Bug 6623 - boost new security issue CVE-2012-2677
: boost new security issue CVE-2012-2677
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/504070/
: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-29 18:19 CEST by David Walser
Modified: 2012-07-10 01:33 CEST (History)
3 users (show)

See Also:
Source RPM: boost-1.48.0-9.mga2.src.rpm
CVE:
Status comment:


Attachments
test_bug_6701.cpp (753 bytes, text/x-c++src)
2012-07-03 17:18 CEST, David Walser
Details
test_bug_6701-mga1.cpp (702 bytes, text/x-c++src)
2012-07-03 17:19 CEST, David Walser
Details

Description David Walser 2012-06-29 18:19:04 CEST
Fedora has issued an advisory on June 22:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082977.html

Patched package uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated boost packages fix security vulnerability:

A security flaw was found in the way ordered_malloc() routine
implementation in Boost, the free peer-reviewed portable C++ source
libraries, performed 'next-size' and 'max_size' parameters sanitization,
when allocating memory. If an application, using the Boost C++ source
libraries for memory allocation, was missing application-level checks
for safety of 'next_size' and 'max_size' values, a remote attacker could
provide a specially-crafted application-specific file (requiring runtime
memory allocation it to be processed correctly) that, when opened would
lead to that application crash, or, potentially arbitrary code execution
with the privileges of the user running the application (CVE-2012-2677).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2677
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082977.html
========================

Updated packages in core/updates_testing:
========================
libboost_date_time1.44.0-1.44.0-6.1.mga1
libboost_filesystem1.44.0-1.44.0-6.1.mga1
libboost_graph1.44.0-1.44.0-6.1.mga1
libboost_iostreams1.44.0-1.44.0-6.1.mga1
libboost_math_c99_1.44.0-1.44.0-6.1.mga1
libboost_math_c99f1.44.0-1.44.0-6.1.mga1
libboost_math_c99l1.44.0-1.44.0-6.1.mga1
libboost_math_tr1_1.44.0-1.44.0-6.1.mga1
libboost_math_tr1f1.44.0-1.44.0-6.1.mga1
libboost_math_tr1l1.44.0-1.44.0-6.1.mga1
libboost_prg_exec_monitor1.44.0-1.44.0-6.1.mga1
libboost_program_options1.44.0-1.44.0-6.1.mga1
libboost_python1.44.0-1.44.0-6.1.mga1
libboost_regex1.44.0-1.44.0-6.1.mga1
libboost_serialization1.44.0-1.44.0-6.1.mga1
libboost_signals1.44.0-1.44.0-6.1.mga1
libboost_system1.44.0-1.44.0-6.1.mga1
libboost_thread1.44.0-1.44.0-6.1.mga1
libboost_unit_test_framework1.44.0-1.44.0-6.1.mga1
libboost_wave1.44.0-1.44.0-6.1.mga1
libboost_wserialization1.44.0-1.44.0-6.1.mga1
libboost_random1.44.0-1.44.0-6.1.mga1
libboost-devel-1.44.0-6.1.mga1
libboost-devel-doc-1.44.0-6.1.mga1
libboost-static-devel-1.44.0-6.1.mga1
boost-examples-1.44.0-6.1.mga1
libboost_chrono1.48.0-1.48.0-9.1.mga2
libboost_date_time1.48.0-1.48.0-9.1.mga2
libboost_filesystem1.48.0-1.48.0-9.1.mga2
libboost_graph1.48.0-1.48.0-9.1.mga2
libboost_iostreams1.48.0-1.48.0-9.1.mga2
libboost_locale1.48.0-1.48.0-9.1.mga2
libboost_math1.48.0-1.48.0-9.1.mga2
libboost_prg_exec_monitor1.48.0-1.48.0-9.1.mga2
libboost_program_options1.48.0-1.48.0-9.1.mga2
libboost_python1.48.0-1.48.0-9.1.mga2
libboost_random1.48.0-1.48.0-9.1.mga2
libboost_regex1.48.0-1.48.0-9.1.mga2
libboost_serialization1.48.0-1.48.0-9.1.mga2
libboost_signals1.48.0-1.48.0-9.1.mga2
libboost_system1.48.0-1.48.0-9.1.mga2
libboost_thread1.48.0-1.48.0-9.1.mga2
libboost_timer1.48.0-1.48.0-9.1.mga2
libboost_unit_test_framework1.48.0-1.48.0-9.1.mga2
libboost_wave1.48.0-1.48.0-9.1.mga2
libboost_wserialization1.48.0-1.48.0-9.1.mga2
libboost-devel-1.48.0-9.1.mga2
boost-devel-doc-1.48.0-9.1.mga2
libboost-static-devel-1.48.0-9.1.mga2
boost-examples-1.48.0-9.1.mga2

from SRPMS:
boost-1.44.0-6.1.mga1.src.rpm
boost-1.48.0-9.1.mga2.src.rpm
Comment 1 David Walser 2012-07-03 17:16:32 CEST
The patch to fix this includes a "reproducer" program that can be used to verify the bug and the fix.  It tested correctly for me on mga1 and mga2 i586.

If you have libboost-devel installed, you can compile the program with g++ and then run the resulting binary.  With the bug present, it will exit with an assertion error.  With the bug fixed, it will produce no output.
Comment 2 David Walser 2012-07-03 17:18:13 CEST
Created attachment 2521 [details]
test_bug_6701.cpp

This is the reproducer program from the original patch.  It works on Mageia 2.
Comment 3 David Walser 2012-07-03 17:19:27 CEST
Created attachment 2522 [details]
test_bug_6701-mga1.cpp

This is a slightly modified version to work with boost 1.44 on Mageia 1.
Comment 4 claire robinson 2012-07-03 19:28:31 CEST
Testing mga1 64

Thanks for the testcase and procedure David, that really saves some time.

To get g++
# urpmi gcc-c++

Before
------
$ g++ test_bug_6701-mga1.cpp 
$ ./a.out
a.out: test_bug_6701-mga1.cpp:21: int main(): Assertion `std::numeric_limits<size_t>::max() / 1024 >= p.get_next_size()' failed.
Aborted


After
-----
$ g++ test_bug_6701-mga1.cpp 
$ ./a.out
$ 

Not sure how to properly test libboost yet, looking into libboost-examples.
Comment 5 Dave Hodgins 2012-07-05 01:33:30 CEST
Testing complete on Mageia 1 i586.

Will test Mageia 2 i586 shortly.
Comment 6 Dave Hodgins 2012-07-05 02:00:28 CEST
Testing complete on Mageia 2 i586.

Also added mga1-64-OK based on comment 4. :-)
Comment 7 claire robinson 2012-07-05 15:36:41 CEST
Testing complete mga2 64

This doesn't seem affected but no regression after the update


Validating

See comment 0 for Advisory and SRPM's for mga1 and 2.

Could sysadmin please push from core/updates_testing to core/updates

This also seems affected by bug 2317

----------------------------------------
Running checks for "lib64boost-devel" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is lib64boost-devel-1.48.0-9.mga2
Latest version found in "Core Updates Testing" is lib64boost-devel-1.48.0-9.1.mga2
----------------------------------------
The following packages will require linking:

lib64uClibc-zlib-devel-1.2.6-1.mga2 (Core Release)
lib64zlib-devel-1.2.6-1.mga2 (Core Release)
----------------------------------------

On mga1 it seems to pick up on some which most packages are..

----------------------------------------
Running checks for "lib64boost-devel" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is lib64boost-devel-1.44.0-6.mga1
Latest version found in "Core Updates Testing" is lib64boost-devel-1.44.0-6.1.mga1
----------------------------------------
The following packages will require linking:

notification-daemon-0.5.0-2.mga1 (Core 32bit Release)
notification-daemon-0.5.0-2.mga1 (Core Release)
xfce4-notifyd-0.2.1-3.mga1 (Core 32bit Release)
xfce4-notifyd-0.2.1-3.mga1 (Core Release)
----------------------------------------
Done.
Comment 8 David Walser 2012-07-05 15:39:10 CEST
Why would any packages require linking when no new Requires/Suggests were added to the package?
Comment 9 claire robinson 2012-07-05 15:57:42 CEST
It is recursive requires David. To properly find the minimum number of packages requiring linking depcheck would need completely rewriting but that seems self defeating. As it is it uses urpmq --whatrequires-recursive ..

What it would need to do to find minimal packages would be to distinguish added recursive requires from added suggests and then search only for added recursive requires of the added suggests instead of searching without the --no-suggests option. Then add those to the results of finding added recursive requires.

It is more sensible to spend that effort in fixing the actual bug rather than improving the workaround though.
Comment 10 claire robinson 2012-07-05 15:58:26 CEST
sorry --requires-recursive not --whatrequires-recursive
Comment 11 David Walser 2012-07-05 16:31:31 CEST
So additional requires or suggests must have been added to dependencies of boost in other updates?  Oh that crazy Bug 2317 :o)
Comment 12 David Walser 2012-07-05 16:33:07 CEST
(In reply to comment #11)
> So additional requires or suggests must have been added to dependencies of
> boost in other updates?  Oh that crazy Bug 2317 :o)

But wait, if that was true, wouldn't they have been linked already?
Comment 13 claire robinson 2012-07-05 16:42:38 CEST
These ones have cropped up before so when others are linked this will not be directly affected. It's the links which are the problem rather than any specific package. Once done then anything affected by them will be OK.

I think Thomas is trying to wait and see what happens with bug 2317 as there are some with an enormous number of links required.
Comment 14 claire robinson 2012-07-05 17:56:53 CEST
new depcheck found no links required so removing the depends.
Comment 15 Thomas Backlund 2012-07-10 01:33:20 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0151

Note You need to log in before you can comment on or make changes to this bug.