diff --git a/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch b/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch
new file mode 100644
index 0000000..62007d6
--- /dev/null
+++ b/SOURCES/libxslt-1.1.32-CVE-2019-11068.patch
@@ -0,0 +1,120 @@
+From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: [PATCH] Fix security framework bypass
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c | 9 +++++----
+ libxslt/transform.c | 9 +++++----
+ libxslt/xslt.c | 9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312..4aad11bb 100644
+--- a/libxslt/documents.c
++++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(ctxt->sec, ctxt, URI);
+- if (res == 0) {
+- xsltTransformError(ctxt, NULL, NULL,
+- "xsltLoadDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(ctxt, NULL, NULL,
++ "xsltLoadDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, URI);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltLoadStyleDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltLoadStyleDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 874870cc..3783b247 100644
+--- a/libxslt/imports.c
++++ b/libxslt/imports.c
+@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ int secres;
+
+ secres = xsltCheckRead(sec, NULL, URI);
+- if (secres == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsl:import: read rights for %s denied\n",
+- URI);
++ if (secres <= 0) {
++ if (secres == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsl:import: read rights for %s denied\n",
++ URI);
+ goto error;
+ }
+ }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 13793914..0636dbd0 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ */
+ if (ctxt->sec != NULL) {
+ ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+- if (ret == 0) {
+- xsltTransformError(ctxt, NULL, inst,
+- "xsltDocumentElem: write rights for %s denied\n",
+- filename);
++ if (ret <= 0) {
++ if (ret == 0)
++ xsltTransformError(ctxt, NULL, inst,
++ "xsltDocumentElem: write rights for %s denied\n",
++ filename);
+ xmlFree(URL);
+ xmlFree(filename);
+ return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 780a5ad7..a234eb79 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, filename);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltParseStylesheetFile: read rights for %s denied\n",
+- filename);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltParseStylesheetFile: read rights for %s denied\n",
++ filename);
+ return(NULL);
+ }
+ }
+--
+2.24.1
+
diff --git a/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch b/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch
new file mode 100644
index 0000000..a8c7cf5
--- /dev/null
+++ b/SOURCES/libxslt-1.1.32-CVE-2019-18197.patch
@@ -0,0 +1,30 @@
+From 2232473733b7313d67de8836ea3b29eec6e8e285 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 17 Aug 2019 16:51:53 +0200
+Subject: [PATCH] Fix dangling pointer in xsltCopyText
+
+xsltCopyText didn't reset ctxt->lasttext in some cases which could
+lead to various memory errors in relation with CDATA sections in input
+documents.
+
+Found by OSS-Fuzz.
+---
+ libxslt/transform.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 95ebd073..d7ab0b66 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -1094,6 +1094,8 @@ xsltCopyText(xsltTransformContextPtr ctxt, xmlNodePtr target,
+ if ((copy->content = xmlStrdup(cur->content)) == NULL)
+ return NULL;
+ }
++
++ ctxt->lasttext = NULL;
+ } else {
+ /*
+ * normal processing. keep counters to extend the text node
+--
+2.22.0
+
diff --git a/SOURCES/multilib2.patch b/SOURCES/multilib2.patch
new file mode 100644
index 0000000..22ffe7e
--- /dev/null
+++ b/SOURCES/multilib2.patch
@@ -0,0 +1,28 @@
+diff -urN libxslt-1.1.32/libxslt/xsltconfig.h.in libxslt-1.1.32.completemultilib/libxslt/xsltconfig.h.in
+--- libxslt-1.1.32/libxslt/xsltconfig.h.in 2017-10-26 07:55:47.000000000 +0000
++++ libxslt-1.1.32.completemultilib/libxslt/xsltconfig.h.in 2019-05-06 11:35:57.948191169 +0000
+@@ -120,7 +120,11 @@
+ #ifndef WITH_MODULES
+ #define WITH_MODULES
+ #endif
+-#define LIBXSLT_DEFAULT_PLUGINS_PATH() "@LIBXSLT_DEFAULT_PLUGINS_PATH@"
++#ifdef __LP64__
++#define LIBXSLT_DEFAULT_PLUGINS_PATH() "/usr/lib64/libxslt-plugins"
++#else
++#define LIBXSLT_DEFAULT_PLUGINS_PATH() "/usr/lib/libxslt-plugins"
++#endif
+ #endif
+
+ /**
+diff -urN libxslt-1.1.32/xslt-config.in libxslt-1.1.32.completemultilib/xslt-config.in
+--- libxslt-1.1.32/xslt-config.in 2015-05-10 14:11:30.000000000 +0000
++++ libxslt-1.1.32.completemultilib/xslt-config.in 2019-05-06 11:34:59.670592304 +0000
+@@ -65,7 +65,7 @@
+ ;;
+
+ --plugins)
+- echo @LIBXSLT_DEFAULT_PLUGINS_PATH@
++ echo ${libdir}/libxslt-plugins
+ exit 0
+ ;;
+
diff --git a/SPECS/libxslt.spec b/SPECS/libxslt.spec
index 03e76a1..7c515f1 100644
--- a/SPECS/libxslt.spec
+++ b/SPECS/libxslt.spec
@@ -8,7 +8,7 @@
Name: libxslt
Summary: Library providing the Gnome XSLT engine
Version: 1.1.32
-Release: 3%{?dist}
+Release: 5%{?dist}
License: MIT
URL: http://xmlsoft.org/XSLT
@@ -25,6 +25,12 @@ BuildRequires: pkgconfig(libxml-2.0) >= 2.6.27
# Fedora specific patches
Patch0: multilib.patch
Patch1: libxslt-1.1.26-utf8-docs.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1765632
+Patch2: multilib2.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1775517
+Patch3: libxslt-1.1.32-CVE-2019-18197.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1715732
+Patch4: libxslt-1.1.32-CVE-2019-11068.patch
%description
This C library allows to transform XML files into other XML files
@@ -129,6 +135,13 @@ rm -vrf %{buildroot}%{_docdir}
%endif # with python2
%changelog
+* Thu Jan 09 2020 David King <dking@redhat.com> - 1.1.32-5
+- Fix CVE-2019-18197 (#1775517)
+- Fix CVE-2019-11068 (#1715732)
+
+* Thu Jan 09 2020 David King <dking@redhat.com> - 1.1.32-4
+- Fix multilib issues with devel subpackage (#1765632)
+
* Mon Jun 25 2018 Charalampos Stratakis <cstratak@redhat.com> - 1.1.32-3
- Conditionalize the python2 subpackage