The Boost.Locale library in Boost 1.48 to 1.52 inclusive has a security flaw (CVE-2013-0252): boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences. Applications that used these functions for UTF-8 input validation could expose themselves to security threats, as an invalid UTF-8 sequence would be considered valid. The package has been patched to fix the above security flaw.
PoC: https://svn.boost.org/trac/boost/ticket/7743
SRPM: boost-1.48.0-9.2.mga2.src.rpm
-----------------------------------
boost-devel-doc
boost-examples
lib64boost_chrono1.48.0
lib64boost_date_time1.48.0
lib64boost-devel
lib64boost_filesystem1.48.0
lib64boost_graph1.48.0
lib64boost_iostreams1.48.0
lib64boost_locale1.48.0
lib64boost_math1.48.0
lib64boost_prg_exec_monitor1.48.0
lib64boost_program_options1.48.0
lib64boost_python1.48.0
lib64boost_random1.48.0
lib64boost_regex1.48.0
lib64boost_serialization1.48.0
lib64boost_signals1.48.0
lib64boost-static-devel
lib64boost_system1.48.0
lib64boost_thread1.48.0
lib64boost_timer1.48.0
lib64boost_unit_test_framework1.48.0
lib64boost_wave1.48.0
lib64boost_wserialization1.48.0
Testing mga2 64

Before
------
Confirmed it is vulnerable
Saved the PoC as 9127.cpp
Edited it to put each #include on a separate line
Installed lib64boost-devel

$ g++ 9127.cpp -o 9127
$ ./9127
$

Shows no output. It should cause an exception and show an error.

After
-----
Confirmed there is nothing using the library which would need rebuilding

$ urpmq --whatrequires lib64boost_locale1.48.0
lib64boost-devel
lib64boost_locale1.48.0

$ rm -f 9127
$ g++ 9127.cpp -o 9127
$ ./9127
Source string contains illegal UTF-8 byte sequences
$

Tested with a few applications from..

$ urpmq --whatrequires $(rpm -qa --qf '%{NAME}\n' | grep boost | tr "\n" " ")

No regressions noticed.
Whiteboard: (none) => has_procedure mga2-64-ok
Ignore the rebuilding bit, it wasn't necessary.
This also needs fixed in Cauldron, but it's in progress by Shlomi and Barry. It's fixed upstream in 1.53.0, and I think they have all dependent packages rebuilding successfully except for one.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0252
http://www.boost.org/users/news/boost_locale_security_notice.html
http://www.ubuntu.com/usn/usn-1727-1/
URL: http://www.boost.org/users/news/boost_locale_security_notice.html => http://lwn.net/Vulnerabilities/538848/
CC: (none) => luigiwalser
Blocks: (none) => 9114
Thanks for the procedure Claire. Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm boost-1.48.0-9.2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates?

Advisory: The Boost.Locale library in Boost 1.48 to 1.52 inclusive has a security flaw (CVE-2013-0252): boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences. Applications that used these functions for UTF-8 input validation could expose themselves to security threats, as an invalid UTF-8 sequence would be considered valid. The package has been patched to fix the above security flaw.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0252
http://www.boost.org/users/news/boost_locale_security_notice.html
http://www.ubuntu.com/usn/usn-1727-1/
https://bugs.mageia.org/show_bug.cgi?id=9127
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok MGA2-32OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0061
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED