From $URL : Jan Lieskovsky 2013-02-04 15:20:03 CET A security flaw was found in the way UTF-8 decoder of boost, set of free peer-reviewed portable C++ source libraries, performed validation of certain UTF-8 encoded sequences. If an application, linked against boost used the UTF-8 decoding routines for input validation (and depended at the results), an attacker could use this flaw to confuse the validator into (errorneously) accepting them as valid. Upstream bug report: [1] https://svn.boost.org/trac/boost/ticket/7743 Upstream advisory: [2] http://www.boost.org/users/news/boost_locale_security_notice.html Relevant upstream patch: [3] http://cppcms.com/files/locale/boost_locale_utf.patch References: [4] http://www.openwall.com/lists/oss-security/2013/02/04/1 [5] http://www.openwall.com/lists/oss-security/2013/02/04/2
Okay so we need a patched ebuild for 1.52 ... not sure if we're ready to mark it stable or not, I would probably expect it to... @security how fast do we get this done? I'm running already a different tinderbox run on stable, so I might have to wait for this...
(In reply to comment #1) > Okay so we need a patched ebuild for 1.52 ... not sure if we're ready to > mark it stable or not, I would probably expect it to... > > @security how fast do we get this done? I'm running already a different > tinderbox run on stable, so I might have to wait for this... How sounds patch the 1.49.0 series? Did you check if the patch is applicable?
I'm not going to touch 1.49 — I guess we'll have to go with 1.52.0-r6 and keep the pieces for what breaks.
(In reply to comment #1) > @security how fast do we get this done? I'm running already a different > tinderbox run on stable, so I might have to wait for this... (Ideally, this would have been fixed by now). I saw your email to -dev-announce regarding boost. Are we ready to start stabilization or should we wait a little longer?
The tinderbox is running, I'm fine with starting to mark it stable.
CVE-2013-0252 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0252): boost::locale::utf::utf_traits in the Boost.Locale library in Boost 1.48 through 1.52 does not properly detect certain invalid UTF-8 sequences, which might allow remote attackers to bypass input validation protection mechanisms via crafted trailing bytes.
>> Emerging (1 of 1) dev-libs/boost-1.52.0-r6 * boost_1_52_0.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ] >>> Unpacking source... >>> Unpacking boost_1_52_0.tar.bz2 to /var/tmp/portage/dev-libs/boost-1.52.0-r6/work >>> Source unpacked in /var/tmp/portage/dev-libs/boost-1.52.0-r6/work >>> Preparing source in /var/tmp/portage/dev-libs/boost-1.52.0-r6/work/boost_1_52_0 ... * Applying boost-1.48.0-mpi_python3.patch ... [ ok ] * Applying boost-1.51.0-respect_python-buildid.patch ... [ ok ] * Applying boost-1.51.0-support_dots_in_python-buildid.patch ... [ ok ] * Applying boost-1.48.0-no_strict_aliasing_python2.patch ... [ ok ] * Applying boost-1.48.0-disable_libboost_python3.patch ... [ ok ] * Applying boost-1.48.0-python_linking.patch ... [ ok ] * Applying boost-1.48.0-disable_icu_rpath.patch ... [ ok ] * Applying remove-toolset-1.48.0.patch ... [ ok ] * Applying boost-1.52.0-tuple.patch ... [ ok ] * Applying boost-1.52.0-locale-utf.patch ... [ ok ] >>> Source prepared. >>> Configuring source in /var/tmp/portage/dev-libs/boost-1.52.0-r6/work/boost_1_52_0 ... >>> Source configured. >>> Compiling source in /var/tmp/portage/dev-libs/boost-1.52.0-r6/work/boost_1_52_0 ... * python3_2: running building b2 gentoorelease -j1 -q -d+2 --user-config=/var/tmp/portage/dev-libs/boost-1.52.0-r6/work/boost_1_52_0/user-config.jam --disable-icu boost.locale.icu=off pch=off --boost-build=/usr/share/boost-build --prefix="/var/tmp/portage/dev-libs/boost-1.52.0-r6/image/usr" --layout=system threading=multi link=shared --without-context --python-buildid=3.2 AND thats as far as it goes,python has been updated and I'm running python-updater. I can get a comple by going to /var/temp/portage/boost and running bootstrap.sh. Then ./br which runs the compile successfully. but not having setup the install param's its advising to link to this dir,but as this's a temp situation not very wise. Any suggestions as to how or what I need todo to get success
I've had the same experience as Mr. Madden in attempting to merge boost-1.52.0-r6. The solution was to merge without the sandbox: FEATURES="-sandbox" emerge boost Regards.
*** Bug 474770 has been marked as a duplicate of this bug. ***
this is needed in order to start stabilizing glibc-2.16
Stable for HPPA.
@vapier: make no sense have the arches here when we have some blockers. If for you they are no longer a block, please remove them, otherwise I should wait for the resolution of those bugs.
amd64 stable
x86 stable
ia64 stable
ppc64 stable
ppc stable
alpha stable
arm stable
SH is not anymore a stable arch, removing it from the cc list
S390 is not anymore a stable arch, removing it from the cc list
M68K is not anymore a stable arch, removing it from the cc list
sparc stable. Maintainer(s), please cleanup. Security, please vote.
GLSA vote: no.
GLSA vote: no Vulnerable versions are masked, closing as noglsa.