[MEDIUM] Patch libxslt for CVE-2025-7424

[archana25-ms]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

What does the PR accomplish, why was it needed?
Upgrade: libxslt version to 1.1.43 and fix CVE-2025-7424

Change Log

• SPECS/libxslt/CVE-2025-7424.patch
• SPECS/libxslt/libxslt.spec
• SPECS/libxslt/libxslt-source-node-extra-data-infra.patch

Does this affect the toolchain?

NO

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2025-7424

Test Methodology

• Pipeline build id: xxxx

[Kanishk-Bansal]

Buddy Build

[archana25-ms]

libxslt is version upgraded to 1.1.43 which already has fix

• Patches CVE-2025-11731 & CVE-2025-7424 are applied to 1.1.43 version of libxslt.
• Patch application verification

• Build is successful.

[archana25-ms]

Buddy Build

Buddy build is successful.

[Kanishk-Bansal]

Minor version up to 1.1.43, after this upgrade the patch of CVE-2025-7424 applies cleanly. Some patches were remove as a part of minor upgrade as those were already covered in this release. Changes LGTM.

We have similar changes in 3.0 as well which is already merged without any regression

[Kanishk-Bansal]

Full Build as this a toolchain package.

[archana25-ms]

Full Build as this a toolchain package.

Could see failure in building libvirt package. Analysing in progress

[Kanishk-Bansal]

Buddy Build

[kgodara912]

Please update the toolchain entries with updated version of this package.

[archana25-ms]

Please update the toolchain entries with updated version of this package.

Updated

[archana25-ms]

Build Verification:

Patch application verification:

[Kanishk-Bansal]

Full Build

[archana25-ms]

Full Build

Full Build results are having failure in building SPECS_EXTENDED package - pngcrush

Otherwise the full build seems successful

[kgodara912]

Both the patches match with respective upstream references and not modification except context different. Buddy build is successful. Full build was failed in first attempt but after re-running it was successful, and logs weren't showing libxslt as an issue. Further there is one extended repo package failure, pngcrush which was failing previously as well and is not related to this package. LGTM.