Bug 1439548 (CVE-2015-9019) - CVE-2015-9019 libxslt: math.random() in xslt uses unseeded randomness
Summary: CVE-2015-9019 libxslt: math.random() in xslt uses unseeded randomness
Alias: CVE-2015-9019
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1439557 1439558 1439559
Blocks: 1439550
TreeView+ depends on / blocked
Reported: 2017-04-06 08:38 UTC by Andrej Nemec
Modified: 2021-02-17 02:22 UTC (History)
29 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-07-05 02:40:08 UTC

Attachments (Terms of Use)

Description Andrej Nemec 2017-04-06 08:38:07 UTC
A vulnerability was found in libxslt where the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.

Upstream bug:


Comment 1 Andrej Nemec 2017-04-06 08:54:53 UTC
Created libxslt tracking bugs for this issue:

Affects: fedora-all [bug 1439559]

Created mingw-libxslt tracking bugs for this issue:

Affects: epel-7 [bug 1439557]
Affects: fedora-all [bug 1439558]

Comment 3 Doran Moppert 2017-04-11 03:29:54 UTC

The xslt random function provided by libxslt does not offer any security or cryptography guarantees. Applications using libxslt that rely on non-repeatable randomness should be seeding the system PRNG (srand()) themselves, as they would if calling rand() directly.

Note You need to log in before you can comment on or make changes to this bug.