Ubuntu
boost1.49 package

boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences.

Bug #1127250 reported by dino99
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
boost1.49 (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

Reviewing the boost updates, i post here a security warning, and an available patch for version older than the actual 1.53

*********
Boost.Locale library in Boost 1.48 to 1.52 including has a security flaw.
boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences.
Applications that used these functions for UTF-8 input validation could expose themselves to security threats as invalid UTF-8 sequece would be considered as valid.
This bug is fixed in upcoming Boost 1.53.

Users who can't upgrade to the latest versions may apply the following patch to fix the problem.
http://cppcms.com/files/locale/boost_locale_utf.patch

So please rebuild the raring packages with that patch (and quantal/precise/... too)

http://www.boost.org/users/news/boost_locale_security_notice.html

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: libboost-system1.49.0 1.49.0-3.2ubuntu1
ProcVersionSignature: Ubuntu 3.8.0-6.13-generic 3.8.0-rc7
Uname: Linux 3.8.0-6-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.8-0ubuntu4
Architecture: i386
Date: Sat Feb 16 15:05:43 2013
MarkForUpload: True
SourcePackage: boost1.49
UpgradeStatus: No upgrade log present (probably fresh install)

See original description
Revision history for this message
dino99 (9d9) wrote :
tags: added: patch security
dino99 (9d9)
description: updated
description: updated
Revision history for this message
dino99 (9d9) wrote :
Revision history for this message
dino99 (9d9) wrote :

the patch into #2 comes from the link posted in the initial report description above.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "boost_locale_utf.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

dino99 (9d9)
Changed in boost1.49 (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.