Bug 1728546 (CVE-2019-13117) - CVE-2019-13117 libxslt: an xsl number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers
Status: CLOSED ERRATA
Alias: CVE-2019-13117
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1728547 1728548 1728549 1733210 1733211 1733899
Blocks: 1728553
Reported: 2019-07-10 07:02 UTC by Dhananjay Arunesh
Modified: 2023-04-10 12:46 UTC (History)

Last Closed: 2021-10-27 10:46:26 UTC
Description Dhananjay Arunesh 2019-07-10 07:02:52 UTC
A vulnerability was discovered in numbers.c in libxslt 1.1.33: an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

Upstream commit:
https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1

Comment 1 Dhananjay Arunesh 2019-07-10 07:04:08 UTC
Created libxslt tracking bugs for this issue:

Affects: fedora-all [bug 1728547]


Created mingw-libxslt tracking bugs for this issue:

Affects: epel-7 [bug 1728549]
Affects: fedora-all [bug 1728548]

Comment 5 Marco Benatto 2019-07-25 13:59:13 UTC
There's a bug in libxslt when processing number formatting. While processing the format string, xsltNumberFormatTokenize() eventually leaves a few tokens uninitialized in the token list; this leads to a further uninitialized read in the xsltNumberFormatInsertNumbers() function. An attacker may leverage this by creating a crafted XSL file, and as a consequence a few bytes from the stack are revealed. There's no direct higher-impact consequence from exploiting this issue.
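
The bug class described above, as an added example that is not libxslt's code and not the upstream fix: a simplified tokenizer whose slots are read later by a formatter that branches on the token byte. Assumptions: all names are hypothetical, the 0xAA poison fill stands in for stale stack memory so the behaviour is deterministic, and "unrecognised alphanumeric run" is an illustrative trigger, not the real format string.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 8
#define POISON 0xAA /* constructed stand-in for stale stack bytes */

typedef struct { unsigned char token; int width; } fmt_token;
typedef struct { fmt_token tokens[MAX_TOKENS]; int n; } fmt_list;

/* Split fmt into alphanumeric runs. harden == 0 models the bug class: a run
 * the tokenizer does not recognise leaves its slot unwritten. */
void tokenize(const char *fmt, fmt_list *out, int harden) {
    memset(out, POISON, sizeof *out); /* deterministic "uninitialised" memory */
    out->n = 0;
    while (*fmt && out->n < MAX_TOKENS) {
        if (!isalnum((unsigned char)*fmt)) { fmt++; continue; } /* separator */
        fmt_token *t = &out->tokens[out->n++];
        if (harden) { t->token = '0'; t->width = 1; } /* default before parsing */
        const char *start = fmt;
        while (isalnum((unsigned char)*fmt)) fmt++;
        if (fmt - start == 1 && strchr("AaIi", *start)) {
            t->token = (unsigned char)*start; t->width = 1;
        } else if (isdigit((unsigned char)*start)) {
            t->token = '0'; t->width = (int)(fmt - start);
        } /* any other run: slot is written only when harden != 0 */
    }
}

/* The formatter branches on the token byte, so its output reveals the class
 * of that byte: A, a, I, i, 0, or "any other character". */
char formatter_branch(const fmt_token *t) {
    switch (t->token) {
    case 'A': case 'a': case 'I': case 'i': case '0': return (char)t->token;
    default: return '?';
    }
}

/* Count slots the formatter would read without the tokenizer writing them. */
int unwritten_tokens(const char *fmt, int harden) {
    fmt_list l; int i, bad = 0;
    tokenize(fmt, &l, harden);
    for (i = 0; i < l.n; i++)
        if (l.tokens[i].token == POISON) bad++;
    return bad;
}

int main(void) {
    printf("unwritten before: %d\n", unwritten_tokens("1.x.A", 0));
    printf("unwritten after:  %d\n", unwritten_tokens("1.x.A", 1));
    return 0;
}
```

Building real code with MemorySanitizer or running it under Valgrind flags the unhardened read that this model makes visible with a poison byte.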

Comment 9 Nick Tait 2019-08-01 20:46:57 UTC
Statement:

* This issue affects the versions of libxslt as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8. It has been classified with the security impact of 'Low' by the Red Hat Product Security Team.
* This issue affects the version of libxslt as shipped with Red Hat Gluster Storage 3, as it includes the affected code which allows uninitialized read.
* Red Hat OpenStack Platform versions 9, 10, 13, & 14 are marked WONTFIX as they will inherit fixes from the underlying RHEL layer.

