libxslt-1.1.32-5.el8

Errata ID: AXSA:2021-1107:01

Release date: Wednesday, January 6, 2021 - 12:44
Subject: libxslt-1.1.32-5.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

libxslt is a library for transforming XML files into other textual formats (including HTML, plain text, and other XML representations of the underlying data) using the standard XSLT stylesheet transformation mechanism.

Security Fix(es):

* libxslt: xsltCheckRead and xsltCheckWrite routines security bypass by crafted URL (CVE-2019-11068)

* libxslt: use after free in xsltCopyText in transform.c could lead to information disclosure (CVE-2019-18197)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2019-11068
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
CVE-2019-18197
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
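
The caller pattern described for CVE-2019-11068, as an added example (not code from libxslt or from this advisory): a check that returns 1, 0 or -1, next to a caller that treats only 0 as a refusal and a caller that refuses anything but an explicit allow. The names check_read, load_fail_open, load_fail_closed, the allowed prefix and the condition that yields -1 are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define ALLOWED_PREFIX "file:///srv/xsl/"   /* constructed policy, not from the advisory */

/* Hypothetical stand-in for a tri-state check in the style of xsltCheckRead:
 * 1 = allowed, 0 = forbidden, -1 = the check itself failed. */
static int check_read(const char *url)
{
    /* Constructed failure condition: pretend URLs with a space cannot be parsed. */
    if (url == NULL || strchr(url, ' ') != NULL)
        return -1;
    return strncmp(url, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) == 0 ? 1 : 0;
}

/* Fail-open caller: only 0 is treated as a refusal, so -1 reaches the load. */
static int load_fail_open(const char *url)
{
    int res = check_read(url);
    if (res == 0)
        return 0;   /* refused */
    return 1;       /* "loaded": reached for res == 1 and for res == -1 */
}

/* Fail-closed caller: anything but an explicit allow is refused. */
static int load_fail_closed(const char *url)
{
    int res = check_read(url);
    if (res <= 0)
        return 0;   /* refused on denial and on error */
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *urls[] = {
        "file:///srv/xsl/report.xsl",    /* allowed by policy */
        "file:///home/user/notes.xml",   /* forbidden by policy */
        "file:///home/user/my notes.xml" /* check returns -1 */
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-34s check=%2d fail-open=%d fail-closed=%d\n", urls[i],
               check_read(urls[i]), load_fail_open(urls[i]),
               load_fail_closed(urls[i]));
    return 0;
}
```

When auditing code that calls a tri-state check of this kind, compare the result against the allow value rather than against the deny value, so that an error is handled as a refusal.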

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. libxslt-1.1.32-5.el8.src.rpm
    MD5: 1342c5aaa48fc731673c515095bed199
    SHA-256: 29f43ffd1b4604d222e69839f1ddfbd89268dac2c4c21ace2fa26b7ebe9936b7
    Size: 3.28 MB

Asianux Server 8 for x86_64
  1. libxslt-1.1.32-5.el8.x86_64.rpm
    MD5: 211ef3df1deb5d2ebf1534c61d112914
    SHA-256: a5ef2af499ca1dba65163577c5eb0b7e6469aad90c490c651b1b26775326a123
    Size: 248.34 kB
  2. libxslt-devel-1.1.32-5.el8.x86_64.rpm
    MD5: 2588c26ed789e108c1761673b500825a
    SHA-256: 02b2eef478ab8fda42eba014ddbab018b582da891008d003db6ea2f4e3958586
    Size: 321.50 kB
  3. libxslt-1.1.32-5.el8.i686.rpm
    MD5: cf4361b0956c6e2d30c8fe3aa154c4ad
    SHA-256: 50026a7d65c49daf7bff6e9ce1540832adc1ca5648af4904ba963bc69e396654
    Size: 261.43 kB
  4. libxslt-devel-1.1.32-5.el8.i686.rpm
    MD5: 0f163f605eafa4c78e0ba6306478a8ae
    SHA-256: 7d663173cece559a8293dc6cecb25f734782c9b0b1b949dd6d335826e32eeb97
    Size: 321.52 kB