Summary: | <dev-libs/boost-1.52.0-r6: Certain invalid UTF-8 sequences accepted as valid (CVE-2013-0252) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | cpp+disabled, flameeyes, jer, kripton |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=907481 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=485380 | ||
Whiteboard: | A4 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 456328, 459448, 460238, 460264, 460272, 460274, 460276, 460292, 460384, 461574, 461578, 474066 | ||
Bug Blocks: | 467256 | ||
Description
Agostino Sarubbo
2013-02-04 16:56:31 UTC
Okay so we need a patched ebuild for 1.52 ... not sure if we're ready to mark it stable or not, I would probably expect it to...

@security how fast do we get this done? I'm running already a different tinderbox run on stable, so I might have to wait for this...

(In reply to comment #1)
> Okay so we need a patched ebuild for 1.52 ... not sure if we're ready to
> mark it stable or not, I would probably expect it to...
>
> @security how fast do we get this done? I'm running already a different
> tinderbox run on stable, so I might have to wait for this...

How does patching the 1.49.0 series sound? Did you check if the patch is applicable?

I'm not going to touch 1.49 — I guess we'll have to go with 1.52.0-r6 and keep the pieces for what breaks.

(In reply to comment #1)
> @security how fast do we get this done? I'm running already a different
> tinderbox run on stable, so I might have to wait for this...

(Ideally, this would have been fixed by now). I saw your email to -dev-announce regarding boost. Are we ready to start stabilization or should we wait a little longer?

The tinderbox is running, I'm fine with starting to mark it stable.

CVE-2013-0252 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0252): boost::locale::utf::utf_traits in the Boost.Locale library in Boost 1.48 through 1.52 does not properly detect certain invalid UTF-8 sequences, which might allow remote attackers to bypass input validation protection mechanisms via crafted trailing bytes.

```
>> Emerging (1 of 1) dev-libs/boost-1.52.0-r6
 * boost_1_52_0.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking boost_1_52_0.tar.bz2 to /var/tmp/portage/dev-libs/boost-1.52.0-r6/work
>>> Source unpacked in /var/tmp/portage/dev-libs/boost-1.52.0-r6/work
>>> Preparing source in /var/tmp/portage/dev-libs/boost-1.52.0-r6/work/boost_1_52_0 ...
 * Applying boost-1.48.0-mpi_python3.patch ... [ ok ]
 * Applying boost-1.51.0-respect_python-buildid.patch ... [ ok ]
 * Applying boost-1.51.0-support_dots_in_python-buildid.patch ... [ ok ]
 * Applying boost-1.48.0-no_strict_aliasing_python2.patch ... [ ok ]
 * Applying boost-1.48.0-disable_libboost_python3.patch ... [ ok ]
 * Applying boost-1.48.0-python_linking.patch ... [ ok ]
 * Applying boost-1.48.0-disable_icu_rpath.patch ... [ ok ]
 * Applying remove-toolset-1.48.0.patch ... [ ok ]
 * Applying boost-1.52.0-tuple.patch ... [ ok ]
 * Applying boost-1.52.0-locale-utf.patch ... [ ok ]
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/dev-libs/boost-1.52.0-r6/work/boost_1_52_0 ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/dev-libs/boost-1.52.0-r6/work/boost_1_52_0 ...
 * python3_2: running building
b2 gentoorelease -j1 -q -d+2 --user-config=/var/tmp/portage/dev-libs/boost-1.52.0-r6/work/boost_1_52_0/user-config.jam --disable-icu boost.locale.icu=off pch=off --boost-build=/usr/share/boost-build --prefix="/var/tmp/portage/dev-libs/boost-1.52.0-r6/image/usr" --layout=system threading=multi link=shared --without-context --python-buildid=3.2
```

And that's as far as it goes; python has been updated and I'm running python-updater. I can get a compile by going to /var/temp/portage/boost and running bootstrap.sh, then ./br, which runs the compile successfully. But not having set up the install params, it's advising to link to this dir, but as this is a temp situation, not very wise. Any suggestions as to how or what I need to do to get success?

I've had the same experience as Mr. Madden in attempting to merge boost-1.52.0-r6. The solution was to merge without the sandbox:

```
FEATURES="-sandbox" emerge boost
```

Regards.

*** Bug 474770 has been marked as a duplicate of this bug. ***

This is needed in order to start stabilizing glibc-2.16.

Stable for HPPA.

@vapier: it makes no sense to have the arches here when we have some blockers. If for you they are no longer a block, please remove them, otherwise I should wait for the resolution of those bugs.

amd64 stable

x86 stable

ia64 stable

ppc64 stable

ppc stable

alpha stable

arm stable

SH is not anymore a stable arch, removing it from the cc list

S390 is not anymore a stable arch, removing it from the cc list

M68K is not anymore a stable arch, removing it from the cc list

sparc stable. Maintainer(s), please cleanup. Security, please vote.

GLSA vote: no.

GLSA vote: no

Vulnerable versions are masked, closing as noglsa.
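
The bug class named in the CVE text above (trailing bytes accepted without being checked), shown as an added example; it is not Boost.Locale's code and not the patch applied in this bug. `seq_len`, `utf8_valid` and the `check_trail` switch are hypothetical names, and the sample bytes are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Length announced by a lead byte; 0 if the byte cannot start a sequence
// (stray continuation byte, overlong leads C0/C1, or anything above F4).
static int seq_len(unsigned char b) {
    if (b < 0x80) return 1;
    if (b >= 0xC2 && b <= 0xDF) return 2;
    if (b >= 0xE0 && b <= 0xEF) return 3;
    if (b >= 0xF0 && b <= 0xF4) return 4;
    return 0;
}

// check_trail=false models a decoder that trusts the lead byte and consumes
// the following bytes without inspecting them (illustrative weak mode).
bool utf8_valid(const std::string& s, bool check_trail = true) {
    static const std::uint32_t min_cp[5] = {0, 0, 0x80, 0x800, 0x10000};
    std::size_t i = 0;
    while (i < s.size()) {
        unsigned char lead = static_cast<unsigned char>(s[i]);
        int n = seq_len(lead);
        if (n == 0 || i + static_cast<std::size_t>(n) > s.size())
            return false;                                // bad lead or truncated
        std::uint32_t cp =
            static_cast<std::uint32_t>(lead & (n == 1 ? 0x7F : (0xFF >> (n + 1))));
        for (int k = 1; k < n; ++k) {
            unsigned char t = static_cast<unsigned char>(s[i + k]);
            if (check_trail && (t & 0xC0) != 0x80) return false;  // not 10xxxxxx
            cp = (cp << 6) | static_cast<std::uint32_t>(t & 0x3F);
        }
        if (cp < min_cp[n]) return false;                // overlong encoding
        if (cp >= 0xD800 && cp <= 0xDFFF) return false;  // UTF-16 surrogate
        if (cp > 0x10FFFF) return false;                 // beyond Unicode range
        i += static_cast<std::size_t>(n);
    }
    return true;
}

int main() {
    // Constructed sample: lead byte C3 followed by '(' instead of 10xxxxxx.
    const std::string bad = "\xC3\x28";
    std::printf("strict=%d weak=%d\n", utf8_valid(bad), utf8_valid(bad, false));
    return 0;
}
```

A validator that runs before any filtering or comparison should use the strict mode, so that the bytes the filter sees are the same characters every later consumer decodes.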