Your message dated Mon, 12 Aug 2019 19:17:09 +0000
with message-id <[email protected]>
and subject line Bug#931320: fixed in libxslt 1.1.32-2.1~deb10u1
has caused the Debian Bug report #931320,
regarding libxslt: CVE-2019-13118
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
931320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931320
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libxslt
Version: 1.1.32-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for libxslt.

CVE-2019-13118[0]:
| In numbers.c in libxslt 1.1.33, a type holding grouping characters of
| an xsl:number instruction was too narrow and an invalid
| character/length combination could be passed to
| xsltNumberFormatDecimal, leading to a read of uninitialized stack
| data.

The oss-fuzz report and testcases are not public at this moment, but
still filing the bug according to source code view and patch to be
applied. I have no further details unfortunately.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13118
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13118
[1] https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
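The mechanism the CVE text in the report above describes (a grouping character held in a type too narrow for it, so that the character and its recorded byte length disagree and the formatter copies bytes it never wrote), as an added example that is not part of this bug report and is not libxslt's source: a small C model of a grouping-separator record with an 8-bit character field next to the widened version, plus the consistency check a consumer should apply before trusting the stored length. The encoder, the struct and function names, the sample code point U+2009 and the 0xAA fill are assumptions made for this illustration; none of them are libxslt identifiers, and the code does not reproduce numbers.c.

```c
#include <stdio.h>
#include <string.h>

/* Minimal UTF-8 encoder (illustrative; not libxslt's xmlCopyCharMultiByte).
 * Writes the encoding of code point cp into out and returns the byte count
 * (1..4), or 0 if cp is not a valid scalar code point. */
static int utf8_encode(int cp, unsigned char out[4])
{
    if (cp < 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
        return 0;
    if (cp < 0x80) { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800) {
        out[0] = (unsigned char)(0xC0 | (cp >> 6));
        out[1] = (unsigned char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if (cp < 0x10000) {
        out[0] = (unsigned char)(0xE0 | (cp >> 12));
        out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (unsigned char)(0x80 | (cp & 0x3F));
        return 3;
    }
    out[0] = (unsigned char)(0xF0 | (cp >> 18));
    out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
    out[3] = (unsigned char)(0x80 | (cp & 0x3F));
    return 4;
}

/* Byte length of cp's UTF-8 form: what a parser records next to the
 * character when it reads a grouping separator from a stylesheet. */
static int utf8_len(int cp)
{
    unsigned char tmp[4];
    return utf8_encode(cp, tmp);
}

/* Too-narrow record (models the bug): the character is squeezed into 8 bits
 * while its byte length is kept in full, so any code point above U+00FF is
 * silently truncated and ch no longer matches len. */
struct grouping_narrow { unsigned char ch; int len; };

/* Widened record (models the fix): ch can hold any code point. */
struct grouping_wide { int ch; int len; };

static struct grouping_narrow narrow_from(int cp)
{
    struct grouping_narrow g = { (unsigned char)cp, utf8_len(cp) };
    return g;
}

static struct grouping_wide wide_from(int cp)
{
    struct grouping_wide g = { cp, utf8_len(cp) };
    return g;
}

/* Guard a consumer should apply before trusting a stored (ch, len) pair:
 * 1 if len really is the UTF-8 length of ch, 0 otherwise. */
static int separator_consistent(int ch, int len)
{
    return len > 0 && utf8_len(ch) == len;
}

/* Emits one separator the way a formatter assembles output: re-encode ch
 * into a scratch buffer, then copy len bytes of it. If ch was truncated the
 * encoder writes fewer bytes than len and the copy picks up bytes it never
 * wrote. The 0xAA fill stands in for stale stack contents (a real formatter
 * would leave the scratch buffer uninitialized). Returns how many copied
 * bytes came from the fill, or -1 if len is out of range; dst gets len bytes. */
static int emit_separator(int ch, int len, unsigned char dst[4])
{
    unsigned char temp[4];
    int written;

    memset(temp, 0xAA, sizeof temp);           /* stand-in for stale stack */
    if (len < 1 || len > (int)sizeof temp)
        return -1;
    written = utf8_encode(ch, temp);
    memcpy(dst, temp, (size_t)len);
    return len > written ? len - written : 0;
}

int main(void)
{
    int cp = 0x2009;                           /* U+2009 THIN SPACE: 3 bytes */
    struct grouping_narrow n = narrow_from(cp);
    struct grouping_wide w = wide_from(cp);
    unsigned char out[4];
    int stale;

    stale = emit_separator(n.ch, n.len, out);
    printf("narrow: ch=0x%02X len=%d consistent=%d out=%02X %02X %02X stale=%d\n",
           n.ch, n.len, separator_consistent(n.ch, n.len), out[0], out[1], out[2], stale);
    stale = emit_separator(w.ch, w.len, out);
    printf("wide:   ch=0x%04X len=%d consistent=%d out=%02X %02X %02X stale=%d\n",
           w.ch, w.len, separator_consistent(w.ch, w.len), out[0], out[1], out[2], stale);
    return 0;
}
```

With the narrow record, U+2009 becomes 0x09 (a tab) while the recorded length stays 3, so the copy carries two bytes the encoder never wrote; the wide record re-encodes to E2 80 89 and nothing stale is copied. The point for a consumer of such a record is the separator_consistent check: validate that the stored character and length agree before using the length to size a copy, rather than trusting the pair because the parser produced it.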
--- Begin Message ---
Source: libxslt
Source-Version: 1.1.32-2.1~deb10u1

We believe that the bug you reported is fixed in the latest version of
libxslt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libxslt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 Aug 2019 21:49:31 +0200
Source: libxslt
Architecture: source
Version: 1.1.32-2.1~deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian XML/SGML Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 926895 931320 931321 933743
Changes:
 libxslt (1.1.32-2.1~deb10u1) buster; urgency=medium
 .
   * Rebuild for buster
 .
 libxslt (1.1.32-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix security framework bypass (CVE-2019-11068) (Closes: #926895, #933743)
   * Fix uninitialized read of xsl:number token (CVE-2019-13117)
     (Closes: #931321, #933743)
   * Fix uninitialized read with UTF-8 grouping chars (CVE-2019-13118)
     (Closes: #931320, #933743)
Checksums-Sha1: 
 74e907d0f8a1547f5eb70f537fbf59c845559827 2781 libxslt_1.1.32-2.1~deb10u1.dsc
 0398bf28f5b8d04e3b1feeeb5bfabd461b0a8fb3 33864 libxslt_1.1.32-2.1~deb10u1.debian.tar.xz
Checksums-Sha256: 
 c81cf808598b6c7eaafa573658ab7f2db98bb5831ec0a0d7982e51bddb15a8e2 2781 libxslt_1.1.32-2.1~deb10u1.dsc
 e2b83f24090e5852149094612062fe1be2f75ad241dfbc66e6350b4b0e6d5641 33864 libxslt_1.1.32-2.1~deb10u1.debian.tar.xz
Files: 
 a2b647d2d424cded699a069631174711 2781 text optional libxslt_1.1.32-2.1~deb10u1.dsc
 6bba547dd07821d41404f9357429aab7 33864 text optional libxslt_1.1.32-2.1~deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
