Bug 2352484 (CVE-2024-55549)

Summary: CVE-2024-55549 libxslt: Use-After-Free in libxslt (xsltGetInheritedNsList)
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: caswilli, deckberg, kaycoth, marc.lautier, sardella
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in libxslt. This vulnerability allows an attacker to trigger a use-after-free issue by excluding result prefixes.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2352513, 2352515, 2352516, 2352522, 2352514, 2352517, 2352518, 2352519, 2352520, 2352521    
Bug Blocks:    

Description OSIDB Bzimport 2025-03-14 02:01:03 UTC 
xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.
Comment 3 errata-xmlrpc 2025-04-07 01:24:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:3613 https://access.redhat.com/errata/RHSA-2025:3613
Comment 4 errata-xmlrpc 2025-04-07 01:30:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:3614 https://access.redhat.com/errata/RHSA-2025:3614
Comment 5 errata-xmlrpc 2025-04-07 01:31:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:3612 https://access.redhat.com/errata/RHSA-2025:3612
Comment 6 errata-xmlrpc 2025-04-07 01:45:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:3615 https://access.redhat.com/errata/RHSA-2025:3615
Comment 7 errata-xmlrpc 2025-04-07 01:59:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:3619 https://access.redhat.com/errata/RHSA-2025:3619
Comment 8 errata-xmlrpc 2025-04-07 02:14:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2025:3626 https://access.redhat.com/errata/RHSA-2025:3626
Comment 9 errata-xmlrpc 2025-04-07 02:14:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:3625 https://access.redhat.com/errata/RHSA-2025:3625
Comment 10 errata-xmlrpc 2025-04-07 02:16:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:3624 https://access.redhat.com/errata/RHSA-2025:3624
Comment 11 errata-xmlrpc 2025-04-07 06:36:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:3627 https://access.redhat.com/errata/RHSA-2025:3627
Comment 12 errata-xmlrpc 2025-04-21 01:33:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:4025 https://access.redhat.com/errata/RHSA-2025:4025
Comment 13 errata-xmlrpc 2025-04-22 15:29:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:4098 https://access.redhat.com/errata/RHSA-2025:4098
Comment 14 Marc LAUTIER 2025-04-25 18:18:52 UTC 
Since applying this update on RHEL9 (libxslt-1.1.34-9.el9_5.2.x86_64), libxslt coredumps immediately upon reading an XSL excluding more than 2 namespaces (and issue an error when excluding 2).

To reproduce, run xsltproc command with the following XSL:
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        xmlns:fo="http://www.w3.org/1999/XSL/Format"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        exclude-result-prefixes="xsl fo xs">
</xsl:stylesheet>

Output:
realloc failed !
Segmentation fault (core dumped)
Comment 15 Norman Sardella 2025-04-26 10:49:46 UTC 
I tried build the 6.14 kernel with libxslt-1.1.34-9.el9_5.2.x86_64 under RHEL 9
Hit realloc failures during build of kernel docs with xml

434570.676644] xsltproc[1425048]: segfault at 0 ip 00007f99c3842f4d sp 00007ffc939cb3b0 error 4 in libxslt.so.1.1.34[ef4d,7f99c383e000+2a000] likely on CPU 0 (core 0, socket 0)
[434570.678118] Code: ba 00 00 00 45 31 ed eb 17 0f 1f 40 00 8b 83 38 01 00 00 49 83 c5 01 44 39 e8 0f 8e 9e 00 00 00 48 8b 83 30 01 00 00 4c 89 e6 <4a> 8b 3c e8 e8 1a c8 ff ff 85 c0 74 d6 48 8b 44 24 08 48 89 ef ff
Comment 17 deckberg 2025-04-28 17:45:42 UTC 
We are having the same problem as Marc LAUTIER.  We had to roll back to libxslt-1.1.34-9.el9_5.1.x86_64 and it immediately fixed the issue.  We have several exclude-result-prefixes in our code and are getting a Segmentation fault (core dumped).
Comment 18 Marc LAUTIER 2025-04-28 19:42:26 UTC 
The rpm libxslt-1.1.34-9.el9_5.3.x86_64 that was made available earlier today fixes the issue for me.

Thanks for the quick fix.
Comment 19 errata-xmlrpc 2025-05-08 19:55:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:4422 https://access.redhat.com/errata/RHSA-2025:4422
Comment 20 errata-xmlrpc 2025-05-09 04:31:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:4427 https://access.redhat.com/errata/RHSA-2025:4427
Comment 21 errata-xmlrpc 2025-05-09 04:33:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:4431 https://access.redhat.com/errata/RHSA-2025:4431
Comment 22 errata-xmlrpc 2025-05-13 11:53:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7410 https://access.redhat.com/errata/RHSA-2025:7410
Comment 23 errata-xmlrpc 2025-05-13 15:59:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7496 https://access.redhat.com/errata/RHSA-2025:7496
Comment 24 errata-xmlrpc 2025-05-15 00:44:34 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:4731 https://access.redhat.com/errata/RHSA-2025:4731
Comment 25 errata-xmlrpc 2025-05-15 16:34:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2025:4677 https://access.redhat.com/errata/RHSA-2025:4677
Comment 26 errata-xmlrpc 2025-05-21 14:06:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:7702 https://access.redhat.com/errata/RHSA-2025:7702
Comment 27 errata-xmlrpc 2025-06-05 09:36:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:8303 https://access.redhat.com/errata/RHSA-2025:8303