Investigate libxslt vulnerabilities patched in USN-4164-1

[flavorjones]

This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.

References:

• https://usn.ubuntu.com/4164-1/
• https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html
• https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html
• https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html

---

Summary (2019-11-17)

These vulnerabilities are patched in libxslt v1.1.34 which is vendored in Nokogiri v1.10.5 and later.

Present in: Nokogiri <= v1.10.4

Advisory: upgrade to Nokogiri v1.10.5 or later

---

History of this notification:

• 2019-10-22: USN-4164-1 published by Canonical
• 2019-10-31: v1.10.5 released as a maintenance update
• 2019-11-06: email notification to maintainer about the USN
• 2019-11-17: this github issue created
• 2019-11-17: analysis, advice, and security noitifcations posted

[flavorjones]

CVE-2019-13117

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings
could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This
could allow an attacker to discern whether a byte on the stack contains the
characters A, a, I, i, or 0, or any other character.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1

This patch is present in libxslt 1.1.34:

libxslt $ git tag --contains c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
v1.1.34
v1.1.34-rc2

[flavorjones]

CVE-2019-13118

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html

Priority: Low

Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an
xsl:number instruction was too narrow and an invalid character/length
combination could be passed to xsltNumberFormatDecimal, leading to a read
of uninitialized stack data

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b

This patch is present in libxslt 1.1.34:

libxslt $ git tag --contains 6ce8de69330783977dd14f6569419489875fb71b
v1.1.34
v1.1.34-rc2

[flavorjones]

CVE-2019-18197

https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html

Priority: Medium

Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't
reset under certain circumstances. If the relevant memory area happened to
be freed and reused in a certain way, a bounds check could fail and memory
outside a buffer could be written to, or uninitialized data could be
disclosed.

Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285

This patch is present in libxslt 1.1.34:

libxslt $ git tag --contains 2232473733b7313d67de8836ea3b29eec6e8e285
v1.1.34
v1.1.34-rc2

[flavorjones]

Summary

All three CVEs are patched in libxslt 1.1.34, and so these CVEs are addressed in v1.10.5 courtesy of commit 43a1753

Actions

• update changelog to indicate security aspects of the version
• update nokogiri.org changelog
• update Tidelift changelog
• notify mailing lists: email nokogiri-talk, ruby-talk, ruby-security-ann@googlegroups.com, oss-security@lists.openwall.com