Bug 1728541 (CVE-2019-13118)
| Summary: | CVE-2019-13118 libxslt: read of uninitialized stack data due to too narrow xsl:number instruction and an invalid character | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | apevec, dking, eglynn, erik-fedora, igor.raits, jjoyce, jschluet, klember, lhh, lpeer, lsvaty, mbenatto, mburns, mgarciac, pgrist, psampaio, rjones, sclewis, sisharma, slinaber, veillard |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A vulnerability was found in libxslt within the numbers.c file, where a type holding grouping characters of an xsl:number instruction was too narrow, this flaw allowed an invalid character/length combination to be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data. This could result in undefined behavior or potential information disclosure.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-27 10:46:21 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1728542, 1728543, 1728544, 1730917, 1730918, 1733900 | ||
| Bug Blocks: | 1728553 | ||
|
Description
Dhananjay Arunesh
2019-07-10 06:57:27 UTC
Created libxslt tracking bugs for this issue: Affects: fedora-all [bug 1728542] Created mingw-libxslt tracking bugs for this issue: Affects: epel-7 [bug 1728544] Affects: fedora-all [bug 1728543] There's a bug on libxslt at function xsltFormatNumberConversion() where an attacker may leverage it to reveal some chunks of program's stack due to a read from an uninitialized memory position. When processing the number formatting options at xsltFormatNumberConversion() libxslt uses a too narrow data type, which end up truncating the format character data, however when adding the formatting into internal buffer it still uses the length read from xsl file. This triggers a read from an uninitialized memory position from stack which will be further added to final formatted XML output. Statement: * This issue affects the version of libxslt as shipped with Red Hat Gluster Storage 3, as it includes the affected code which allows uninitialized read. * This issue affects the versions of libxslt as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8. Red Hat Product Security has rated this issue as having a security impact of Low. * Red Hat OpenStack Platform versions 9, 10, 13, & 14 are marked WONTFIX as they will inherit fixes from the underlying RHEL layer. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. |