Fedora has issued an advisory on June 22: http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082977.html

Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated boost packages fix security vulnerability:

A security flaw was found in the way the ordered_malloc() routine implementation in Boost, the free peer-reviewed portable C++ source libraries, performed 'next_size' and 'max_size' parameter sanitization when allocating memory. If an application using the Boost C++ source libraries for memory allocation was missing application-level checks for the safety of the 'next_size' and 'max_size' values, a remote attacker could provide a specially-crafted application-specific file (requiring runtime memory allocation for it to be processed correctly) that, when opened, would lead to that application crashing or, potentially, arbitrary code execution with the privileges of the user running the application (CVE-2012-2677).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2677
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082977.html
========================

Updated packages in core/updates_testing:
========================
libboost_date_time1.44.0-1.44.0-6.1.mga1
libboost_filesystem1.44.0-1.44.0-6.1.mga1
libboost_graph1.44.0-1.44.0-6.1.mga1
libboost_iostreams1.44.0-1.44.0-6.1.mga1
libboost_math_c99_1.44.0-1.44.0-6.1.mga1
libboost_math_c99f1.44.0-1.44.0-6.1.mga1
libboost_math_c99l1.44.0-1.44.0-6.1.mga1
libboost_math_tr1_1.44.0-1.44.0-6.1.mga1
libboost_math_tr1f1.44.0-1.44.0-6.1.mga1
libboost_math_tr1l1.44.0-1.44.0-6.1.mga1
libboost_prg_exec_monitor1.44.0-1.44.0-6.1.mga1
libboost_program_options1.44.0-1.44.0-6.1.mga1
libboost_python1.44.0-1.44.0-6.1.mga1
libboost_regex1.44.0-1.44.0-6.1.mga1
libboost_serialization1.44.0-1.44.0-6.1.mga1
libboost_signals1.44.0-1.44.0-6.1.mga1
libboost_system1.44.0-1.44.0-6.1.mga1
libboost_thread1.44.0-1.44.0-6.1.mga1
libboost_unit_test_framework1.44.0-1.44.0-6.1.mga1
libboost_wave1.44.0-1.44.0-6.1.mga1
libboost_wserialization1.44.0-1.44.0-6.1.mga1
libboost_random1.44.0-1.44.0-6.1.mga1
libboost-devel-1.44.0-6.1.mga1
libboost-devel-doc-1.44.0-6.1.mga1
libboost-static-devel-1.44.0-6.1.mga1
boost-examples-1.44.0-6.1.mga1

libboost_chrono1.48.0-1.48.0-9.1.mga2
libboost_date_time1.48.0-1.48.0-9.1.mga2
libboost_filesystem1.48.0-1.48.0-9.1.mga2
libboost_graph1.48.0-1.48.0-9.1.mga2
libboost_iostreams1.48.0-1.48.0-9.1.mga2
libboost_locale1.48.0-1.48.0-9.1.mga2
libboost_math1.48.0-1.48.0-9.1.mga2
libboost_prg_exec_monitor1.48.0-1.48.0-9.1.mga2
libboost_program_options1.48.0-1.48.0-9.1.mga2
libboost_python1.48.0-1.48.0-9.1.mga2
libboost_random1.48.0-1.48.0-9.1.mga2
libboost_regex1.48.0-1.48.0-9.1.mga2
libboost_serialization1.48.0-1.48.0-9.1.mga2
libboost_signals1.48.0-1.48.0-9.1.mga2
libboost_system1.48.0-1.48.0-9.1.mga2
libboost_thread1.48.0-1.48.0-9.1.mga2
libboost_timer1.48.0-1.48.0-9.1.mga2
libboost_unit_test_framework1.48.0-1.48.0-9.1.mga2
libboost_wave1.48.0-1.48.0-9.1.mga2
libboost_wserialization1.48.0-1.48.0-9.1.mga2
libboost-devel-1.48.0-9.1.mga2
boost-devel-doc-1.48.0-9.1.mga2
libboost-static-devel-1.48.0-9.1.mga2
boost-examples-1.48.0-9.1.mga2

from SRPMS:
boost-1.44.0-6.1.mga1.src.rpm
boost-1.48.0-9.1.mga2.src.rpm
Whiteboard: (none) => MGA1TOO
The patch to fix this includes a "reproducer" program that can be used to verify the bug and the fix. It tested correctly for me on mga1 and mga2 i586. If you have libboost-devel installed, you can compile the program with g++ and then run the resulting binary. With the bug present, it will exit with an assertion error. With the bug fixed, it will produce no output.
Created attachment 2521: test_bug_6701.cpp
This is the reproducer program from the original patch. It works on Mageia 2.
Created attachment 2522: test_bug_6701-mga1.cpp
This is a slightly modified version to work with boost 1.44 on Mageia 1.
Testing mga1 64

Thanks for the testcase and procedure David, that really saves some time.

To get g++:
# urpmi gcc-c++

Before
------
$ g++ test_bug_6701-mga1.cpp
$ ./a.out
a.out: test_bug_6701-mga1.cpp:21: int main(): Assertion `std::numeric_limits<size_t>::max() / 1024 >= p.get_next_size()' failed.
Aborted

After
-----
$ g++ test_bug_6701-mga1.cpp
$ ./a.out
$

Not sure how to properly test libboost yet, looking into libboost-examples.
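The reproducer itself is only attached above, not shown, so the following is an added, self-contained C++ illustration of the arithmetic that the failing assertion guards. It is not Boost's pool code and not the attachment: a pool that hands out fixed-size chunks must compute `next_size * partition_size` bytes for each new block, and that product only fits in `size_t` when `next_size <= SIZE_MAX / partition_size`, which is the relation `std::numeric_limits<size_t>::max() / 1024 >= p.get_next_size()` checked at line 21 of the test. The 1024-byte chunk size is taken from that assertion; the `toy::` namespace and its function names, and the oversized count `SIZE_MAX / 1024 + 1`, are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>

// Added illustration only: a toy model of fixed-size-chunk pool sizing, NOT
// Boost's pool implementation. Every name in namespace toy is made up here.
namespace toy {

const std::size_t kSizeMax = std::numeric_limits<std::size_t>::max();

// Vulnerable form: bytes needed for a block of `next_size` chunks, computed
// with no guard. Unsigned multiplication wraps silently, so an oversized chunk
// count yields a small (here even zero) byte count, and code that later fills
// `next_size` chunks writes far past the buffer it actually obtained.
std::size_t block_bytes_unchecked(std::size_t partition_size, std::size_t next_size)
{
    return next_size * partition_size;
}

// Hardened form: refuse unless next_size <= SIZE_MAX / partition_size, the same
// relation the reproducer asserts for get_next_size() with a 1024-byte chunk.
// On success the byte count is written to *out and true is returned.
bool block_bytes_checked(std::size_t partition_size, std::size_t next_size, std::size_t* out)
{
    if (partition_size == 0 || out == nullptr)
        return false;
    if (next_size > kSizeMax / partition_size)
        return false;                      // product would not fit in size_t
    *out = next_size * partition_size;
    return true;
}

// Sanitize a caller-supplied chunk count (next_size or max_size) so that its
// product with the chunk size can never overflow: clamp to the largest count
// that is still representable.
std::size_t clamp_chunk_count(std::size_t partition_size, std::size_t requested)
{
    std::size_t limit = kSizeMax / partition_size;
    return requested > limit ? limit : requested;
}

// Growth policy for the next block: double the chunk count, but never exceed
// max_size (0 = unlimited) nor the overflow limit. The doubling itself is
// decided by comparing against limit / 2 instead of multiplying first.
std::size_t grow_next_size(std::size_t partition_size, std::size_t next_size, std::size_t max_size)
{
    std::size_t limit = kSizeMax / partition_size;
    std::size_t grown = (next_size > limit / 2) ? limit : next_size * 2;
    if (max_size != 0 && grown > max_size)
        grown = max_size;
    return grown > limit ? limit : grown;
}

} // namespace toy

int main()
{
    const std::size_t chunk = 1024;                          // chunk size from the assertion
    const std::size_t too_many = toy::kSizeMax / chunk + 1;  // one chunk past the safe limit

    // Unchecked: (SIZE_MAX / 1024 + 1) * 1024 wraps to exactly 0 bytes.
    std::printf("unchecked bytes for %zu chunks: %zu\n",
                too_many, toy::block_bytes_unchecked(chunk, too_many));

    std::size_t bytes = 0;
    if (!toy::block_bytes_checked(chunk, too_many, &bytes))
        std::printf("checked: request of %zu chunks refused\n", too_many);

    std::printf("clamped count: %zu (limit %zu)\n",
                toy::clamp_chunk_count(chunk, too_many), toy::kSizeMax / chunk);
    return 0;
}
```

Compile with `g++ -Wall` and no extra libraries; the `%zu` conversions need C++11 or later, which current g++ defaults to. The design point is that the overflow test is done with a division on the limit side (`next_size > SIZE_MAX / partition_size`) rather than by checking the product after the fact, since the wrapped product carries no trace of the overflow.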
Testing complete on Mageia 1 i586. Will test Mageia 2 i586 shortly.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO, mga1-32-OK
Testing complete on Mageia 2 i586. Also added mga1-64-OK based on comment 4. :-)
Whiteboard: MGA1TOO, mga1-32-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK
Testing complete mga2 64

This doesn't seem affected but no regression after the update.

Validating. See comment 0 for Advisory and SRPMs for mga1 and 2.

Could sysadmin please push from core/updates_testing to core/updates

This also seems affected by bug 2317
----------------------------------------
Running checks for "lib64boost-devel" using media "Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is lib64boost-devel-1.48.0-9.mga2
Latest version found in "Core Updates Testing" is lib64boost-devel-1.48.0-9.1.mga2
----------------------------------------
The following packages will require linking:
lib64uClibc-zlib-devel-1.2.6-1.mga2 (Core Release)
lib64zlib-devel-1.2.6-1.mga2 (Core Release)
----------------------------------------

On mga1 it seems to pick up on some which most packages are..
----------------------------------------
Running checks for "lib64boost-devel" using media "Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is lib64boost-devel-1.44.0-6.mga1
Latest version found in "Core Updates Testing" is lib64boost-devel-1.44.0-6.1.mga1
----------------------------------------
The following packages will require linking:
notification-daemon-0.5.0-2.mga1 (Core 32bit Release)
notification-daemon-0.5.0-2.mga1 (Core Release)
xfce4-notifyd-0.2.1-3.mga1 (Core 32bit Release)
xfce4-notifyd-0.2.1-3.mga1 (Core Release)
----------------------------------------
Done.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
Whiteboard: MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK => MGA1TOO, mga1-32-OK, mga2-32-OK, mga1-64-OK mga2-64-OK
Why would any packages require linking when no new Requires/Suggests were added to the package?
It is recursive requires David. To properly find the minimum number of packages requiring linking depcheck would need completely rewriting but that seems self defeating. As it is it uses urpmq --whatrequires-recursive .. What it would need to do to find minimal packages would be to distinguish added recursive requires from added suggests and then search only for added recursive requires of the added suggests instead of searching without the --no-suggests option. Then add those to the results of finding added recursive requires. It is more sensible to spend that effort in fixing the actual bug rather than improving the workaround though.
Depends on: (none) => 2317
sorry --requires-recursive not --whatrequires-recursive
So additional requires or suggests must have been added to dependencies of boost in other updates? Oh that crazy Bug 2317 :o)
(In reply to comment #11)
> So additional requires or suggests must have been added to dependencies of
> boost in other updates? Oh that crazy Bug 2317 :o)

But wait, if that was true, wouldn't they have been linked already?
These ones have cropped up before so when others are linked this will not be directly affected. It's the links which are the problem rather than any specific package. Once done then anything affected by them will be OK. I think Thomas is trying to wait and see what happens with bug 2317 as there are some with an enormous number of links required.
New depcheck found no links required, so removing the depends.
Depends on: 2317 => (none)
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0151
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED