltTransformContextPtr ctxt, xmlNodePtr node,
++                       int flags);
++int
++xsltClearSourceNodeFlags(xmlNodePtr node, int flags);
++void **
++xsltGetPSVIPtr(xmlNodePtr cur);
++#endif
++
+ /*
+  * Profiling.
+  */
+-- 
+GitLab
+

SPECS/libxslt/libxslt.spec

@@ -1,7 +1,7 @@
 Summary:        Libxslt is the XSLT C library developed for the GNOME project. XSLT is a an XML language to define transformation for XML.
 Name:           libxslt
 Version:        1.1.34
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -14,6 +14,8 @@ Patch1:         CVE-2022-29824.nopatch
 Patch2:         CVE-2024-55549.patch
 Patch3:         CVE-2025-24855.patch
 Patch4:         CVE-2025-11731.patch
+Patch5:         libxslt-source-node-extra-data-infra.patch
+Patch6:         CVE-2025-7424.patch
 BuildRequires:  libgcrypt-devel
 BuildRequires:  libxml2-devel
 Requires:       libgcrypt
@@ -77,6 +79,9 @@ make %{?_smp_mflags} check
 %{_mandir}/man3/*
 
 %changelog
+* Thu Dec 18 2025 Archana Shettigar <v-shettigara@microsoft.com> - 1.1.34-10
+- Patch for CVE-2025-7424
+
 * Fri Nov 21 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.1.34-9
 - Patch for CVE-2025-11731
 

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -218,7 +218,7 @@ libgpg-error-1.46-1.cm2.aarch64.rpm
 libgcrypt-1.10.3-1.cm2.aarch64.rpm
 libksba-1.6.3-1.cm2.aarch64.rpm
 libksba-devel-1.6.3-1.cm2.aarch64.rpm
-libxslt-1.1.34-9.cm2.aarch64.rpm
+libxslt-1.1.34-10.cm2.aarch64.rpm
 npth-1.6-4.cm2.aarch64.rpm
 pinentry-1.2.0-1.cm2.aarch64.rpm
 gnupg2-2.4.0-2.cm2.aarch64.rpm