[pkg-boost-devel] Bug#461236: boost vulnerabilities
Jamie Strandboge
jamie at ubuntu.com
Thu Jan 17 15:48:33 UTC 2008
Package: boost
Version: 1.34.1-2.2
Severity: critical
Tags: patch, security
User: ubuntu-devel at lists.ubuntu.com
Usertags: origin-ubuntu hardy ubuntu-patch
boost as included in Debian is vulnerable to CVE-2008-0171 and CVE-2008-0172.
Attached is a debdiff which addresses this issue (changelog entry in debdiff
shows upstream patch sources as well).
Jamie
--
Email: jamie at ubuntu.com
IRC: jdstrand
-------------- next part --------------
diff -u boost-1.34.1/debian/changelog boost-1.34.1/debian/changelog
--- boost-1.34.1/debian/changelog
+++ boost-1.34.1/debian/changelog
@@ -1,3 +1,16 @@
+boost (1.34.1-2.3) unstable; urgency=low
+
+ * debian/patches/05_regex_fixes.patch: fix for
+ basic_regex_parser() in boost/regex/v4/basic_regex_parser.hpp to return
+ error on invalid repetition of next state
+ * References
+ CVE-2008-0171
+ CVE-2008-0172
+ http://svn.boost.org/trac/boost/changeset/42674
+ http://svn.boost.org/trac/boost/changeset/42745
+
+ -- Jamie Strandboge <jamie at strandboge.com> Tue, 15 Jan 2008 18:22:26 +0000
+
boost (1.34.1-2.2) unstable; urgency=low
* Non-maintainer upload.
only in patch2:
unchanged:
--- boost-1.34.1.orig/boost/regex/v4/basic_regex_parser.hpp
+++ boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp
@@ -777,6 +777,7 @@
case syntax_element_restart_continue:
case syntax_element_jump:
case syntax_element_startmark:
+ case syntax_element_backstep:
// can't legally repeat any of the above:
fail(regex_constants::error_badrepeat, m_position - m_base);
return false;
@@ -1862,6 +1863,7 @@
if(markid == -4)
{
re_syntax_base* b = this->getaddress(expected_alt_point);
+ // Make sure we have exactly one alternative following this state:
if(b->type != syntax_element_alt)
{
re_alt* alt = static_cast<re_alt*>(this->insert_state(expected_alt_point, syntax_element_alt, sizeof(re_alt)));
@@ -1872,6 +1874,15 @@
fail(regex_constants::error_bad_pattern, m_position - m_base);
return false;
}
+ // check for invalid repetition of next state:
+ b = this->getaddress(expected_alt_point);
+ b = this->getaddress(static_cast<re_alt*>(b)->next.i, b);
+ if((b->type != syntax_element_assert_backref)
+ && (b->type != syntax_element_startmark))
+ {
+ fail(regex_constants::error_badrepeat, m_position - m_base);
+ return false;
+ }
}
//
// append closing parenthesis state:
only in patch2:
unchanged:
--- boost-1.34.1.orig/libs/regex/test/regress/test_perl_ex.cpp
+++ boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp
@@ -121,6 +121,17 @@
TEST_INVALID_REGEX("(?:(a)|b)(?(?:", perl);
TEST_INVALID_REGEX("(?:(a)|b)(?(?<", perl);
TEST_INVALID_REGEX("(?:(a)|b)(?(?<a", perl);
+
+ TEST_INVALID_REGEX("(?(?!#?)+)", perl);
+ TEST_INVALID_REGEX("(?(?=:-){0})", perl);
+ TEST_INVALID_REGEX("(?(123){1})", perl);
+ TEST_INVALID_REGEX("(?(?<=A)*)", perl);
+ TEST_INVALID_REGEX("(?(?<=A)+)", perl);
+
+ TEST_INVALID_REGEX("(?<!*|^)", perl);
+ TEST_INVALID_REGEX("(?<!*|A)", perl);
+ TEST_INVALID_REGEX("(?<=?|A)", perl);
+ TEST_INVALID_REGEX("(?<=*|\\B)", perl);
}
void test_options()
only in patch2:
unchanged:
--- boost-1.34.1.orig/debian/patches/05_regex_fixes.patch
+++ boost-1.34.1/debian/patches/05_regex_fixes.patch
@@ -0,0 +1,56 @@
+diff -Naur ../unpatched/boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp
+--- ../unpatched/boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp 2006-12-20 17:19:05.000000000 +0000
++++ boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp 2008-01-15 18:20:54.000000000 +0000
+@@ -777,6 +777,7 @@
+ case syntax_element_restart_continue:
+ case syntax_element_jump:
+ case syntax_element_startmark:
++ case syntax_element_backstep:
+ // can't legally repeat any of the above:
+ fail(regex_constants::error_badrepeat, m_position - m_base);
+ return false;
+@@ -1862,6 +1863,7 @@
+ if(markid == -4)
+ {
+ re_syntax_base* b = this->getaddress(expected_alt_point);
++ // Make sure we have exactly one alternative following this state:
+ if(b->type != syntax_element_alt)
+ {
+ re_alt* alt = static_cast<re_alt*>(this->insert_state(expected_alt_point, syntax_element_alt, sizeof(re_alt)));
+@@ -1872,6 +1874,15 @@
+ fail(regex_constants::error_bad_pattern, m_position - m_base);
+ return false;
+ }
++ // check for invalid repetition of next state:
++ b = this->getaddress(expected_alt_point);
++ b = this->getaddress(static_cast<re_alt*>(b)->next.i, b);
++ if((b->type != syntax_element_assert_backref)
++ && (b->type != syntax_element_startmark))
++ {
++ fail(regex_constants::error_badrepeat, m_position - m_base);
++ return false;
++ }
+ }
+ //
+ // append closing parenthesis state:
+diff -Naur ../unpatched/boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp
+--- ../unpatched/boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp 2005-09-14 12:20:08.000000000 +0000
++++ boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp 2008-01-15 18:20:54.000000000 +0000
+@@ -121,6 +121,17 @@
+ TEST_INVALID_REGEX("(?:(a)|b)(?(?:", perl);
+ TEST_INVALID_REGEX("(?:(a)|b)(?(?<", perl);
+ TEST_INVALID_REGEX("(?:(a)|b)(?(?<a", perl);
++
++ TEST_INVALID_REGEX("(?(?!#?)+)", perl);
++ TEST_INVALID_REGEX("(?(?=:-){0})", perl);
++ TEST_INVALID_REGEX("(?(123){1})", perl);
++ TEST_INVALID_REGEX("(?(?<=A)*)", perl);
++ TEST_INVALID_REGEX("(?(?<=A)+)", perl);
++
++ TEST_INVALID_REGEX("(?<!*|^)", perl);
++ TEST_INVALID_REGEX("(?<!*|A)", perl);
++ TEST_INVALID_REGEX("(?<=?|A)", perl);
++ TEST_INVALID_REGEX("(?<=*|\\B)", perl);
+ }
+
+ void test_options()
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-boost-devel/attachments/20080117/d54685ed/attachment.pgp
More information about the pkg-boost-devel
mailing list