Two flaws were discovered in libxslt, the XSLT processing library.
An xsl:number with certain format strings could lead to an uninitialized
read in xsltNumberFormatInsertNumbers. This could allow an attacker to
discern whether a byte on the stack contains the characters A, a, I, i, or
0, or any other character.
A type holding grouping characters of an xsl:number instruction was too
narrow and an invalid character/length combination could be passed to
xsltNumberFormatDecimal, leading to a read of uninitialized stack data.
For Debian 7 Wheezy, these problems have been fixed in version 1.1.26-14.1+deb7u5.
We recommend that you upgrade your libxslt packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.