ELA-142-1 libxslt security update

uninitialized read

Related CVEs CVE-2019-13117 CVE-2019-13118

Two flaws were discovered in libxslt, the XSLT processing library.


An xsl:number with certain format strings could lead to an uninitialized
read in xsltNumberFormatInsertNumbers. This could allow an attacker to
discern whether a byte on the stack contains the characters A, a, I, i, or
0, or any other character.


A type holding grouping characters of an xsl:number instruction was too
narrow and an invalid character/length combination could be passed to
xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

For Debian 7 Wheezy, these problems have been fixed in version 1.1.26-14.1+deb7u5.

We recommend that you upgrade your libxslt packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.