Bug 833508 (CVE-2021-30560) - <dev-libs/libxslt-1.1.35: use-after-free in xsltApplyTemplates
Summary: <dev-libs/libxslt-1.1.35: use-after-free in xsltApplyTemplates
Alias: CVE-2021-30560
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa? cleanup]
Depends on: 833586 834457
Reported: 2022-02-17 02:27 UTC by John Helmert III
Modified: 2022-03-15 15:11 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-17 02:27:22 UTC
"There's a bug in libxslt which can result in use-after-free in connection with the <xsl:strip-space> feature. Under certain circumstances, function xsltApplyTemplates can delete text nodes which are still referenced from variables, keys or possibly other data structures."

Fix in 1.1.35:
Comment 1 Larry the Git Cow gentoo-dev 2022-02-17 22:52:44 UTC
The bug has been closed via the following commit(s):

commit 49e51187a6e928f9ac156a757be6301b61141d5d
Author:     Sam James <>
AuthorDate: 2022-02-17 22:51:32 +0000
Commit:     Sam James <>
CommitDate: 2022-02-17 22:52:29 +0000

    dev-libs/libxslt: add 1.1.35
    Note that maintainership has officially changed and verify-sig is
    therefore dropped for now as upstream aren't offering PGP signatures
    for now:
    Signed-off-by: Sam James <>

 dev-libs/libxslt/Manifest              |  1 +
 dev-libs/libxslt/libxslt-1.1.35.ebuild | 63 ++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-02-18 03:54:17 UTC
The bug has been referenced in the following commit(s):

commit ad676814872917af7dc098f47b0ebb8a106f5d30
Author:     Sam James <>
AuthorDate: 2022-02-18 03:53:29 +0000
Commit:     Sam James <>
CommitDate: 2022-02-18 03:53:29 +0000

    profiles: mask =dev-libs/libxslt-1.1.35
    Too strict parsing? Needs more investigation.
    Signed-off-by: Sam James <>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)