Bug 9127 - [Update Request]Update boost package to fix CVE-2013-0252
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/538848/
Whiteboard: has_procedure mga2-64-ok MGA2-32OK
Keywords: validated_update
Blocks: 9114
Reported: 2013-02-20 05:42 CET by Funda Wang
Modified: 2013-02-21 22:05 CET
Source RPM: boost-1.48.0-9.2.mga2

Description Funda Wang 2013-02-20 05:42:26 CET
The Boost.Locale library in Boost 1.48 to 1.52 inclusive has a security flaw (CVE-2013-0252): boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences. Applications that used these functions for UTF-8 input validation could expose themselves to security threats, as invalid UTF-8 sequences would be considered valid.

The package has been patched to fix the above security flaw.
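
Added example, not part of the original report and not Boost.Locale code or the PoC from the upstream ticket: the report does not say which invalid sequences were accepted, so this stand-alone checker covers every class of ill-formed UTF-8 that RFC 3629 rules out, which makes it usable as an independent cross-check on a validator's verdicts. The helper name `is_valid_utf8` and all sample inputs are constructed for illustration.

```cpp
// Added example: strict UTF-8 well-formedness check per RFC 3629.
// Not Boost.Locale code and not the PoC from the upstream ticket.
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical helper: true only if every byte of `s` belongs to a
// well-formed UTF-8 sequence.
bool is_valid_utf8(const std::string& s) {
    const unsigned char* p = reinterpret_cast<const unsigned char*>(s.data());
    const std::size_t n = s.size();
    for (std::size_t i = 0; i < n;) {
        const unsigned char lead = p[i];
        std::size_t len;
        unsigned long cp, min_cp;
        if (lead < 0x80) { ++i; continue; }  // ASCII
        else if ((lead & 0xE0) == 0xC0) { len = 2; cp = lead & 0x1F; min_cp = 0x80; }
        else if ((lead & 0xF0) == 0xE0) { len = 3; cp = lead & 0x0F; min_cp = 0x800; }
        else if ((lead & 0xF8) == 0xF0) { len = 4; cp = lead & 0x07; min_cp = 0x10000; }
        else return false;              // stray continuation byte or 0xF8..0xFF
        if (n - i < len) return false;  // sequence truncated at end of input
        for (std::size_t k = 1; k < len; ++k) {
            const unsigned char c = p[i + k];
            if ((c & 0xC0) != 0x80) return false;  // not a continuation byte
            cp = (cp << 6) | (c & 0x3F);
        }
        if (cp < min_cp) return false;                   // overlong encoding
        if (cp >= 0xD800 && cp <= 0xDFFF) return false;  // UTF-16 surrogate
        if (cp > 0x10FFFF) return false;                 // beyond Unicode range
        i += len;
    }
    return true;
}

int main() {
    // Constructed sample inputs, one per class of sequence.
    const struct { const char* label; const char* bytes; } samples[] = {
        {"valid 2-byte (U+00E9)",   "caf\xC3\xA9"},
        {"valid 4-byte (U+1F600)",  "\xF0\x9F\x98\x80"},
        {"overlong 2-byte '/'",     "\xC0\xAF"},
        {"overlong 3-byte '/'",     "\xE0\x80\xAF"},
        {"surrogate U+D800",        "\xED\xA0\x80"},
        {"above U+10FFFF",          "\xF4\x90\x80\x80"},
        {"truncated 3-byte",        "\xE2\x82"},
        {"stray continuation",      "\x80"},
    };
    for (const auto& s : samples)
        std::printf("%-26s %s\n", s.label, is_valid_utf8(s.bytes) ? "accepted" : "REJECTED");
    return 0;
}
```

Only the two "valid" rows should print `accepted`; any input this checker rejects but a library validator passes is worth investigating.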
Comment 1 claire robinson 2013-02-20 09:51:07 CET
PoC: https://svn.boost.org/trac/boost/ticket/7743
Comment 2 claire robinson 2013-02-20 10:02:03 CET
SRPM: boost-1.48.0-9.2.mga2.src.rpm
-----------------------------------
boost-devel-doc
boost-examples
lib64boost_chrono1.48.0
lib64boost_date_time1.48.0
lib64boost-devel
lib64boost_filesystem1.48.0
lib64boost_graph1.48.0
lib64boost_iostreams1.48.0
lib64boost_locale1.48.0
lib64boost_math1.48.0
lib64boost_prg_exec_monitor1.48.0
lib64boost_program_options1.48.0
lib64boost_python1.48.0
lib64boost_random1.48.0
lib64boost_regex1.48.0
lib64boost_serialization1.48.0
lib64boost_signals1.48.0
lib64boost-static-devel
lib64boost_system1.48.0
lib64boost_thread1.48.0
lib64boost_timer1.48.0
lib64boost_unit_test_framework1.48.0
lib64boost_wave1.48.0
lib64boost_wserialization1.48.0
Comment 3 claire robinson 2013-02-20 11:32:51 CET
Testing mga2 64

Before
------
Confirmed it is vulnerable

Saved the PoC as 9127.cpp
Edited it to put each #include on a separate line

Installed lib64boost-devel

$ g++ 9127.cpp -o 9127
$ ./9127
$

Shows no output. It should cause an exception and show an error.


After
-----
Confirmed there is nothing using the library which would need rebuilding

$ urpmq --whatrequires lib64boost_locale1.48.0
lib64boost-devel
lib64boost_locale1.48.0

$ rm -f 9127
$ g++ 9127.cpp -o 9127
$ ./9127
Source string contains illegal UTF-8 byte sequences
$

Tested with a few applications from..

$ urpmq --whatrequires $(rpm -qa --qf '%{NAME}\n' | grep boost | tr "\n" " ")

No regressions noticed.
Comment 4 claire robinson 2013-02-20 11:39:55 CET
Ignore the rebuilding bit, it wasn't necessary.
Comment 5 David Walser 2013-02-20 12:39:46 CET
This also needs fixed in Cauldron, but it's in progress by Shlomi and Barry.  It's fixed upstream in 1.53.0, and I think they have all dependent packages rebuilding successfully except for one.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0252
http://www.boost.org/users/news/boost_locale_security_notice.html
http://www.ubuntu.com/usn/usn-1727-1/
Comment 6 Dave Hodgins 2013-02-21 04:49:59 CET
Thanks for the procedure Claire.

Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpm
boost-1.48.0-9.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates?

Advisory: The Boost.Locale library in Boost 1.48 to 1.52 inclusive has a security flaw (CVE-2013-0252): boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences. Applications that used these functions for UTF-8 input validation could expose themselves to security threats, as invalid UTF-8 sequences would be considered valid.

The package has been patched to fix the above security flaw.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0252
http://www.boost.org/users/news/boost_locale_security_notice.html
http://www.ubuntu.com/usn/usn-1727-1/

https://bugs.mageia.org/show_bug.cgi?id=9127
Comment 7 Thomas Backlund 2013-02-21 22:05:36 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0061
