From patchwork Thu Feb 7 23:56:36 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [denzil,09/18] Summary: Security Advisory - boost - CVE-2012-2677
Date: Thu, 07 Feb 2013 23:56:36 -0000
From: Mark Hatle
X-Patchwork-Id: 44279
Message-Id: <1923ac0d270c40a8519f734aae141667cebfb538.1360270199.git.mark.hatle@windriver.com>
To:

From: Wei Cai

[ CQID: WIND00366777 ]

A security flaw was found in the way the ordered_malloc() routine implementation in Boost, the free peer-reviewed portable C++ source libraries, performed 'next_size' and 'max_size' parameter sanitization when allocating memory. If an application, using the Boost C++ source libraries for memory allocation, was missing application-level checks for safety of 'next_size' and 'max_size' values, a remote attacker could provide a specially-crafted application-specific file (requiring runtime memory allocation for it to be processed correctly) that, when opened, would lead to that application crashing or, potentially, arbitrary code execution with the privileges of the user running the application.

Signed-off-by: Wei Cai
Signed-off-by: Robert Yang
Signed-off-by: Mark Hatle
--- meta/recipes-support/boost/boost_1.49.0.bb | 5 ++-- .../boost/files/boost-CVE-2012-2677.patch | 30 ++++++++++++++++++++++ 2 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 meta/recipes-support/boost/files/boost-CVE-2012-2677.patch diff --git a/meta/recipes-support/boost/boost_1.49.0.bb b/meta/recipes-support/boost/boost_1.49.0.bb index 71fdc48..b0094c1 100644 --- a/meta/recipes-support/boost/boost_1.49.0.bb +++ b/meta/recipes-support/boost/boost_1.49.0.bb 
@@ -2,9 +2,10 @@ include boost.inc LIC_FILES_CHKSUM = "file://LICENSE_1_0.txt;md5=e4224ccaecb14d942c71d31bef20d78c" -PR = "${INC_PR}.0" +PR = "${INC_PR}.1" -SRC_URI += "file://arm-intrinsics.patch" +SRC_URI += "file://arm-intrinsics.patch \ + file://boost-CVE-2012-2677.patch" SRC_URI[md5sum] = "0d202cb811f934282dea64856a175698" SRC_URI[sha256sum] = "dd748a7f5507a7e7af74f452e1c52a64e651ed1f7263fce438a06641d2180d3c" diff --git a/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch b/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch new file mode 100644 index 0000000..42e813d --- /dev/null +++ b/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch @@ -0,0 +1,30 @@ +--- a/boost/pool/pool.hpp.orig ++++ b/boost/pool/pool.hpp +@@ -11,6 +11,8 @@ + + #include // for workarounds + ++// std::numeric_limits ++#include + // std::less, std::less_equal, std::greater + #include + // new[], delete[], std::nothrow +@@ -792,7 +794,8 @@ + { //! Gets address of a chunk n, allocating new memory if not already available. + //! \returns Address of chunk n if allocated ok. + //! \returns 0 if not enough memory for n chunks. +- ++ if (requested_size && (n > (std::numeric_limits::max)() / requested_size)) ++ return 0; + const size_type partition_size = alloc_size(); + const size_type total_req_size = n * requested_size; + const size_type num_chunks = total_req_size / partition_size + +@@ -975,6 +978,8 @@ + { + if(max_alloc_size && (n > max_alloc_size)) + return 0; ++ if(chunk_size && (n > (std::numeric_limits::max)() / chunk_size)) ++ return 0; + void* ret = (user_allocator::malloc)(chunk_size * n); + used_list.insert(ret); + return ret;
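
Review bot: the new file boost-CVE-2012-2677.patch starts directly at `--- a/boost/pool/pool.hpp.orig` with no header of its own, so nothing inside the file records what it fixes or where the fix came from. Suggest adding a short description naming CVE-2012-2677, an Upstream-Status line and a Signed-off-by above the first `---`, so the provenance stays with the patch when the recipe moves past 1.49.0 and someone has to decide whether it can be dropped.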
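
Review bot: in the `@@ -11,6 +11,8 @@` hunk of the embedded pool.hpp patch, the `#include` added under `// std::numeric_limits` shows no header name as rendered here, and both later checks call `(std::numeric_limits::max)()` with no template argument. In that form the code does not compile. Please confirm that the file in the tree includes `<limits>` and instantiates the template on the type of `n` and `requested_size` (`size_type` in the visible declarations), since a limit taken for a narrower or signed type would make the guard wrong.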
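
Review bot: in the `@@ -792,7 +794,8 @@` hunk the overflow check takes the place of the blank line after the doc comment, and that comment still says only `\returns 0 if not enough memory for n chunks`. Suggest keeping a blank line before the `if` and adding a `\returns 0` line for the case where `n * requested_size` would overflow, so callers know a null return also covers rejected sizes. The `requested_size &&` test is what keeps the division safe when the size is zero and should survive any later refactoring.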
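
Review bot: in the `@@ -975,6 +978,8 @@` hunk the new test repeats the division-based guard from the `-792` hunk with `chunk_size` in place of `requested_size`, and is written `if(` where the other copy is `if (`. Suggest a single small helper that reports whether a count times an element size would overflow, called from both places, so the two copies cannot drift apart. The diffstat also shows only the recipe and the patch file changing, so there is no regression test; one that calls each allocation path with `n` just above the maximum divided by the element size and expects 0 would pin the behaviour down.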