Bug 1388777 (CVE-2016-4738) - CVE-2016-4738 libxslt: Heap overread due to an empty decimal-separator
Summary: CVE-2016-4738 libxslt: Heap overread due to an empty decimal-separator
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-4738
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1388779 1388780 1388781
Blocks: 1388784
Reported: 2016-10-26 07:50 UTC by Andrej Nemec
Modified: 2019-09-29 13:58 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-09 13:41:14 UTC



Description Andrej Nemec 2016-10-26 07:50:45 UTC
A heap overread vulnerability was found in the xsltFormatNumberConversion function in libxslt. An empty decimal-separator could cause a heap overread. This can be exploited to leak a couple of bytes after the buffer that holds the pattern string.

Upstream patch:

https://git.gnome.org/browse/libxslt/commit/?id=eb1030de31165b68487f288308f9d1810fed6880
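
A pre-processing check for the condition described above, added here as an example (it is not code from the bug report or from libxslt): it flags xsl:decimal-format declarations whose decimal-separator is empty, so such stylesheets can be rejected before they reach an unpatched libxslt. The report names only decimal-separator; covering the other attributes that XSLT 1.0 defines as a single character is a generalization, and the function name and sample stylesheet are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# XSLT 1.0 defines each of these xsl:decimal-format attributes as exactly
# one character. The bug report concerns an empty decimal-separator; the
# rest are checked on the same rule (generalization, not from the report).
SINGLE_CHAR_ATTRS = (
    "decimal-separator", "grouping-separator", "percent", "per-mille",
    "zero-digit", "digit", "pattern-separator", "minus-sign",
)


def find_bad_decimal_formats(stylesheet_text):
    """Return (format_name, attribute, value) for every xsl:decimal-format
    attribute that is present but not exactly one character long."""
    # Assumption: the stylesheet comes from your own pipeline. For fully
    # untrusted XML, parse with a hardened parser configuration instead.
    root = ET.fromstring(stylesheet_text)
    findings = []
    for elem in root.iter("{%s}decimal-format" % XSL_NS):
        name = elem.get("name", "(default)")
        for attr in SINGLE_CHAR_ATTRS:
            value = elem.get(attr)
            # An absent attribute falls back to the spec default and is fine.
            if value is not None and len(value) != 1:
                findings.append((name, attr, value))
    return findings


# Constructed sample stylesheet: one valid format, one with the empty
# decimal-separator from the report, one with a two-character separator.
SAMPLE = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:decimal-format name="ok" decimal-separator="," grouping-separator="."/>
  <xsl:decimal-format name="empty" decimal-separator=""/>
  <xsl:decimal-format grouping-separator="::"/>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, attr, value in find_bad_decimal_formats(SAMPLE):
        print("decimal-format %s: %s=%r is not a single character"
              % (name, attr, value))
```
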

Comment 1 Andrej Nemec 2016-10-26 07:56:24 UTC
Created libxslt tracking bugs for this issue:

Affects: fedora-all [bug 1388779]

Comment 2 Andrej Nemec 2016-10-26 07:56:44 UTC
Created mingw-libxslt tracking bugs for this issue:

Affects: fedora-all [bug 1388780]
Affects: epel-7 [bug 1388781]

Comment 4 Huzaifa S. Sidhpurwala 2016-10-31 08:50:02 UTC
This issue was initially filed as a Chromium bug at:

https://bugs.chromium.org/p/chromium/issues/detail?id=619006

