MGASA-2019-0313

See a problem?
Please try reporting it to the source first.
Source
https://advisories.mageia.org/MGASA-2019-0313.html
Import Source
https://advisories.mageia.org/MGASA-2019-0313.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2019-0313
Related
Published
2019-11-02T16:54:34Z
Modified
2019-11-02T16:36:54Z
Summary
Updated libxslt packages fix security vulnerabilities
Details

Updated libxslt package fixes security vulnerabilities:

  • In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character (CVE-2019-13117).

  • In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data (CVE-2019-13118).

  • In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed (CVE-2019-18197).

References
Credits

Affected packages

Mageia:7 / libxslt

Package

Name
libxslt
Purl
pkg:rpm/mageia/libxslt?distro=mageia-7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.33-2.1.mga7

Ecosystem specific 

{
    "section": "core"
}