Multiple heap-based buffer overflows in the rc4 (1) encryption (aka exsltCryptoRc4EncryptFunction) and (2) decryption (aka exsltCryptoRc4DecryptFunction) functions in crypto.c in libexslt in libxslt 1.1.8 through 1.1.24 allow context-dependent attackers to execute arbitrary code via an XML file containing a long string as "an argument in the XSL input."

| Software | From | Fixed in |
|---|---|---|
| xmlsoft / libxslt | 1.1.8 | 1.1.8.x |
| xmlsoft / libxslt | 1.1.9 | 1.1.9.x |
| xmlsoft / libxslt | 1.1.10 | 1.1.10.x |
| xmlsoft / libxslt | 1.1.11 | 1.1.11.x |
| xmlsoft / libxslt | 1.1.12 | 1.1.12.x |
| xmlsoft / libxslt | 1.1.13 | 1.1.13.x |
| xmlsoft / libxslt | 1.1.14 | 1.1.14.x |
| xmlsoft / libxslt | 1.1.15 | 1.1.15.x |
| xmlsoft / libxslt | 1.1.16 | 1.1.16.x |
| xmlsoft / libxslt | 1.1.17 | 1.1.17.x |
| xmlsoft / libxslt | 1.1.18 | 1.1.18.x |
| xmlsoft / libxslt | 1.1.19 | 1.1.19.x |
| xmlsoft / libxslt | 1.1.20 | 1.1.20.x |
| xmlsoft / libxslt | 1.1.21 | 1.1.21.x |
| xmlsoft / libxslt | 1.1.22 | 1.1.22.x |
| xmlsoft / libxslt | 1.1.23 | 1.1.23.x |
| xmlsoft / libxslt | 1.1.24 | 1.1.24.x |