libxslt: Fix CVE-2025-11731

Backport patch [1] to fix CVE-2025-11731. [1] fe508f201e (From OE-Core rev: 7196077d84cc8d49652b0d6b54963df579ab1a0b) Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-01 13:58:04 +00:00 · 2025-12-23 15:19:51 +08:00 · 2025-12-23 15:19:51 +08:00 · 33cffc4716
commit 33cffc4716
parent df858d86ed
2 changed files with 43 additions and 0 deletions
--- a/meta/recipes-support/libxslt/libxslt/CVE-2025-11731.patch
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2025-11731.patch
@ -0,0 +1,42 @@
+From fe508f201efb9ea37bfbe95413b8b28251497de3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= <drott@chromium.org>
+Date: Wed, 27 Aug 2025 14:28:40 +0300
+Subject: [PATCH] End function node ancestor search at document
+
+Avoids dereferencing a non-existent ->ns property on an
+XML_DOCUMENT_NODE pointer.
+
+Fixes #151.
+
+CVE: CVE-2025-11731
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/fe508f201efb9ea37bfbe95413b8b28251497de3]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ libexslt/functions.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libexslt/functions.c b/libexslt/functions.c
+index 8d35a7ae..a54ee70c 100644
+--- a/libexslt/functions.c
+++ b/libexslt/functions.c
+@@ -617,8 +617,13 @@ exsltFuncResultComp (xsltStylesheetPtr style, xmlNodePtr inst,
+      * instanciation of a func:result element.
+      */
+     for (test = inst->parent; test != NULL; test = test->parent) {
+-	if (IS_XSLT_ELEM(test) &&
+-	    IS_XSLT_NAME(test, "stylesheet")) {
+	if (/* Traversal has reached the top-level document without
+         * finding a func:function ancestor. */
+        (test != NULL && test->type == XML_DOCUMENT_NODE) ||
+        /* Traversal reached a stylesheet-namespace node,
+         * and has left the function namespace. */
+        (IS_XSLT_ELEM(test) &&
+         IS_XSLT_NAME(test, "stylesheet"))) {
+ 	    xsltGenericError(xsltGenericErrorContext,
+ 			     "func:result element not a descendant "
+ 			     "of a func:function\n");
+-- 
+2.34.1
+
--- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@ -22,6 +22,7 @@ SRC_URI = "${GNOME_MIRROR}/libxslt/1.1/libxslt-${PV}.tar.xz \
           file://CVE-2023-40403-004.patch \
           file://CVE-2023-40403-005.patch \
           file://CVE-2025-7424.patch \
+           file://CVE-2025-11731.patch \
          "

 SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"