Patchwork [denzil,09/18] Summary: Security Advisory - boost - CVE-2012-2677

login
register
mail settings
Submitter Mark Hatle
Date Feb. 7, 2013, 11:56 p.m.
Message ID <1923ac0d270c40a8519f734aae141667cebfb538.1360270199.git.mark.hatle@windriver.com>
Download mbox | patch
Permalink /patch/44279/
State New
Headers show

Comments

Mark Hatle - Feb. 7, 2013, 11:56 p.m.
From: Wei Cai <wei.cai@windriver.com>

[ CQID: WIND00366777 ]

A security flaw was found in the way ordered_malloc() routine implementation in
Boost, the free peer-reviewed portable C++ source libraries, performed 'next-size'
and 'max_size' parameters sanitization, when allocating memory. If an application,
using the Boost C++ source libraries for memory allocation, was missing
application-level checks for safety of 'next_size' and 'max_size' values, a remote
attacker could provide a specially-crafted application-specific file (requiring
runtime memory allocation it to be processed correctly) that, when opened would lead
to that application crash, or, potentially arbitrary code execution with the
privileges of the user running the application.

Signed-off-by: Wei Cai <wei.cai@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
 meta/recipes-support/boost/boost_1.49.0.bb         |  5 ++--
 .../boost/files/boost-CVE-2012-2677.patch          | 30 ++++++++++++++++++++++
 2 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-support/boost/files/boost-CVE-2012-2677.patch

Patch

diff --git a/meta/recipes-support/boost/boost_1.49.0.bb b/meta/recipes-support/boost/boost_1.49.0.bb
index 71fdc48..b0094c1 100644
--- a/meta/recipes-support/boost/boost_1.49.0.bb
+++ b/meta/recipes-support/boost/boost_1.49.0.bb
@@ -2,9 +2,10 @@  include boost.inc
 
 LIC_FILES_CHKSUM = "file://LICENSE_1_0.txt;md5=e4224ccaecb14d942c71d31bef20d78c"
 
-PR = "${INC_PR}.0"
+PR = "${INC_PR}.1"
 
-SRC_URI += "file://arm-intrinsics.patch"
+SRC_URI += "file://arm-intrinsics.patch \
+            file://boost-CVE-2012-2677.patch"
 
 SRC_URI[md5sum] = "0d202cb811f934282dea64856a175698"
 SRC_URI[sha256sum] = "dd748a7f5507a7e7af74f452e1c52a64e651ed1f7263fce438a06641d2180d3c"
diff --git a/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch b/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch
new file mode 100644
index 0000000..42e813d
--- /dev/null
+++ b/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch
@@ -0,0 +1,30 @@ 
+--- a/boost/pool/pool.hpp.orig	
++++ b/boost/pool/pool.hpp	
+@@ -11,6 +11,8 @@
+ 
+ #include <boost/config.hpp>  // for workarounds
+ 
++// std::numeric_limits 
++#include <boost/limits.hpp> 
+ // std::less, std::less_equal, std::greater
+ #include <functional>
+ // new[], delete[], std::nothrow
+@@ -792,7 +794,8 @@
+ { //! Gets address of a chunk n, allocating new memory if not already available.
+   //! \returns Address of chunk n if allocated ok.
+   //! \returns 0 if not enough memory for n chunks.
+-
++  if (requested_size && (n > (std::numeric_limits<size_type>::max)() / requested_size)) 
++	return 0; 
+   const size_type partition_size = alloc_size();
+   const size_type total_req_size = n * requested_size;
+   const size_type num_chunks = total_req_size / partition_size +
+@@ -975,6 +978,8 @@
+   {
+      if(max_alloc_size && (n > max_alloc_size))
+         return 0;
++	 if(chunk_size && (n > (std::numeric_limits<size_type>::max)() / chunk_size)) 
++		return 0; 
+      void* ret = (user_allocator::malloc)(chunk_size * n);
+      used_list.insert(ret);
+      return ret;