Bug 34113 - libxslt new security issues CVE-2024-55549 and CVE-2025-24855
Summary: libxslt new security issues CVE-2024-55549 and CVE-2025-24855
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-03-17 16:55 CET by Nicolas Salguero
Modified: 2025-03-22 18:54 CET (History)
4 users

See Also:
Source RPM: libxslt-1.1.38-1.mga9.src.rpm
CVE: CVE-2024-55549, CVE-2025-24855
Status comment: Fixed upstream in 1.1.43 and patches available from upstream and openSUSE


Attachments
Differences from current spec on mageia 9 (967 bytes, patch)
2025-03-17 19:09 CET, katnatek

Nicolas Salguero 2025-03-17 16:56:21 CET

CVE: (none) => CVE-2024-55549, CVE-2025-24855
Source RPM: (none) => libxslt-1.1.38-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.1.43 and patches available from upstream and openSUSE

Comment 1 katnatek 2025-03-17 18:55:52 CET
Working on this
Comment 2 katnatek 2025-03-17 19:09:16 CET
Created attachment 14900 [details]
Differences from current spec on mageia 9

I used to remove information in patches "not related" to the changes, but it works as downloaded from gitlab. If it's fine for you, I'll send the changes.
katnatek 2025-03-17 19:09:44 CET

CC: (none) => j.alberto.vc

katnatek 2025-03-17 19:11:47 CET

Attachment 14900 description: Differences from current spec on mageia 8 => Differences from current spec on mageia 9

Comment 3 Lewis Smith 2025-03-19 08:39:50 CET
Unsure where to assign this. DavidG normally updates the pkg (and has already put version 1.1.43 in Cauldron), so assigning to you. If katnatek helps - so much the better, and thank you.

Assignee: bugsquad => geiger.david68210

Comment 4 Nicolas Salguero 2025-03-19 14:35:52 CET
(In reply to katnatek from comment #2)
> Created attachment 14900 [details]
> Differences from current spec on mageia 9
> 
> I used to remove information in patches "not related" to the changes, but It
> works as is downloaded from gitlab, if it's fine for you, I'll send the
> changes

Hi,

I think it is fine.

Best regards,

Nico.
Comment 5 katnatek 2025-03-19 17:23:17 CET
@David I send the build of the changes
Comment 6 katnatek 2025-03-19 18:22:50 CET
Packages:

lib(64)exslt0-1.1.38-1.1.mga9
lib(64)xslt-devel-1.1.38-1.1.mga9
lib(64)xslt1-1.1.38-1.1.mga9
python3-libxslt-1.1.38-1.1.mga9
xsltproc-1.1.38-1.1.mga9

SRPM:
libxslt-1.1.38-1.1.mga9

Assignee: geiger.david68210 => qa-bugs

katnatek 2025-03-19 19:29:29 CET

Keywords: (none) => advisory

Comment 7 katnatek 2025-03-20 18:34:55 CET
RH x86_64

Test for CVE-2024-55549

xsltproc main.xsl
compilation error: file main.xsl line 4 element template
xsl:template: need to specify match or name attribute


installing lib64xslt1-1.1.38-1.1.mga9.x86_64.rpm xsltproc-1.1.38-1.1.mga9.x86_64.rpm lib64exslt0-1.1.38-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: lib64xslt1            ##################################################################################################
      2/3: lib64exslt0           ##################################################################################################
      3/3: xsltproc              ##################################################################################################
      1/3: removing xsltproc-1.1.38-1.mga9.x86_64
                                 ##################################################################################################
      2/3: removing lib64exslt0-1.1.38-1.mga9.x86_64
                                 ##################################################################################################
      3/3: removing lib64xslt1-1.1.38-1.mga9.x86_64
                                 ##################################################################################################


xsltproc main.xsl
compilation error: file main.xsl line 4 element template
xsl:template: need to specify match or name attribute

Follow the procedure at https://wiki.mageia.org/en/QA_procedure:Libxslt

 xsltproc cdcatalog.xsl cdcatalog.xml
<html><body>
<h2>My CD Collection</h2>
<table border="1">
<tr bgcolor="#9acd32">
<th style="text-align:left">Title</th>
<th style="text-align:left">Artist</th>
</tr>
<tr>
<td>Empire Burlesque</td>
<td>Bob Dylan</td>
</tr>
<tr>
<td>Hide your heart</td>
<td>Bonnie Tyler</td>
</tr>
<tr>
<td>Greatest Hits</td>
<td>Dolly Parton</td>
</tr>
<tr>
<td>Still got the blues</td>
<td>Gary Moore</td>
</tr>
<tr>
<td>Eros</td>
<td>Eros Ramazzotti</td>
</tr>
<tr>
<td>One night only</td>
<td>Bee Gees</td>
</tr>
<tr>
<td>Sylvias Mother</td>
<td>Dr.Hook</td>
</tr>
<tr>
<td>Maggie May</td>
<td>Rod Stewart</td>
</tr>
<tr>
<td>Romanza</td>
<td>Andrea Bocelli</td>
</tr>
<tr>
<td>When a man loves a woman</td>
<td>Percy Sledge</td>
</tr>
<tr>
<td>Black angel</td>
<td>Savage Rose</td>
</tr>
<tr>
<td>1999 Grammy Nominees</td>
<td>Many</td>
</tr>
<tr>
<td>For the good times</td>
<td>Kenny Rogers</td>
</tr>
<tr>
<td>Big Willie style</td>
<td>Will Smith</td>
</tr>
<tr>
<td>Tupelo Honey</td>
<td>Van Morrison</td>
</tr>
<tr>
<td>Soulsville</td>
<td>Jorn Hoel</td>
</tr>
<tr>
<td>The very best of</td>
<td>Cat Stevens</td>
</tr>
<tr>
<td>Stop</td>
<td>Sam Brown</td>
</tr>
<tr>
<td>Bridge of Spies</td>
<td>T`Pau</td>
</tr>
<tr>
<td>Private Dancer</td>
<td>Tina Turner</td>
</tr>
<tr>
<td>Midt om natten</td>
<td>Kim Larsen</td>
</tr>
<tr>
<td>Pavarotti Gala Concert</td>
<td>Luciano Pavarotti</td>
</tr>
<tr>
<td>The dock of the bay</td>
<td>Otis Redding</td>
</tr>
<tr>
<td>Picture book</td>
<td>Simply Red</td>
</tr>
<tr>
<td>Red</td>
<td>The Communards</td>
</tr>
<tr>
<td>Unchain my heart</td>
<td>Joe Cocker</td>
</tr>
</table>

 LC_ALL=C urpmi python3-libxslt


installing python3-libxslt-1.1.38-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-libxslt       ##################################################################################################

Had to run
2to3 libxml_xslt_transform_example.py -w
because the example in the wiki was failing.

Now python libxml_xslt_transform_example.py produces the same output as xsltproc cdcatalog.xsl cdcatalog.xml

I don't have issues in chromium with the test from http://tantek.com/XHTML/Test/,
but http://greenbytes.de/tech/tc/xslt/ has some issues; that could be the page, though.
Comment 8 Herman Viaene 2025-03-22 11:52:34 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Followed QA-procedure and downloaded test files from bug 20760.
$ xsltproc cdcatalog.xsl cdcatalog.xml
<html><body>
<h2>My CD Collection</h2>
<table border="1">
<tr bgcolor="#9acd32">
<th>Title</th>
<th>Artist</th>
</tr>
<tr>
<td>Empire Burlesque</td>
<td>Bob Dylan</td>
</tr>
</table>
</body></html>
On hint from katnatek above
$ 2to3 libxml_xslt_transform_example.py -w
RefactoringTool: Skipping optional fixer: buffer
RefactoringTool: Skipping optional fixer: idioms
RefactoringTool: Skipping optional fixer: set_literal
RefactoringTool: Skipping optional fixer: ws_comma
RefactoringTool: Refactored libxml_xslt_transform_example.py
--- libxml_xslt_transform_example.py    (original)
+++ libxml_xslt_transform_example.py    (refactored)
@@ -44,7 +44,7 @@
     doc.freeDoc()
     result.freeDoc()
 
-    print result_xml
+    print(result_xml)
 
 if __name__=="__main__":
     xslt_transform()
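Review bot: the only thing 2to3 refactored in this hunk is `print result_xml` → `print(result_xml)`, and it reports no other modified file, so the wiki's example script is otherwise already valid Python 3; fixing that single line in the wiki example would spare every tester the 2to3 step, which depends on lib2to3, deprecated since Python 3.11 and removed in Python 3.13, so the hint in comment 7 will stop working on newer interpreters.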
RefactoringTool: Files that were modified:
RefactoringTool: libxml_xslt_transform_example.py

$ python libxml_xslt_transform_example.py
<html><body>
<h2>My CD Collection</h2>
<table border="1">
<tr bgcolor="#9acd32">
<th>Title</th>
<th>Artist</th>
</tr>
<tr>
<td>Empire Burlesque</td>
<td>Bob Dylan</td>
</tr>
</table>
</body></html>

Tested chromium with link from QA-procedure; all OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
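The xsltproc step of the QA procedure used in comments 7 and 8 can be scripted so it is repeatable across testers. The script below is an added example; it is not part of the bug report, of the Mageia QA wiki, or of libxslt itself. It assumes `xsltproc` is on PATH; the two-entry cdcatalog.xml and cdcatalog.xsl it writes are constructed here and only mimic the wiki's test files, and the function names (`make_fixture`, `transform_rows`, `linked_libxslt`) are this example's own. One caveat worth keeping in mind, since Mageia shipped the fix as patches on top of 1.1.38 rather than by moving to 1.1.43: the library number reported by `xsltproc --version` (10138 for 1.1.38) is the same before and after a backported fix, so the package release (1.1.38-1.1.mga9 here) is what tells you whether the fixed build is installed, not the library version.

```shell
#!/bin/sh
# Added example, not from the bug report, the Mageia QA wiki or libxslt.
# Assumes: xsltproc on PATH. The catalogue and stylesheet below are
# constructed here (two entries) and only mimic the wiki's cdcatalog files.

# Write the fixture files into a fresh temporary directory and print its path.
make_fixture() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/cdcatalog.xml" <<'EOF'
<?xml version="1.0"?>
<catalog>
  <cd><title>Empire Burlesque</title><artist>Bob Dylan</artist></cd>
  <cd><title>Hide your heart</title><artist>Bonnie Tyler</artist></cd>
</catalog>
EOF
    cat > "$dir/cdcatalog.xsl" <<'EOF'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html"/>
<xsl:template match="/">
<table>
<xsl:for-each select="catalog/cd">
<tr><td><xsl:value-of select="title"/></td><td><xsl:value-of select="artist"/></td></tr>
</xsl:for-each>
</table>
</xsl:template>
</xsl:stylesheet>
EOF
    printf '%s\n' "$dir"
}

# Run the transform with network fetches disabled (--nonet) and count the
# <tr> rows emitted; the fixture should yield one row per <cd>, i.e. 2.
transform_rows() {
    xsltproc --nonet "$1/cdcatalog.xsl" "$1/cdcatalog.xml" \
        | grep -o '<tr>' | wc -l | tr -d ' '
}

# Report the libxslt build number xsltproc is linked against (e.g. 10138
# for 1.1.38). A patched and an unpatched 1.1.38 print the same number,
# which is why the package release, not this value, proves the update.
linked_libxslt() {
    xsltproc --version 2>&1 \
        | sed -n 's/.*libxslt \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Stand-alone run: print the linked library and the smoke-test result.
main() {
    if ! command -v xsltproc >/dev/null 2>&1; then
        echo "xsltproc not installed; nothing to test" >&2
        return 1
    fi
    echo "linked libxslt: $(linked_libxslt)"
    d=$(make_fixture) || return 1
    rows=$(transform_rows "$d")
    echo "rows from fixture: $rows (expected 2)"
    [ -n "$d" ] && rm -rf "$d"
    [ "$rows" = "2" ]
}

# Report but do not abort, so the functions stay usable when this file is sourced.
main "$@" || :
```

`--nonet` stops xsltproc from fetching DTDs, entities or documents over the network during the transform, which is a sensible default for any stylesheet or input you did not write yourself, and it keeps the smoke test deterministic on a machine without network access.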

Comment 9 Thomas Andrews 2025-03-22 14:53:55 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 10 Mageia Robot 2025-03-22 18:54:18 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0110.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

