Bug 1728546 (CVE-2019-13117)

Summary: CVE-2019-13117 libxslt: an xsl number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: apevec, dking, eglynn, erik-fedora, igor.raits, jjoyce, jschluet, klember, lhh, lpeer, lsvaty, mbenatto, mburns, mgarciac, pgrist, rjones, sclewis, sisharma, slinaber, veillard
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-10-27 10:46:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1728547, 1728548, 1728549, 1733210, 1733211, 1733899
Bug Blocks: 1728553

Description Dhananjay Arunesh 2019-07-10 07:02:52 UTC
A vulnerability was discovered in numbers.c in libxslt 1.1.33: an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

Upstream commit:
https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1

Comment 1 Dhananjay Arunesh 2019-07-10 07:04:08 UTC
Created libxslt tracking bugs for this issue:

Affects: fedora-all [bug 1728547]


Created mingw-libxslt tracking bugs for this issue:

Affects: epel-7 [bug 1728549]
Affects: fedora-all [bug 1728548]

Comment 5 Marco Benatto 2019-07-25 13:59:13 UTC
There's a bug in libxslt while processing number formatting. While processing the format string, xsltNumberFormatTokenize() eventually leaves a few tokens uninitialized in the token list; this leads to a further uninitialized read scenario in the xsltNumberFormatInsertNumbers() function. An attacker may leverage this by creating a crafted XSL file, and as a consequence a few bytes from the stack are revealed. There's no direct higher-impact consequence from exploiting this issue.
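
A simplified C model of the bug class described in Comment 5, added here as an illustration; it is not libxslt code and not the upstream patch. The `fmt_token` struct, the '.'-separated format syntax, and the `stale` fill byte (a constructed stand-in for leftover stack data, so the run is deterministic) are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 8
typedef struct { char token; int width; } fmt_token; /* hypothetical, not libxslt's struct */

/* Split fmt on '.'; a part starting with A, a, I, i or a digit is stored.
 * For any other part the unhardened path counts the slot without writing
 * it, while the hardened path stores the decimal default. */
static int tokenize(const char *fmt, fmt_token *toks, int hardened) {
    int n = 0;
    while (*fmt && n < MAX_TOKENS) {
        size_t len = strcspn(fmt, ".");
        if (len && (strchr("AaIi", fmt[0]) || isdigit((unsigned char)fmt[0])))
            toks[n] = (fmt_token){ fmt[0], (int)len };
        else if (hardened)
            toks[n] = (fmt_token){ '0', 1 };   /* every counted slot gets a value */
        n++;
        fmt += len;
        if (*fmt == '.') fmt++;
    }
    return n;
}

/* Consumer: the visible numbering style depends on the byte in the slot. */
static const char *style_of(const fmt_token *t) {
    switch (t->token) {
    case 'A': return "ALPHA";
    case 'a': return "alpha";
    case 'I': return "ROMAN";
    case 'i': return "roman";
    default:  return "decimal";
    }
}

/* Pre-fill the buffer with `stale`, tokenize, and report the style chosen
 * for slot idx ("none" if the tokenizer produced fewer slots). */
static const char *style_for(const char *fmt, int idx, char stale, int hardened) {
    fmt_token toks[MAX_TOKENS];
    memset(toks, stale, sizeof toks);
    return idx < tokenize(fmt, toks, hardened) ? style_of(&toks[idx]) : "none";
}

int main(void) {
    printf("unhardened: %s\n", style_for("1.#.A", 1, 'I', 0));
    printf("hardened:   %s\n", style_for("1.#.A", 1, 'I', 1));
    return 0;
}
```

In the unhardened path the formatted output tracks the stale byte, which is the information leak the description refers to; once every counted slot is written, the output is independent of prior memory contents.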

Comment 9 Nick Tait 2019-08-01 20:46:57 UTC
Statement:

* This issue affects the versions of libxslt as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8. It has been classified with the security impact of 'Low' by the Red Hat Product Security Team.
* This issue affects the version of libxslt as shipped with Red Hat Gluster Storage 3, as it includes the affected code which allows uninitialized read.
* Red Hat OpenStack Platform versions 9, 10, 13, & 14 are marked WONTFIX as they will inherit fixes from the underlying RHEL layer.