In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains one of the characters A, a, I, i, or 0, or some other character.
{ "vanir_signatures": [ { "signature_version": "v1", "digest": { "length": 1909.0, "function_hash": "149946325565218207761949792658421626761" }, "id": "CVE-2019-13117-565fd9eb", "deprecated": false, "target": { "file": "libxslt/numbers.c", "function": "xsltNumberFormatTokenize" }, "signature_type": "Function", "source": "https://gitlab.gnome.org/GNOME/libxslt@c5eb6cf3aba0af048596106ed839b4ae17ecbcb1" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "43565303947768987112289376521803259580", "19431884078099895786233513579532035761", "49920840082758177635510753390799152839", "72429694293929117164221740144272381935" ] }, "id": "CVE-2019-13117-a8b017df", "deprecated": false, "target": { "file": "libxslt/numbers.c" }, "signature_type": "Line", "source": "https://gitlab.gnome.org/GNOME/libxslt@c5eb6cf3aba0af048596106ed839b4ae17ecbcb1" } ] }