Bugzilla – Bug 1140101
VUL-1: CVE-2019-13118: libxslt: read of uninitialized stack data due to too narrow xsl:number instruction and an invalid character
Last modified: 2024-05-06 13:13:03 UTC
CVE-2019-13118 In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data. References: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13118 http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13118 https://oss-fuzz.com/testcase-detail/5197371471822848 https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
All codestreams are affected. The fix is in commit [1] [1] https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
Factory submission: https://build.opensuse.org/request/show/713209
SUSE-SU-2019:1867-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1140095,1140101 CVE References: CVE-2019-13117,CVE-2019-13118 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP4 (src): libxslt-1.1.28-17.6.1 SUSE Linux Enterprise Server 12-SP4 (src): libxslt-1.1.28-17.6.1 SUSE Linux Enterprise Desktop 12-SP4 (src): libxslt-1.1.28-17.6.1 SUSE CaaS Platform 3.0 (src): libxslt-1.1.28-17.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2019-08-15. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64329
SUSE-SU-2020:1409-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1140095,1140101,1154609 CVE References: CVE-2019-13117,CVE-2019-13118,CVE-2019-18197 Sources used: SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): libxslt-1.1.32-3.8.24 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0731-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1140095,1140101,1154609 CVE References: CVE-2019-13117,CVE-2019-13118,CVE-2019-18197 Sources used: openSUSE Leap 15.1 (src): libxslt-1.1.32-lp151.3.6.1, libxslt-python-1.1.32-lp151.3.6.1
All done, closing.