Bug 1728541 (CVE-2019-13118) - CVE-2019-13118 libxslt: read of uninitialized stack data due to too narrow xsl:number instruction and an invalid character
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-13118
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1728542 1728543 1728544 1730917 1730918 1733900
Blocks: 1728553
Reported: 2019-07-10 06:57 UTC by Dhananjay Arunesh
Modified: 2023-04-14 20:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-27 10:46:21 UTC
Embargoed:



Description Dhananjay Arunesh 2019-07-10 06:57:27 UTC
A vulnerability was discovered in numbers.c in libxslt 1.1.33: a type holding grouping characters of an xsl:number instruction was too narrow, and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

Upstream commit:
https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b

Comment 1 Dhananjay Arunesh 2019-07-10 06:58:24 UTC
Created libxslt tracking bugs for this issue:

Affects: fedora-all [bug 1728542]


Created mingw-libxslt tracking bugs for this issue:

Affects: epel-7 [bug 1728544]
Affects: fedora-all [bug 1728543]

Comment 6 Marco Benatto 2019-07-23 13:12:09 UTC
There's a bug in libxslt in the function xsltFormatNumberConversion() which an attacker may leverage to reveal some chunks of the program's stack, due to a read from an uninitialized memory position. When processing the number formatting options in xsltFormatNumberConversion(), libxslt uses a too-narrow data type, which ends up truncating the format character data; however, when adding the formatting into the internal buffer it still uses the length read from the XSL file.
This triggers a read from an uninitialized memory position on the stack, which is then added to the final formatted XML output.
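
The character/length mismatch described above, as a constructed C model added here (not libxslt's code): a multi-byte UTF-8 grouping separator is narrowed to one byte while the byte width measured on the original character is still used to reserve output space, beside a checked variant that rejects the mismatch. The encode_utf8 helper, buffer layout and function names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the bug class in this report, not libxslt's code: a multi-byte
 * UTF-8 grouping separator is narrowed to one byte, while the byte length measured on the
 * original character is still used to reserve space in the output buffer.
 * Hypothetical helper: encode a code point as UTF-8; returns bytes written, 0 if invalid. */
static int encode_utf8(unsigned char *out, uint32_t cp) {
    if (cp < 0x80) { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800) { out[0] = 0xC0 | (cp >> 6); out[1] = 0x80 | (cp & 0x3F); return 2; }
    if (cp < 0x10000) {
        out[0] = 0xE0 | (cp >> 12); out[1] = 0x80 | ((cp >> 6) & 0x3F);
        out[2] = 0x80 | (cp & 0x3F); return 3;
    }
    if (cp < 0x110000) {
        out[0] = 0xF0 | (cp >> 18); out[1] = 0x80 | ((cp >> 12) & 0x3F);
        out[2] = 0x80 | ((cp >> 6) & 0x3F); out[3] = 0x80 | (cp & 0x3F); return 4;
    }
    return 0;
}

#define STALE 0xFF /* sentinel for stale stack bytes; 0xFF never occurs in valid UTF-8 */

/* Vulnerable pattern: the separator has been squeezed into an unsigned char, but the
 * width reserved for it is that of the original character. Returns how many reserved
 * bytes were never written; in the real bug those bytes are uninitialized stack data
 * that ends up in the formatted output. */
int stale_bytes_narrow(uint32_t cp) {
    unsigned char buf[4];
    int reserved = encode_utf8(buf, cp);    /* width measured on the original character */
    unsigned char sep = (unsigned char)cp;  /* the too-narrow type drops the high bits */
    memset(buf, STALE, sizeof buf);
    encode_utf8(buf, sep);                  /* a value below 0x80 now occupies one byte */
    int stale = 0;
    for (int i = 0; i < reserved; i++)
        if (buf[i] == STALE) stale++;
    return stale;
}

/* Hardened pattern: keep the full code point in a wide type and reject a character whose
 * encoded width differs from the width the caller reserved. Returns bytes written, or -1. */
int insert_separator_checked(unsigned char *out, uint32_t sep, int reserved) {
    unsigned char tmp[4];
    int n = encode_utf8(tmp, sep);
    if (n == 0 || n != reserved) return -1;
    memcpy(out, tmp, (size_t)n);
    return n;
}
```

An ASCII separator, or U+00A0 whose low byte happens to be the same code point, leaves nothing stale in this model, so the mismatch only shows with a separator whose truncated value encodes narrower than the original (a 3- or 4-byte character).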

Comment 9 Nick Tait 2019-08-01 20:47:54 UTC
Statement:

* This issue affects the version of libxslt as shipped with Red Hat Gluster Storage 3, as it includes the affected code which allows an uninitialized read.
* This issue affects the versions of libxslt as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8. Red Hat Product Security has rated this issue as having a security impact of Low.
* Red Hat OpenStack Platform versions 9, 10, 13, & 14 are marked WONTFIX as they will inherit fixes from the underlying RHEL layer.

Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

