Apple iOS 至 12.3.2 libxslt 输入验证漏洞

CVE编号

CVE-2019-13118

利用情况

暂无

补丁情况

官方补丁

披露时间

2019-07-01

漏洞描述

在libxslt 1.1.33中的numbers.c中，保存xsl：number指令的分组字符的类型太窄，可能将无效的字符/长度组合传递给xsltNumberFormatDecimal，从而导致读取未初始化的堆栈数据。

解决建议

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接：
https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b

参考链接
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
http://seclists.org/fulldisclosure/2019/Aug/11
http://seclists.org/fulldisclosure/2019/Aug/13
http://seclists.org/fulldisclosure/2019/Aug/14
http://seclists.org/fulldisclosure/2019/Aug/15
http://seclists.org/fulldisclosure/2019/Jul/22
http://seclists.org/fulldisclosure/2019/Jul/23
http://seclists.org/fulldisclosure/2019/Jul/24
http://seclists.org/fulldisclosure/2019/Jul/26
http://seclists.org/fulldisclosure/2019/Jul/31
http://seclists.org/fulldisclosure/2019/Jul/37
http://seclists.org/fulldisclosure/2019/Jul/38
http://www.openwall.com/lists/oss-security/2019/11/17/2
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069
https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f656941948...
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db560...
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61...
https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
https://lists.fedoraproject.org/archives/list/[email protected]...
https://oss-fuzz.com/testcase-detail/5197371471822848
https://seclists.org/bugtraq/2019/Aug/21
https://seclists.org/bugtraq/2019/Aug/22
https://seclists.org/bugtraq/2019/Aug/23
https://seclists.org/bugtraq/2019/Aug/25
https://seclists.org/bugtraq/2019/Jul/35
https://seclists.org/bugtraq/2019/Jul/36
https://seclists.org/bugtraq/2019/Jul/37
https://seclists.org/bugtraq/2019/Jul/40
https://seclists.org/bugtraq/2019/Jul/41
https://seclists.org/bugtraq/2019/Jul/42
https://security.netapp.com/advisory/ntap-20190806-0004/
https://security.netapp.com/advisory/ntap-20200122-0003/
https://support.apple.com/kb/HT210346
https://support.apple.com/kb/HT210348
https://support.apple.com/kb/HT210351
https://support.apple.com/kb/HT210353
https://support.apple.com/kb/HT210356
https://support.apple.com/kb/HT210357
https://support.apple.com/kb/HT210358
https://usn.ubuntu.com/4164-1/
https://www.oracle.com/security-alerts/cpujan2020.html

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	xmlsoft	libxslt	1.1.33	-
	运行在以下环境
	系统	alpine_3.10	libxslt	*		Up to (excluding) 1.1.33-r3
	运行在以下环境
	系统	alpine_3.11	libxslt	*		Up to (excluding) 1.1.34-r0
	运行在以下环境
	系统	alpine_3.12	libxslt	*		Up to (excluding) 1.1.34-r0
	运行在以下环境
	系统	alpine_3.13	libxslt	*		Up to (excluding) 1.1.34-r0
	运行在以下环境
	系统	alpine_3.14	libxslt	*		Up to (excluding) 1.1.34-r0
	运行在以下环境
	系统	alpine_3.15	libxslt	*		Up to (excluding) 1.1.34-r0
	运行在以下环境
	系统	alpine_3.8	libxslt	*		Up to (excluding) 1.1.33-r3
	运行在以下环境
	系统	alpine_3.9	libxslt	*		Up to (excluding) 1.1.33-r3
	运行在以下环境
	系统	alpine_edge	libxslt	*		Up to (excluding) 1.1.34-r0
	运行在以下环境
	系统	amazon_2	libxslt	*		Up to (excluding) 11.0.6+10-1.amzn2
	运行在以下环境
	系统	debian_10	libxslt	*		Up to (excluding) 1.1.32-2.1~deb10u1
	运行在以下环境
	系统	debian_8	libxslt	*		Up to (excluding) 1.1.28-2+deb8u1
	运行在以下环境
	系统	debian_9	libxslt	*		Up to (excluding) 1.1.29-2.1+deb9u1
	运行在以下环境
	系统	fedora_31	libxslt	*		Up to (excluding) 1.1.33-4.fc31
	运行在以下环境
	系统	opensuse_Leap_15.1	libxslt	*		Up to (excluding) 1.1.32-lp151.3.6.1
	运行在以下环境
	系统	suse_12_SP4	libxslt	*		Up to (excluding) 1.1.28-17.6.1
	运行在以下环境
	系统	ubuntu_14.04	libxslt	*		Up to (excluding) 1.1.28-2ubuntu0.2+esm1
	运行在以下环境
	系统	ubuntu_16.04	libxslt	*		Up to (excluding) 1.1.28-2.1ubuntu0.3
	运行在以下环境
	系统	ubuntu_18.04	libxslt	*		Up to (excluding) 1.1.29-5ubuntu0.2
查看完整数据

阿里云评分 3.1

• 攻击路径 远程
• 攻击复杂度 复杂
• 权限要求 无需权限
• 影响范围 有限影响
• EXP成熟度 未验证
• 补丁情况 官方补丁
• 数据保密性 无影响
• 数据完整性 无影响
• 服务器危害 无影响
• 全网数量 100

CWE-ID 漏洞类型 CWE-843 使用不兼容类型访问资源（类型混淆）