Bug 6623

Summary: boost new security issue CVE-2012-2677
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/504070/
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK mga2-64-OK
Source RPM: boost-1.48.0-9.mga2.src.rpm CVE:
Status comment:
Attachments: test_bug_6701.cpp
test_bug_6701-mga1.cpp

Description David Walser 2012-06-29 18:19:04 CEST 
Fedora has issued an advisory on June 22:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082977.html

Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated boost packages fix security vulnerability:

A security flaw was found in the way ordered_malloc() routine
implementation in Boost, the free peer-reviewed portable C++ source
libraries, performed 'next-size' and 'max_size' parameters sanitization,
when allocating memory. If an application, using the Boost C++ source
libraries for memory allocation, was missing application-level checks
for safety of 'next_size' and 'max_size' values, a remote attacker could
provide a specially-crafted application-specific file (requiring runtime
memory allocation it to be processed correctly) that, when opened would
lead to that application crash, or, potentially arbitrary code execution
with the privileges of the user running the application (CVE-2012-2677).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2677
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082977.html
========================

Updated packages in core/updates_testing:
========================
libboost_date_time1.44.0-1.44.0-6.1.mga1
libboost_filesystem1.44.0-1.44.0-6.1.mga1
libboost_graph1.44.0-1.44.0-6.1.mga1
libboost_iostreams1.44.0-1.44.0-6.1.mga1
libboost_math_c99_1.44.0-1.44.0-6.1.mga1
libboost_math_c99f1.44.0-1.44.0-6.1.mga1
libboost_math_c99l1.44.0-1.44.0-6.1.mga1
libboost_math_tr1_1.44.0-1.44.0-6.1.mga1
libboost_math_tr1f1.44.0-1.44.0-6.1.mga1
libboost_math_tr1l1.44.0-1.44.0-6.1.mga1
libboost_prg_exec_monitor1.44.0-1.44.0-6.1.mga1
libboost_program_options1.44.0-1.44.0-6.1.mga1
libboost_python1.44.0-1.44.0-6.1.mga1
libboost_regex1.44.0-1.44.0-6.1.mga1
libboost_serialization1.44.0-1.44.0-6.1.mga1
libboost_signals1.44.0-1.44.0-6.1.mga1
libboost_system1.44.0-1.44.0-6.1.mga1
libboost_thread1.44.0-1.44.0-6.1.mga1
libboost_unit_test_framework1.44.0-1.44.0-6.1.mga1
libboost_wave1.44.0-1.44.0-6.1.mga1
libboost_wserialization1.44.0-1.44.0-6.1.mga1
libboost_random1.44.0-1.44.0-6.1.mga1
libboost-devel-1.44.0-6.1.mga1
libboost-devel-doc-1.44.0-6.1.mga1
libboost-static-devel-1.44.0-6.1.mga1
boost-examples-1.44.0-6.1.mga1
libboost_chrono1.48.0-1.48.0-9.1.mga2
libboost_date_time1.48.0-1.48.0-9.1.mga2
libboost_filesystem1.48.0-1.48.0-9.1.mga2
libboost_graph1.48.0-1.48.0-9.1.mga2
libboost_iostreams1.48.0-1.48.0-9.1.mga2
libboost_locale1.48.0-1.48.0-9.1.mga2
libboost_math1.48.0-1.48.0-9.1.mga2
libboost_prg_exec_monitor1.48.0-1.48.0-9.1.mga2
libboost_program_options1.48.0-1.48.0-9.1.mga2
libboost_python1.48.0-1.48.0-9.1.mga2
libboost_random1.48.0-1.48.0-9.1.mga2
libboost_regex1.48.0-1.48.0-9.1.mga2
libboost_serialization1.48.0-1.48.0-9.1.mga2
libboost_signals1.48.0-1.48.0-9.1.mga2
libboost_system1.48.0-1.48.0-9.1.mga2
libboost_thread1.48.0-1.48.0-9.1.mga2
libboost_timer1.48.0-1.48.0-9.1.mga2
libboost_unit_test_framework1.48.0-1.48.0-9.1.mga2
libboost_wave1.48.0-1.48.0-9.1.mga2
libboost_wserialization1.48.0-1.48.0-9.1.mga2
libboost-devel-1.48.0-9.1.mga2
boost-devel-doc-1.48.0-9.1.mga2
libboost-static-devel-1.48.0-9.1.mga2
boost-examples-1.48.0-9.1.mga2

from SRPMS:
boost-1.44.0-6.1.mga1.src.rpm
boost-1.48.0-9.1.mga2.src.rpm
David Walser 2012-06-29 18:19:18 CEST

Whiteboard: (none) => MGA1TOO

Comment 1 David Walser 2012-07-03 17:16:32 CEST 
The patch to fix this includes a "reproducer" program that can be used to verify the bug and the fix.  It tested correctly for me on mga1 and mga2 i586.

If you have libboost-devel installed, you can compile the program with g++ and then run the resulting binary.  With the bug present, it will exit with an assertion error.  With the bug fixed, it will produce no output.
Comment 2 David Walser 2012-07-03 17:18:13 CEST 
Created attachment 2521 [details]
test_bug_6701.cpp

This is the reproducer program from the original patch.  It works on Mageia 2.
Comment 3 David Walser 2012-07-03 17:19:27 CEST 
Created attachment 2522 [details]
test_bug_6701-mga1.cpp

This is a slightly modified version to work with boost 1.44 on Mageia 1.
Comment 4 claire robinson 2012-07-03 19:28:31 CEST 
Testing mga1 64

Thanks for the testcase and procedure David, that really saves some time.

To get g++
# urpmi gcc-c++

Before
------
$ g++ test_bug_6701-mga1.cpp 
$ ./a.out
a.out: test_bug_6701-mga1.cpp:21: int main(): Assertion `std::numeric_limits<size_t>::max() / 1024 >= p.get_next_size()' failed.
Aborted


After
-----
$ g++ test_bug_6701-mga1.cpp 
$ ./a.out
$ 

Not sure how to properly test libboost yet, looking into libboost-examples.
Comment 5 Dave Hodgins 2012-07-05 01:33:30 CEST 
Testing complete on Mageia 1 i586.

Will test Mageia 2 i586 shortly.

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO, mga1-32-OK

Comment 6 Dave Hodgins 2012-07-05 02:00:28 CEST 
Testing complete on Mageia 2 i586.

Also added mga1-64-OK based on comment 4. :-)

Whiteboard: MGA1TOO, mga1-32-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK

Comment 7 claire robinson 2012-07-05 15:36:41 CEST 
Testing complete mga2 64

This doesn't seem affected but no regression after the update


Validating

See comment 0 for Advisory and SRPM's for mga1 and 2.

Could sysadmin please push from core/updates_testing to core/updates

This also seems affected by bug 2317

----------------------------------------
Running checks for "lib64boost-devel" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is lib64boost-devel-1.48.0-9.mga2
Latest version found in "Core Updates Testing" is lib64boost-devel-1.48.0-9.1.mga2
----------------------------------------
The following packages will require linking:

lib64uClibc-zlib-devel-1.2.6-1.mga2 (Core Release)
lib64zlib-devel-1.2.6-1.mga2 (Core Release)
----------------------------------------

On mga1 it seems to pick up on some which most packages are..

----------------------------------------
Running checks for "lib64boost-devel" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is lib64boost-devel-1.44.0-6.mga1
Latest version found in "Core Updates Testing" is lib64boost-devel-1.44.0-6.1.mga1
----------------------------------------
The following packages will require linking:

notification-daemon-0.5.0-2.mga1 (Core 32bit Release)
notification-daemon-0.5.0-2.mga1 (Core Release)
xfce4-notifyd-0.2.1-3.mga1 (Core 32bit Release)
xfce4-notifyd-0.2.1-3.mga1 (Core Release)
----------------------------------------
Done.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK mga2-64-OK

Comment 8 David Walser 2012-07-05 15:39:10 CEST 
Why would any packages require linking when no new Requires/Suggests were added to the package?
Comment 9 claire robinson 2012-07-05 15:57:42 CEST 
It is recursive requires David. To properly find the minimum number of packages requiring linking depcheck would need completely rewriting but that seems self defeating. As it is it uses urpmq --whatrequires-recursive ..

What it would need to do to find minimal packages would be to distinguish added recursive requires from added suggests and then search only for added recursive requires of the added suggests instead of searching without the --no-suggests option. Then add those to the results of finding added recursive requires.

It is more sensible to spend that effort in fixing the actual bug rather than improving the workaround though.

Depends on: (none) => 2317

Comment 10 claire robinson 2012-07-05 15:58:26 CEST 
sorry --requires-recursive not --whatrequires-recursive
Comment 11 David Walser 2012-07-05 16:31:31 CEST 
So additional requires or suggests must have been added to dependencies of boost in other updates?  Oh that crazy Bug 2317 :o)
Comment 12 David Walser 2012-07-05 16:33:07 CEST 
(In reply to comment #11)
> So additional requires or suggests must have been added to dependencies of
> boost in other updates?  Oh that crazy Bug 2317 :o)

But wait, if that was true, wouldn't they have been linked already?
Comment 13 claire robinson 2012-07-05 16:42:38 CEST 
These ones have cropped up before so when others are linked this will not be directly affected. It's the links which are the problem rather than any specific package. Once done then anything affected by them will be OK.

I think Thomas is trying to wait and see what happens with bug 2317 as there are some with an enormous number of links required.
Comment 14 claire robinson 2012-07-05 17:56:53 CEST 
new depcheck found no links required so removing the depends.

Depends on: 2317 => (none)

Comment 15 Thomas Backlund 2012-07-10 01:33:20 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0151

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED