Bug 1439548 (CVE-2015-9019)

Summary: CVE-2015-9019 libxslt: math.random() in xslt uses unseeded randomness
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: amuller, aortega, apevec, ayoung, bhu, chrisw, cvsbot-xmlrpc, erik-fedora, esammons, iboverma, jjoyce, jross, jschluet, kbasil, klember, lhh, lpeer, markmc, matt, mcressma, rbryant, rhos-maint, rjones, sclewis, sisharma, slong, tdecacqu, veillard, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-05 02:40:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1439557, 1439558, 1439559    
Bug Blocks: 1439550    

Description Andrej Nemec 2017-04-06 08:38:07 UTC 
A vulnerability was found in libxslt where the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.

Upstream bug:

https://bugzilla.gnome.org/show_bug.cgi?id=758400
Comment 1 Andrej Nemec 2017-04-06 08:54:53 UTC 
Created libxslt tracking bugs for this issue:

Affects: fedora-all [bug 1439559]


Created mingw-libxslt tracking bugs for this issue:

Affects: epel-7 [bug 1439557]
Affects: fedora-all [bug 1439558]
Comment 3 Doran Moppert 2017-04-11 03:29:54 UTC 
Statement:

The xslt random function provided by libxslt does not offer any security or cryptography guarantees. Applications using libxslt that rely on non-repeatable randomness should be seeding the system PRNG (srand()) themselves, as they would if calling rand() directly.