A vulnerability was discovered in numbers.c in libxslt 1.1.33: a type holding grouping characters of an xsl:number instruction was too narrow, and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data. Upstream commit: https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
Created libxslt tracking bugs for this issue:
Affects: fedora-all [bug 1728542]

Created mingw-libxslt tracking bugs for this issue:
Affects: epel-7 [bug 1728544]
Affects: fedora-all [bug 1728543]
There's a bug in libxslt in the function xsltFormatNumberConversion() where an attacker may leverage it to reveal some chunks of the program's stack due to a read from an uninitialized memory position. When processing the number formatting options in xsltFormatNumberConversion(), libxslt uses a too-narrow data type, which ends up truncating the format character data; however, when adding the formatting into the internal buffer it still uses the length read from the XSL file. This triggers a read from an uninitialized stack memory position, which is then added to the final formatted XML output.
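The value/length mismatch described above, as an added C illustration (constructed here, not libxslt's code or the upstream fix): the separator from the stylesheet is decoded to a code point and its byte length; if the code point is kept in an 8-bit type, a multibyte separator is truncated but the reserved length is not, and the reserved bytes are never written. The UTF-8 helpers, the `format_grouped` routine, the `STALE` marker and the sample digit string are assumptions of this example.

```c
#include <string.h>

/* Minimal UTF-8 helpers, constructed for this illustration (not libxslt's code). */
static int utf8_encode(unsigned char *o, unsigned int cp) {
    if (cp < 0x80)  { o[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800) { o[0] = 0xC0 | (cp >> 6); o[1] = 0x80 | (cp & 0x3F); return 2; }
    o[0] = 0xE0 | (cp >> 12); o[1] = 0x80 | ((cp >> 6) & 0x3F); o[2] = 0x80 | (cp & 0x3F);
    return 3;                                   /* code points above U+FFFF omitted */
}
static int utf8_decode(const unsigned char *s, unsigned int *cp) {
    int len = s[0] < 0x80 ? 1 : (s[0] & 0xE0) == 0xC0 ? 2 : 3;
    *cp = len == 1 ? s[0] : s[0] & (0x7F >> len);
    for (int i = 1; i < len; i++) *cp = (*cp << 6) | (s[i] & 0x3F);
    return len;
}
#define STALE 0xFF  /* never a valid UTF-8 byte: stands in for leftover stack data */

/* Builds `digits` right-to-left with a separator every `per_group` digits, the
 * shape the report describes: `sep_len` bytes (the length taken from the
 * stylesheet) are reserved, then `sep_cp` is encoded into them. Returns the
 * number of bytes in the result that were never written; copies it to `out`. */
static int format_grouped(const char *digits, int per_group, unsigned int sep_cp,
                          int sep_len, unsigned char *out) {
    unsigned char tmp[64], *p = &tmp[sizeof tmp - 1], *end = p;
    memset(tmp, STALE, sizeof tmp);             /* simulate stale stack contents */
    *p = 0;
    int n = (int)strlen(digits), leaked = 0;
    for (int i = 0; i < n; i++) {
        if (i > 0 && per_group > 0 && i % per_group == 0) {
            p -= sep_len;                       /* reserve the stylesheet's length... */
            utf8_encode(p, sep_cp);             /* ...but write the value's own length */
        }
        *--p = (unsigned char)digits[n - 1 - i];
    }
    for (unsigned char *q = p; q < end; q++) leaked += (*q == STALE);
    memcpy(out, p, (size_t)(end - p) + 1);
    return leaked;
}
/* Vulnerable shape: an 8-bit type truncates a multibyte separator (U+2009 becomes
 * 0x09) while the original byte length is kept, leaving reserved bytes unwritten. */
int leaked_narrow(const unsigned char *sep_utf8, unsigned char *out) {
    unsigned int cp; int len = utf8_decode(sep_utf8, &cp);
    unsigned char narrow = (unsigned char)cp;
    return format_grouped("1234567", 3, narrow, len, out);
}
/* Fixed shape: a type wide enough for any code point, so value and length agree. */
int leaked_wide(const unsigned char *sep_utf8, unsigned char *out) {
    unsigned int cp; int len = utf8_decode(sep_utf8, &cp);
    return format_grouped("1234567", 3, cp, len, out);
}
```

With the thin space U+2009 (bytes E2 80 89) as separator, the narrow variant leaves two 0xFF marker bytes after each of the two truncated separators, which is exactly the stale data that would reach the formatted output; the wide variant and an ASCII comma leave none.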
Statement:

* This issue affects the version of libxslt as shipped with Red Hat Gluster Storage 3, as it includes the affected code which allows the uninitialized read.
* This issue affects the versions of libxslt as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8. Red Hat Product Security has rated this issue as having a security impact of Low.
* Red Hat OpenStack Platform versions 9, 10, 13, & 14 are marked WONTFIX as they will inherit fixes from the underlying RHEL layer.

Red Hat Enterprise Linux 6 is now in the Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.