Main Vulnerability Database SB2019101424

SB2019101424 - Fedora 31 update for libxslt

Published: October 14, 2019 Updated: April 25, 2025

Security Bulletin ID SB2019101424

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2019-13117)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to information disclosure in numbers.c in libxslt library where an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. A remote attacker can gain knowledge whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

2) Information disclosure (CVE-ID: CVE-2019-13118)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to uninitialized stack data exposure in numbers.c in libxslt library when processing an invalid character/length combination in xsltNumberFormatDecimal. A remote attacker can gain pass specially crafted data to the application using the affected library and gain access to sensitive information.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2019-fdf6ec39b4