[OE-core] [denzil 09/18] Summary: Security Advisory - boost - CVE-2012-2677
Mark Hatle
mark.hatle at windriver.com
Thu Feb 7 23:56:36 UTC 2013
From: Wei Cai <wei.cai at windriver.com>
[ CQID: WIND00366777 ]
A security flaw was found in the way ordered_malloc() routine implementation in
Boost, the free peer-reviewed portable C++ source libraries, performed 'next-size'
and 'max_size' parameters sanitization, when allocating memory. If an application,
using the Boost C++ source libraries for memory allocation, was missing
application-level checks for safety of 'next_size' and 'max_size' values, a remote
attacker could provide a specially-crafted application-specific file (requiring
runtime memory allocation it to be processed correctly) that, when opened would lead
to that application crash, or, potentially arbitrary code execution with the
privileges of the user running the application.
Signed-off-by: Wei Cai <wei.cai at windriver.com>
Signed-off-by: Robert Yang <liezhi.yang at windriver.com>
Signed-off-by: Mark Hatle <mark.hatle at windriver.com>
---
meta/recipes-support/boost/boost_1.49.0.bb | 5 ++--
.../boost/files/boost-CVE-2012-2677.patch | 30 ++++++++++++++++++++++
2 files changed, 33 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-support/boost/files/boost-CVE-2012-2677.patch
diff --git a/meta/recipes-support/boost/boost_1.49.0.bb b/meta/recipes-support/boost/boost_1.49.0.bb
index 71fdc48..b0094c1 100644
--- a/meta/recipes-support/boost/boost_1.49.0.bb
+++ b/meta/recipes-support/boost/boost_1.49.0.bb
@@ -2,9 +2,10 @@ include boost.inc
LIC_FILES_CHKSUM = "file://LICENSE_1_0.txt;md5=e4224ccaecb14d942c71d31bef20d78c"
-PR = "${INC_PR}.0"
+PR = "${INC_PR}.1"
-SRC_URI += "file://arm-intrinsics.patch"
+SRC_URI += "file://arm-intrinsics.patch \
+ file://boost-CVE-2012-2677.patch"
SRC_URI[md5sum] = "0d202cb811f934282dea64856a175698"
SRC_URI[sha256sum] = "dd748a7f5507a7e7af74f452e1c52a64e651ed1f7263fce438a06641d2180d3c"
diff --git a/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch b/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch
new file mode 100644
index 0000000..42e813d
--- /dev/null
+++ b/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch
@@ -0,0 +1,30 @@
+--- a/boost/pool/pool.hpp.orig
++++ b/boost/pool/pool.hpp
+@@ -11,6 +11,8 @@
+
+ #include <boost/config.hpp> // for workarounds
+
++// std::numeric_limits
++#include <boost/limits.hpp>
+ // std::less, std::less_equal, std::greater
+ #include <functional>
+ // new[], delete[], std::nothrow
+@@ -792,7 +794,8 @@
+ { //! Gets address of a chunk n, allocating new memory if not already available.
+ //! \returns Address of chunk n if allocated ok.
+ //! \returns 0 if not enough memory for n chunks.
+-
++ if (requested_size && (n > (std::numeric_limits<size_type>::max)() / requested_size))
++ return 0;
+ const size_type partition_size = alloc_size();
+ const size_type total_req_size = n * requested_size;
+ const size_type num_chunks = total_req_size / partition_size +
+@@ -975,6 +978,8 @@
+ {
+ if(max_alloc_size && (n > max_alloc_size))
+ return 0;
++ if(chunk_size && (n > (std::numeric_limits<size_type>::max)() / chunk_size))
++ return 0;
+ void* ret = (user_allocator::malloc)(chunk_size * n);
+ used_list.insert(ret);
+ return ret;
--
1.8.1.2.545.g2f19ada
More information about the Openembedded-core
mailing list