[denzil,09/18] Summary: Security Advisory - boost - CVE-2012-2677

Submitted by Mark Hatle on Feb. 7, 2013, 11:56 p.m.

Details

Message ID 1923ac0d270c40a8519f734aae141667cebfb538.1360270199.git.mark.hatle@windriver.com
State New

Commit Message

Mark Hatle Feb. 7, 2013, 11:56 p.m.
From: Wei Cai <wei.cai@windriver.com>

[ CQID: WIND00366777 ]

A security flaw was found in the way the ordered_malloc() routine implementation in
Boost, the free peer-reviewed portable C++ source libraries, performed 'next_size'
and 'max_size' parameters sanitization, when allocating memory. If an application,
using the Boost C++ source libraries for memory allocation, was missing
application-level checks for safety of 'next_size' and 'max_size' values, a remote
attacker could provide a specially-crafted application-specific file (requiring
runtime memory allocation for it to be processed correctly) that, when opened, would lead
to that application crashing, or, potentially, arbitrary code execution with the
privileges of the user running the application.

Signed-off-by: Wei Cai <wei.cai@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
---
 meta/recipes-support/boost/boost_1.49.0.bb         |  5 ++--
 .../boost/files/boost-CVE-2012-2677.patch          | 30 ++++++++++++++++++++++
 2 files changed, 33 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-support/boost/files/boost-CVE-2012-2677.patch

Patch

diff --git a/meta/recipes-support/boost/boost_1.49.0.bb b/meta/recipes-support/boost/boost_1.49.0.bb
index 71fdc48..b0094c1 100644
--- a/meta/recipes-support/boost/boost_1.49.0.bb
+++ b/meta/recipes-support/boost/boost_1.49.0.bb
@@ -2,9 +2,10 @@  include boost.inc
 
 LIC_FILES_CHKSUM = "file://LICENSE_1_0.txt;md5=e4224ccaecb14d942c71d31bef20d78c"
 
-PR = "${INC_PR}.0"
+PR = "${INC_PR}.1"
 
-SRC_URI += "file://arm-intrinsics.patch"
+SRC_URI += "file://arm-intrinsics.patch \
+            file://boost-CVE-2012-2677.patch"
 
 SRC_URI[md5sum] = "0d202cb811f934282dea64856a175698"
 SRC_URI[sha256sum] = "dd748a7f5507a7e7af74f452e1c52a64e651ed1f7263fce438a06641d2180d3c"
diff --git a/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch b/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch
new file mode 100644
index 0000000..42e813d
--- /dev/null
+++ b/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch
@@ -0,0 +1,30 @@ 
+--- a/boost/pool/pool.hpp.orig	
++++ b/boost/pool/pool.hpp	
+@@ -11,6 +11,8 @@
+ 
+ #include <boost/config.hpp>  // for workarounds
+ 
++// std::numeric_limits 
++#include <boost/limits.hpp> 
+ // std::less, std::less_equal, std::greater
+ #include <functional>
+ // new[], delete[], std::nothrow
+@@ -792,7 +794,8 @@
+ { //! Gets address of a chunk n, allocating new memory if not already available.
+   //! \returns Address of chunk n if allocated ok.
+   //! \returns 0 if not enough memory for n chunks.
+-
++  if (requested_size && (n > (std::numeric_limits<size_type>::max)() / requested_size)) 
++	return 0; 
+   const size_type partition_size = alloc_size();
+   const size_type total_req_size = n * requested_size;
+   const size_type num_chunks = total_req_size / partition_size +
+@@ -975,6 +978,8 @@
+   {
+      if(max_alloc_size && (n > max_alloc_size))
+         return 0;
++	 if(chunk_size && (n > (std::numeric_limits<size_type>::max)() / chunk_size)) 
++		return 0; 
+      void* ret = (user_allocator::malloc)(chunk_size * n);
+      used_list.insert(ret);
+      return ret;
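
Review bot: the new boost-CVE-2012-2677.patch begins directly at `--- a/boost/pool/pool.hpp.orig` with no header, so the file itself records neither where the fix came from nor what it covers; add a short description, the origin of the change, an Upstream-Status line and a Signed-off-by above the first `---`. The commit message describes 'next_size' and 'max_size' sanitization, while the two added checks (inner hunks at @@ -792 and @@ -975) bound only `n` against `requested_size` and `chunk_size`; the header should state that `n * requested_size` and `chunk_size * n` are the multiplications being guarded, and it is worth confirming that no next_size computation needs the same guard. The added lines are also indented with tabs and carry trailing spaces (for example both `return 0;` lines) where the surrounding pool.hpp context uses spaces; matching the file's space indentation avoids whitespace noise in the patch.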