Bug 22960 - boost new integer overflow security issue
Summary: boost new integer overflow security issue
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-04-27 18:49 CEST by David Walser
Modified: 2018-05-04 19:30 CEST

See Also:
Source RPM: boost-1.60.0-6.mga6.src.rpm
CVE:
Status comment:


Attachments
PoC to demonstrate regex integer overflow (884 bytes, text/plain)
2018-04-30 11:01 CEST, Len Lawrence
Two simple utility test files (528 bytes, application/octet-stream)
2018-04-30 11:03 CEST, Len Lawrence

Description David Walser 2018-04-27 18:49:07 CEST
Fedora has issued an advisory today (April 27):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/342ZTGQCOLK4EMJYROXHMDXITBWJISIU/

The upstream ticket and patch are linked from the RedHat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1564252
Comment 1 Marja Van Waes 2018-04-27 21:21:06 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Stig-Ørjan Smelror 2018-04-28 22:47:27 CEST

Assignee: shlomif => smelror
CC: (none) => smelror

Comment 2 Stig-Ørjan Smelror 2018-04-28 23:06:41 CEST
Advisory
========

A new, potential integer overflow security issue was discovered in Boost.Regex.

This update uses a patch from Boost that fixes this potential issue.


References
==========
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/342ZTGQCOLK4EMJYROXHMDXITBWJISIU/
https://bugzilla.redhat.com/show_bug.cgi?id=1564252
https://svn.boost.org/trac10/ticket/13036


Files
=====

Uploaded to 6/core/updates_testing

boost-build-1.60.0-6.1.mga6
boost-devel-doc-1.60.0-6.1.mga6
boost-examples-1.60.0-6.1.mga6
boost-bjam-1.60.0-6.1.mga6
boost-debuginfo-1.60.0-6.1.mga6
boost-doctools-1.60.0-6.1.mga6
lib64boost_atomic1.60.0-1.60.0-6.1.mga6
lib64boost_chrono1.60.0-1.60.0-6.1.mga6
lib64boost_container1.60.0-1.60.0-6.1.mga6
lib64boost_context1.60.0-1.60.0-6.1.mga6
lib64boost_coroutine1.60.0-1.60.0-6.1.mga6
lib64boost_date_time1.60.0-1.60.0-6.1.mga6
lib64boost-devel-1.60.0-6.1.mga6
lib64boost_filesystem1.60.0-1.60.0-6.1.mga6
lib64boost_graph1.60.0-1.60.0-6.1.mga6
lib64boost-graph-mpi1.60.0-1.60.0-6.1.mga6
lib64boost-graph-mpich1.60.0-1.60.0-6.1.mga6
lib64boost_iostreams1.60.0-1.60.0-6.1.mga6
lib64boost_locale1.60.0-1.60.0-6.1.mga6
lib64boost_log1.60.0-1.60.0-6.1.mga6
lib64boost_math1.60.0-1.60.0-6.1.mga6
lib64boost-mpich1.60.0-1.60.0-6.1.mga6
lib64boost-mpich-devel-1.60.0-6.1.mga6
lib64boost-mpich-python1.60.0-1.60.0-6.1.mga6
lib64boost-mpi-python1.60.0-1.60.0-6.1.mga6
lib64boost-openmpi1.60.0-1.60.0-6.1.mga6
lib64boost-openmpi-devel-1.60.0-6.1.mga6
lib64boost_prg_exec_monitor1.60.0-1.60.0-6.1.mga6
lib64boost_program_options1.60.0-1.60.0-6.1.mga6
lib64boost_python1.60.0-1.60.0-6.1.mga6
lib64boost-python3_1.60.0-1.60.0-6.1.mga6
lib64boost_random1.60.0-1.60.0-6.1.mga6
lib64boost_regex1.60.0-1.60.0-6.1.mga6
lib64boost_serialization1.60.0-1.60.0-6.1.mga6
lib64boost_signals1.60.0-1.60.0-6.1.mga6
lib64boost-static-devel-1.60.0-6.1.mga6
lib64boost_system1.60.0-1.60.0-6.1.mga6
lib64boost_thread1.60.0-1.60.0-6.1.mga6
lib64boost_timer1.60.0-1.60.0-6.1.mga6
lib64boost_type_erasure1.60.0-1.60.0-6.1.mga6
lib64boost_unit_test_framework1.60.0-1.60.0-6.1.mga6
lib64boost_wave1.60.0-1.60.0-6.1.mga6
lib64boost_wserialization1.60.0-1.60.0-6.1.mga6

from boost-1.60.0-6.1.src.rpm

Assignee: smelror => qa-bugs

Comment 3 Len Lawrence 2018-04-30 03:07:32 CEST
Mageia 6, x86_64

Several boost 1.60 packages already installed.  Added those that were missing to ensure all files were in place before updating.

The howto documentation at https://www.boost.org/doc/libs/1_64_0/more/getting_started/unix-variants.html looks pretty clear so I shall check the completeness of the installation and try out the simple starter examples then update.

There are reproducers from RedHat (Cuda 9) and the Boost site for two issues.
@Stig: If I read this correctly the update addresses the second one only.  Is that correct?

Continuing later.

CC: (none) => tarazed25

Comment 4 Stig-Ørjan Smelror 2018-04-30 07:02:56 CEST
Len,

Yes, this update only contains the fix for the integer overflow and not the fix for CUDA.

Cheers,
Stig
Comment 5 Len Lawrence 2018-04-30 10:59:18 CEST
Thanks Stig.

Google quote:
"Boost is a set of libraries for the C++ programming language that provide support for tasks and structures such as linear algebra, pseudorandom number generation, multithreading, image processing, regular expressions, and unit testing. It contains over eighty individual libraries."

*Tests before updating*

PoC at https://svn.boost.org/trac10/ticket/13036#no1
bug_13036.cc

$ g++ -I/usr/include/boost bug_13036.cc -o bug
/tmp/ccyIIzRq.o: In function `boost::basic_regex<char, boost::regex_traits<char, boost::cpp_regex_traits<char> > >::assign(char const*, char const*, unsigned int)':
bug_13036.cc:(.text._ZN5boost11basic_regexIcNS_12regex_traitsIcNS_16cpp_regex_tr
...........
collect2: error: ld returned 1 exit status

Example from the "getting started" site:
$ g++ -I/usr/include/boost test1.cc -o test1
$ echo 1 2 3 | ./test1
3 6 9

Running a similar command on the subject.cc file from the attached tarball results in regex errors as with the PoC file.
Comment 6 Len Lawrence 2018-04-30 11:01:45 CEST
Created attachment 10108
PoC to demonstrate regex integer overflow

$ g++ -I /usr/include/boost bug_13036.cc -o bug
Comment 7 Len Lawrence 2018-04-30 11:03:29 CEST
Created attachment 10109
Two simple utility test files
Comment 8 Len Lawrence 2018-04-30 11:13:29 CEST
Note that boost comes with a large set of examples, some of which are copyrighted under the Boost Software Licence.  Shall have a look at those later.
Comment 9 Len Lawrence 2018-04-30 12:14:10 CEST
Updated all the boost packages and tried the bug_13036.cc reproducer and saw exactly the same error message, and the same with the other regex test.

Help!
Comment 10 Stig-Ørjan Smelror 2018-04-30 12:32:18 CEST
I had to double check to see if the patch was actually applied and it is.

Have no idea why the reproducer shows the same behaviour. It states it was compiled with an older version of GCC. Don't know if that has anything to do with it.

Cheers,
Stig
Comment 11 Len Lawrence 2018-04-30 13:18:19 CEST
Thanks for checking Stig.  If our gcc suite is more up-to-date it is hard to see how the version could matter.  There is no confusion is there, between patches I mean?  It looks like the first responder to the bug was using a 32-bit system.  His patch was rejected by John Maddock and replaced because he did not like the use of unsigned integers.  Presumably it is his patch which was used (no offence intended - just clutching at straws).

I tried a different partition and reinstalled everything from scratch and updated again.  Still the same failure.  We may have to reach out to upstream, or fix it ourselves.
Comment 12 Len Lawrence 2018-04-30 20:39:53 CEST
@Stig: Apologies for that silly remark in comment 11.  Delving into the bowels of boost I did see the applied patch in /usr/include/boost/regex/v4/perl_matcher_common.hpp.
And looking at the error stack from the PoC test I do not think the failure has anything to do with this section of code.  What stands out is

undefined reference to `boost::basic_regex<char, boost::regex_traits<char, boost::cpp_regex_traits<char>

which implies perhaps that I am not using boost in the correct way.  Something missing in the environment perhaps?

The subject.cc file from the tutorial produces a huge error stack as well with:

undefined reference to `boost::re_detail_106000::perl_matcher<__gnu_cxx::__normal_iterator<char const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>

"undefined reference" usually implies a missing include file I think, or is it a namespace problem (shrug).
Comment 13 Len Lawrence 2018-04-30 21:34:06 CEST
Tried playing around with include files, to no avail - bull in a china shop stuff.
Comment 14 Len Lawrence 2018-05-01 13:24:25 CEST
So what if the documentation is misleading, or just plain wrong or maybe I misread it?
How would one go about compiling something normally?
If all the includes are in place then maybe the compiler cannot find the libraries?

$ g++ -I/usr/include/boost -lboost_regex bug_13036.cc -o bug
$
 <bingo!>
$ g++ -I/usr/include/boost -lboost_regex subject.cc -o subject
$ file subject
subject: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=fb758ba893bc41706cd2e7ec2f737025b5284dec, not stripped
$ ./subject < testmessage
Will Success Spoil Rock Hunter?
Comment 15 David Walser 2018-05-01 17:27:15 CEST
I was about to say that you forgot to do the -lfoo to link to the library, glad to see you figured that out.  That's normal.
Comment 16 Len Lawrence 2018-05-02 00:29:55 CEST
Tried the PoC on a pre-updated system again but could not get the compiled program to fail.  However, taking note of the modification suggested for 64-bit systems the executable hogged one of the cpus at 100% for several seconds then failed.

The edit was
boost::regex expr(std::string(3037000500, '.')); // force overflow;

$ ./bug
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
Aborted (core dumped)

On an updated system the behaviour of the recompiled script is the same, so we cannot conclude anything from that test but at least we know that the patch has been applied.
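The PoC length used above, 3037000500, is the smallest integer whose square exceeds INT64_MAX (3037000499^2 still fits), which is why the 64-bit variant of the reproducer needs a string that large. The following is an added example written for this page, not Boost's code and not the patch in perl_matcher_common.hpp (which the thread does not quote): it models the class of bug as a length-squared estimate computed in a signed 64-bit type, and shows the unchecked product beside the two usual forms of overflow check. The assumption that the overflowing expression is a squared length is inferred only from the PoC value; the function names and the bisection helper are illustrative.

```c
/* Added illustration, not Boost's code. Assumption: the overflowing
 * computation behaves like n * n on a pattern length n held in a signed
 * 64-bit type, which is what the PoC value 3037000500 (the smallest n with
 * n * n > INT64_MAX) suggests. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Portable check: for n > 0, n * n fits in int64_t exactly when
 * n <= INT64_MAX / n. Negative lengths are rejected outright, which also
 * avoids the undefined negation of INT64_MIN. */
bool square_fits_int64_div(int64_t n)
{
    if (n < 0)
        return false;
    if (n == 0)
        return true;
    return n <= INT64_MAX / n;
}

/* Same check via the GCC/Clang builtin, which computes the product at full
 * precision and reports whether the int64_t result wrapped. */
bool square_fits_int64_builtin(int64_t n)
{
    int64_t out;
    return !__builtin_mul_overflow(n, n, &out);
}

/* What an unchecked multiplication leaves behind: the product modulo 2^64.
 * Done in uint64_t because signed overflow is undefined behaviour in C;
 * a value above INT64_MAX is one that a signed computation would have
 * turned into garbage (negative on two's-complement machines). */
uint64_t wrapped_square(int64_t n)
{
    uint64_t u = (uint64_t)n;
    return u * u;
}

/* Largest length whose square still fits, floor(sqrt(INT64_MAX)), found by
 * bisection on the checked predicate so the search itself never overflows.
 * Invariant: fits(lo) is true and fits(hi) is false. */
int64_t max_length_with_safe_square(void)
{
    int64_t lo = 0;
    int64_t hi = INT64_C(4294967296);   /* 2^32: its square is 2^64, too large */
    while (hi - lo > 1) {
        int64_t mid = lo + (hi - lo) / 2;
        if (square_fits_int64_div(mid))
            lo = mid;
        else
            hi = mid;
    }
    return lo;
}

int main(void)
{
    const int64_t poc_len = INT64_C(3037000500);   /* length from the PoC edit */
    int64_t safe_max = max_length_with_safe_square();

    printf("largest length with n*n <= INT64_MAX: %lld\n", (long long)safe_max);
    printf("PoC length %lld: fits(div)=%d fits(builtin)=%d\n",
           (long long)poc_len,
           square_fits_int64_div(poc_len),
           square_fits_int64_builtin(poc_len));
    printf("unchecked product = %llu (INT64_MAX is %llu)\n",
           (unsigned long long)wrapped_square(poc_len),
           (unsigned long long)INT64_MAX);
    return 0;
}
```

Compile with `gcc -std=c11 -Wall overflow_check.c` (file name hypothetical) and run it with no arguments; both checks agree that 3037000499 is the last safe length and that the PoC length is one past it. The division form is the one to prefer in portable library code; the builtin is convenient where GCC or Clang is guaranteed.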
Comment 17 Len Lawrence 2018-05-02 15:03:37 CEST
This is about as far as I am likely to go with boost.  It should get the OK.  And, after a second look at the documentation I have to confess that I did misread it or missed a bit.  It is all quite clear.

Whiteboard: (none) => MGA6-64-OK

Lewis Smith 2018-05-04 11:11:22 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 18 Mageia Robot 2018-05-04 19:30:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0220.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

