libxslt: dangling pointer in xsltCopyText (CVE-2019-18197)
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-18197
- https://security-tracker.debian.org/tracker/CVE-2019-18197
Patch:
https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
Affected branches:
- master
- 3.10-stable
- 3.9-stable
- 3.8-stable
- 3.7-stable
Edited by Kevin Daudt