libxslt

Because libxslt has long-unfixed vulnerabilities and because
it has EXPIRATION DATE: 2025-09-12, is there any substitute?
I cannot delete it because:
Code:
Installed packages to be REMOVED:
    aqualung: 1.2_8
    consolekit2: 1.2.6_5
    gimp3-app: 3.0.4
    gstreamer1-plugins-pulse: 1.26.3
    hplip: 3.24.4_2
    hplip-plugin: 3.24.4
    inkscape: 1.4.2_1
    inkscape-open-symbols: 1.2.1_1
    liblrdf: 0.6.1
    libreoffice: 25.2.5.2_2
    libxslt: 1.1.43_1
    pulseaudio: 17.0_3
    py311-lxml5: 5.4.0_2
    py311-qt5-pyqt: 5.15.11_2
    py311-qt6-pyqt: 6.9.1
    py311-qt6-webengine: 6.9.0_1
    qt5-speech: 5.15.17p1
    qt6-multimedia: 6.9.1
    qt6-speech: 6.9.1
    qt6-webengine: 6.9.1_1
    qutebrowser: 3.5.1
    raptor2: 2.0.16_5
    rasqal: 0.9.33_2
    redland: 1.0.17_6
    speech-dispatcher: 0.12.1
    xmlsec1: 1.3.6_1

Number of packages to be removed: 26

Thank you.
 
Why worry about it? Even if there is some vulnerability, most likely it will not cause problems for you on your home PC.
To "launch" a vulnerability, you need to fulfill the appropriate conditions and create an executable environment for the implementation of the vulnerability.
Thus, the PC must be either infected, pre-filled with "bookmarks", or somehow compromised.
There are no viruses in FreeBSD, no bookmarks; you install software from authorized, verified and competent repositories, etc.
 
It is a problem with the port. This is not the first time. I remember webkit, which was updated after two or more years. Those are problems. And lately I feel safer on Haiku than on FreeBSD.
 
Find the email of the person who maintains the port. Give him a link to this topic. Let him work.
I don't think we should bother with such trifles. I often see on this forum that some "gaps" in security occur, but it is the IMPLEMENTATION of such bugs that, as a rule, does NOT lead to a compromise of the system.
 
You can delete a package without deleting the packages that depend on it with # pkg delete -f libxslt, but that would probably break the packages that depend on it.
 
The fatal problem is that I cannot find any alternative at all.

Someone possibly needs to fix it upstream or create a brand-new alternative with complete API (and hopefully ABI) compatibility. But it's not me; it's clearly beyond me.
 
The upstream (GNOME) libxslt has been without a maintainer. I'm not sure "FreeBSD" can deal with these CVEs in this situation. But it looks as if upstream will make progress now: https://gitlab.gnome.org/GNOME/libxslt/-/issues/150#note_2507409
As libxslt has plenty of software depending upon it, fixing it upstream should be preferred rather than doing it on the FreeBSD side. And it's good news that a new volunteer wants to pop in to fix it upstream. Glad to know.
 
The same problem: many dependencies in server software on textproc/xmlto, textproc/minixmlto and textproc/libxslt.
 
and nginx!

I'm surprised it went this far.

The problem is not in XSLT either; the problem is in the lib.

Actually, from what I read, it's as if XSLT as a whole is somehow "outdated".

Why is this "outdated" thing still in GIMP, Inkscape, LibreOffice, PulseAudio?

And why is this provided by a suddenly insecure lib only?

It's as if devs suddenly went "oooh f, we need to remove it"?

Never mind that users can't use GIMP anymore. So the GIMP port will be removed? I mean upstream too. I hope not and that they get it out. But funnily, they use it!

So yeah, I'm completely mind-boggled by the fact that modern code depends on an old insecure lib in 2025 and there's a sudden hurry after it broke for real now.

wtf...

Actually this is not the only port that lots of other ports require and which has no alternatives either.
 
How much of a hurry to fix a vulnerability depends, even if it's categorized as "critical".
If the vuln requires physical access with root privilege to the very computer to be attacked, no worries / hurries if the very computer is "physically" and properly "managed not to be physically touched by anyone other than its admin and allowed users".

On the other hand, even if the vuln is categorized as "low", if the vuln can be abused quite easily without any privileges (i.e., privilege escalation vulns) AND via network AND no workaround is available, it should be fixed or its use stopped immediately.

If there is an easy and promising workaround, applying it would allow actual fixes to take years / decades / centuries or more.

And I don't actually know how much of a hurry we should be in for this case for now.
 
Debian fix: http://deb.debian.org/debian/pool/main/libx/libxslt/libxslt_1.1.43-0.2.debian.tar.xz

Diff:
[22:08:45] [linsux!root]/usr/ports/textproc/libxslt#cat files/patch-gnome-libxslt-bug-139-apple-fix.diff
From 345d6826d0eae6f0a962456b8ed6f6a1bad0877d Mon Sep 17 00:00:00 2001
From: David Kilzer <ddkilzer@apple.com>
Date: Sat, 24 May 2025 15:06:42 -0700
Subject: [PATCH] libxslt: Type confusion in xmlNode.psvi between stylesheet
 and source nodes

* libxslt/functions.c:
(xsltDocumentFunctionLoadDocument):
- Implement fix suggested by Ivan Fratric.  This copies the xmlDoc,
  calls xsltCleanupSourceDoc() to remove pvsi fields, then adds the
  xmlDoc to tctxt->docList.
- Add error handling for functions that may return NULL.
* libxslt/transform.c:
- Remove static keyword so this can be called from
  xsltDocumentFunctionLoadDocument().
* libxslt/transformInternals.h: Add.
(xsltCleanupSourceDoc): Add declaration.

Fixes #139.
---
 libxslt/functions.c          | 16 +++++++++++++++-
 libxslt/transform.c          |  3 ++-
 libxslt/transformInternals.h |  9 +++++++++
 3 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 libxslt/transformInternals.h

diff --git a/libxslt/functions.c b/libxslt/functions.c
index 72a58dc4..11ec039f 100644
--- libxslt/functions.c.orig
+++ libxslt/functions.c
@@ -34,6 +34,7 @@
 #include "numbersInternals.h"
 #include "keys.h"
 #include "documents.h"
+#include "transformInternals.h"

 #ifdef WITH_XSLT_DEBUG
 #define WITH_XSLT_DEBUG_FUNCTION
@@ -125,7 +126,20 @@ xsltDocumentFunctionLoadDocument(xmlXPathParserContextPtr ctxt,
         /*
         * This selects the stylesheet's doc itself.
         */
-        doc = tctxt->style->doc;
+        doc = xmlCopyDoc(tctxt->style->doc, 1);
+        if (doc == NULL) {
+        xsltTransformError(tctxt, NULL, NULL,
+            "document() : failed to copy style doc\n");
+        goto out_fragment;
+        }
+        xsltCleanupSourceDoc(doc); /* Remove psvi fields. */
+        idoc = xsltNewDocument(tctxt, doc);
+        if (idoc == NULL) {
+        xsltTransformError(tctxt, NULL, NULL,
+            "document() : failed to create xsltDocument\n");
+        xmlFreeDoc(doc);
+        goto out_fragment;
+        }
     } else {
             goto out_fragment;
     }
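Review bot: the bodies of the two new `if (doc == NULL)` / `if (idoc == NULL)` blocks are not indented relative to their `if`, so the `xsltTransformError(...)`, `xmlFreeDoc(doc);` and `goto out_fragment;` lines read as if they were unconditional; indent them one level to match the surrounding code. Ownership is consistent as far as the hunk shows: the copy is freed when `xsltNewDocument` fails, and the commit message says the success path hands it to `tctxt->docList`, so a short comment at the `xmlCopyDoc` call stating that the copy is owned by the transform context would help the next reader. Also worth noting in the changelog that `xmlCopyDoc(tctxt->style->doc, 1)` deep-copies the whole stylesheet each time this branch is reached, so nodes returned by `document('')` are no longer identical to the stylesheet's own nodes; that is the point of decoupling the psvi fields, but it is a behavioural change for anything comparing node identity.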
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 54ef821b..38c2dce6 100644
--- libxslt/transform.c.orig
+++ libxslt/transform.c
@@ -43,6 +43,7 @@
 #include "xsltlocale.h"
 #include "pattern.h"
 #include "transform.h"
+#include "transformInternals.h"
 #include "variables.h"
 #include "numbersInternals.h"
 #include "namespaces.h"
@@ -5757,7 +5758,7 @@ xsltCountKeys(xsltTransformContextPtr ctxt)
  *
  * Resets source node flags and ids stored in 'psvi' member.
  */
-static void
+void
 xsltCleanupSourceDoc(xmlDocPtr doc) {
     xmlNodePtr cur = (xmlNodePtr) doc;
     void **psviPtr;
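Review bot: dropping `static` from `xsltCleanupSourceDoc` makes the symbol visible library-wide; if the build uses a version script or default symbol visibility, check that it does not become an unintended public symbol. The doc comment above ("Resets source node flags and ids stored in 'psvi' member.") should also say which documents it is safe to call on, since the new caller in `xsltDocumentFunctionLoadDocument` passes a private copy rather than the live stylesheet document.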
diff --git a/libxslt/transformInternals.h b/libxslt/transformInternals.h
new file mode 100644
index 00000000..d0f42823
--- /dev/null
+++ libxslt/transformInternals.h
@@ -0,0 +1,9 @@
+/*
+ * Summary: set of internal interfaces for the XSLT engine transformation part.
+ *
+ * Copy: See Copyright for the status of this software.
+ *
+ * Author: David Kilzer <ddkilzer@apple.com>
+ */
+
+void xsltCleanupSourceDoc(xmlDocPtr doc);
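Review bot: the new header has no include guard and does not include `<libxml/tree.h>` for `xmlDocPtr`, so it only compiles when the including file has already pulled in libxml's tree types (true for functions.c and transform.c here, but fragile for any future includer); add a guard in the style of the other internal headers and an explicit `#include <libxml/tree.h>`.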
--
2.39.5 (Apple Git-154)

Just put the file in the files dir under the port home and rebuild.
If anyone wants to PR it, he/she is welcome to do it.
 
Needed to install a new system, downloaded ports and installed git-2.48.1, a vulnerable version.
After updating ports, I try to update git, and this is what it offers me:
to close one vulnerability in git, you need to install another libxslt.

Vicious circle!
 
Well, Debian screwed up the fix that "we" targeted:

"Package : libxslt
Debian Bug : 1114928

The update for libxslt announced in DSA 5979-1 introduced a regression
while back porting the upstream deterministic generate-id implementation,
which makes the generated IDs may remain in a non-deterministic order.
"
 