Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 700386 (CVE-2019-13117, CVE-2019-13118, CVE-2019-18197) - <dev-libs/libxslt-1.1.34: Multiple vulnerabilities (CVE-2019-{13117,13118,18197})
Summary: <dev-libs/libxslt-1.1.34: Multiple vulnerabilities (CVE-2019-{13117,13118,181...
Status: IN_PROGRESS
Alias: CVE-2019-13117, CVE-2019-13118, CVE-2019-18197
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [stable cve]
Keywords: CC-ARCHES
Depends on: CVE-2019-20388, CVE-2020-24977, CVE-2020-7595
Blocks:
  Show dependency tree
 
Reported: 2019-11-17 19:08 UTC by Hanno Böck
Modified: 2020-09-12 03:30 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2019-11-17 19:08:31 UTC
libxslt 1.1.34 fixes a security vulnerability discovered by oss-fuzz.

The upstream changelog also indicates a few more security-relevant fixes:
https://gitlab.gnome.org/GNOME/libxslt/commit/3653123f992db24cec417d12600f4c67388025e3
Comment 1 Sam James gentoo-dev Security 2020-03-19 01:53:10 UTC
@maintainer(s), please create an appropriate ebuild
Comment 2 Sam James gentoo-dev Security 2020-03-26 18:05:49 UTC
1) CVE-2019-13117

Description:
"In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character."

Patch: https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1

2) CVE-2019-13118

Description:
"In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data."

Patch: https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b

3) CVE-2019-18197

Description:
"In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed."

Patch: https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-04-22 15:37:05 UTC
CVE-2019-13118 (https://nvd.nist.gov/vuln/detail/CVE-2019-13118):
  In numbers.c in libxslt 1.1.33, a type holding grouping characters of an
  xsl:number instruction was too narrow and an invalid character/length
  combination could be passed to xsltNumberFormatDecimal, leading to a read of
  uninitialized stack data.
Comment 4 John Helmert III (ajak) 2020-07-29 05:59:41 UTC
Ping
Comment 5 charles17 2020-07-29 06:15:26 UTC
*** Bug 703274 has been marked as a duplicate of this bug. ***
Comment 6 Larry the Git Cow gentoo-dev 2020-07-29 20:55:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=239dd8d12a0181dc4a9b162a96deef14aa7889b7

commit 239dd8d12a0181dc4a9b162a96deef14aa7889b7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-06-27 08:34:22 +0000
Commit:     Matt Turner <mattst88@gentoo.org>
CommitDate: 2020-07-29 20:55:19 +0000

    dev-libs/libxslt: security bump to 1.1.34
    
    Note that we need the new dev-libs/libxml-2.9.10:2 in order for tests to
    build successfully.
    
    Let's require it in general because upstream may have written their code
    expecting other properties which didn't show up during testing.
    
    Bug: https://bugs.gentoo.org/700386
    Closes: https://bugs.gentoo.org/703274
    Signed-off-by: Sam James <sam@gentoo.org>
    Signed-off-by: Matt Turner <mattst88@gentoo.org>

 dev-libs/libxslt/Manifest                          |   1 +
 .../files/libxslt-1.1.34-simplify-python.patch     | 239 +++++++++++++++++++++
 dev-libs/libxslt/libxslt-1.1.34.ebuild             | 125 +++++++++++
 3 files changed, 365 insertions(+)
Comment 7 Sam James gentoo-dev Security 2020-07-29 21:01:42 UTC
We'll give it a few days just in case.
Comment 8 Sam James gentoo-dev Security 2020-08-11 08:30:11 UTC
I think we're good to go. I'll CC-ARCHES later today if no objections.
Comment 9 Sam James gentoo-dev Security 2020-08-11 20:15:11 UTC
Oh, we need to do this in bug 710748 anyway because of the new tigher dependency on libxml2.