Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202105-04 ] Boost: Buffer overflow
Date: Wed, 26 May 2021 08:09:20
Message-Id: 1980f867-acb7-63d3-7f45-e2eb52ecd42f@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 202105-04
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Boost: Buffer overflow
9 Date: May 26, 2021
10 Bugs: #620468
11 ID: 202105-04
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 A buffer overflow in Boost might allow remote attacker(s) to execute
19 arbitrary code.
20
21 Background
22 ==========
23
24 Boost is a set of C++ libraries, including the Boost.Regex library to
25 process regular expressions.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 dev-libs/boost < 1.74.0-r2 >= 1.74.0-r2
34
35 Description
36 ===========
37
38 It was discovered that Boost incorrectly sanitized 'next_size' and
39 'max_size' parameter in ordered_malloc() function when allocating
40 memory.
41
42 Impact
43 ======
44
45 A remote attacker could provide a specially crafted
46 application-specific file (requiring runtime memory allocation to be
47 processed correctly), that, when opened with an application using Boost
48 C++ source libraries, possibly resulting in execution of arbitrary code
49 with the privileges of the process or a Denial of Service condition.
50
51 Workaround
52 ==========
53
54 There is no known workaround at this time.
55
56 Resolution
57 ==========
58
59 All Boost users should upgrade to the latest version:
60
61 # emerge --sync
62 # emerge --ask --oneshot --verbose ">=dev-libs/boost-1.74.0-r2"
63
64 References
65 ==========
66
67 [ 1 ] CVE-2012-2677
68 https://nvd.nist.gov/vuln/detail/CVE-2012-2677
69
70 Availability
71 ============
72
73 This GLSA and any updates to it are available for viewing at
74 the Gentoo Security Website:
75
76 https://security.gentoo.org/glsa/202105-04
77
78 Concerns?
79 =========
80
81 Security is a primary focus of Gentoo Linux and ensuring the
82 confidentiality and security of our users' machines is of utmost
83 importance to us. Any security concerns should be addressed to
84 security@g.o or alternatively, you may file a bug at
85 https://bugs.gentoo.org.
86
87 License
88 =======
89
90 Copyright 2021 Gentoo Foundation, Inc; referenced text
91 belongs to its owner(s).
92
93 The contents of this document are licensed under the
94 Creative Commons - Attribution / Share Alike license.
95
96 https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
OpenPGP_signature.asc application/pgp-signature