Package: boost
Version: 1.34.1-2.2
Severity: critical
Tags: patch, security
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu hardy ubuntu-patch
The boost package as included in Debian is vulnerable to CVE-2008-0171 and CVE-2008-0172.
Attached is a debdiff that addresses both issues (the changelog entry in the debdiff
also lists the upstream changesets the patch is taken from).
Jamie
--
Email: [EMAIL PROTECTED]
IRC: jdstrand
diff -u boost-1.34.1/debian/changelog boost-1.34.1/debian/changelog
--- boost-1.34.1/debian/changelog
+++ boost-1.34.1/debian/changelog
@@ -1,3 +1,16 @@
+boost (1.34.1-2.3) unstable; urgency=low
+
+ * debian/patches/05_regex_fixes.patch: fix for
+basic_regex_parser() in boost/regex/v4/basic_regex_parser.hpp to return
+error on invalid repetition of next state
+ * References
+CVE-2008-0171
+CVE-2008-0172
+http://svn.boost.org/trac/boost/changeset/42674
+http://svn.boost.org/trac/boost/changeset/42745
+
+ -- Jamie Strandboge [EMAIL PROTECTED] Tue, 15 Jan 2008 18:22:26 +
+
boost (1.34.1-2.2) unstable; urgency=low
* Non-maintainer upload.
only in patch2:
unchanged:
--- boost-1.34.1.orig/boost/regex/v4/basic_regex_parser.hpp
+++ boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp
@@ -777,6 +777,7 @@
case syntax_element_restart_continue:
case syntax_element_jump:
case syntax_element_startmark:
+ case syntax_element_backstep:
// can't legally repeat any of the above:
fail(regex_constants::error_badrepeat, m_position - m_base);
return false;
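Review bot: The switch that gains `case syntax_element_backstep:` works as a deny-list, naming each non-repeatable state type individually, so a state type introduced later stays repeatable until someone lists it here. The switch head and its default branch are outside the hunk, so whether unlisted types fail closed cannot be judged from these lines. The changelog describes the fix as returning an error on invalid repetition, which makes this list the place where that guarantee is kept. I would extend the existing comment to say so, for example `// can't legally repeat any of the above; add every new non-repeatable syntax_element_* here:`.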
@@ -1862,6 +1863,7 @@
if(markid == -4)
{
re_syntax_base* b = this-getaddress(expected_alt_point);
+ // Make sure we have exactly one alternative following this state:
if(b-type != syntax_element_alt)
{
re_alt* alt =
static_castre_alt*(this-insert_state(expected_alt_point, syntax_element_alt,
sizeof(re_alt)));
@@ -1872,6 +1874,15 @@
fail(regex_constants::error_bad_pattern, m_position - m_base);
return false;
}
+ // check for invalid repetition of next state:
+ b = this-getaddress(expected_alt_point);
+ b = this-getaddress(static_castre_alt*(b)-next.i, b);
+ if((b-type != syntax_element_assert_backref)
+ (b-type != syntax_element_startmark))
+ {
+ fail(regex_constants::error_badrepeat, m_position - m_base);
+ return false;
+ }
}
//
// append closing parenthesis state:
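Review bot: The added check casts `b` to `re_alt*` without restating that the state at `expected_alt_point` is an alt by then. That holds only because of the branch above, part of which lies between this hunk and the previous one and is not visible here. An assertion before the cast, `BOOST_ASSERT(b->type == syntax_element_alt);`, would document and check the invariant, assuming BOOST_ASSERT is usable in this header. The second lookup of `b` through getaddress() also deserves a why-comment, presumably `// insert_state() may have moved the state storage, so look b up again`, to be confirmed against insert_state. The page rendering appears to have dropped operator characters from these lines, so I am reading the condition as the conjunction of the two type tests.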
only in patch2:
unchanged:
--- boost-1.34.1.orig/libs/regex/test/regress/test_perl_ex.cpp
+++ boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp
@@ -121,6 +121,17 @@
TEST_INVALID_REGEX((?:(a)|b)(?(?:, perl);
TEST_INVALID_REGEX((?:(a)|b)(?(?, perl);
TEST_INVALID_REGEX((?:(a)|b)(?(?a, perl);
+
+ TEST_INVALID_REGEX((?(?!#?)+), perl);
+ TEST_INVALID_REGEX((?(?=:-){0}), perl);
+ TEST_INVALID_REGEX((?(123){1}), perl);
+ TEST_INVALID_REGEX((?(?=A)*), perl);
+ TEST_INVALID_REGEX((?(?=A)+), perl);
+
+ TEST_INVALID_REGEX((?!*|^), perl);
+ TEST_INVALID_REGEX((?!*|A), perl);
+ TEST_INVALID_REGEX((?=?|A), perl);
+ TEST_INVALID_REGEX((?=*|\\B), perl);
}
void test_options()
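Review bot: The new TEST_INVALID_REGEX cases carry no comment saying what they guard, so a later cleanup could drop them as redundant with the cases above them. I would put `// regression cases for CVE-2008-0171 and CVE-2008-0172: repeats applied to conditional and assertion groups must be rejected` in front of the first new group. All of them run with the `perl` flag only. Whether another syntax option can reach the same parser paths cannot be decided from this hunk, and if one can, it should get a matching case. The enclosing test function starts outside the hunk.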
only in patch2:
unchanged:
--- boost-1.34.1.orig/debian/patches/05_regex_fixes.patch
+++ boost-1.34.1/debian/patches/05_regex_fixes.patch
@@ -0,0 +1,56 @@
+diff -Naur ../unpatched/boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp
boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp
+--- ../unpatched/boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp
2006-12-20 17:19:05.0 +
boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp 2008-01-15
18:20:54.0 +
+@@ -777,6 +777,7 @@
+ case syntax_element_restart_continue:
+ case syntax_element_jump:
+ case syntax_element_startmark:
++ case syntax_element_backstep:
+ // can't legally repeat any of the above:
+ fail(regex_constants::error_badrepeat, m_position - m_base);
+ return false;
+@@ -1862,6 +1863,7 @@
+if(markid == -4)
+{
+ re_syntax_base* b = this-getaddress(expected_alt_point);
++ // Make sure we have exactly one alternative following this state:
+ if(b-type != syntax_element_alt)
+ {
+ re_alt* alt =
static_castre_alt*(this-insert_state(expected_alt_point, syntax_element_alt,
sizeof(re_alt)));
+@@ -1872,6 +1874,15 @@
+ fail(regex_constants::error_bad_pattern, m_position - m_base);
+ return false;
+ }
++ // check for invalid repetition of next state:
++ b = this-getaddress(expected_alt_point);
++ b = this-getaddress(static_castre_alt*(b)-next.i, b);
++ if((b-type != syntax_element_assert_backref)
++ (b-type != syntax_element_startmark))
++ {
++ fail(regex_constants::error_badrepeat, m_position - m_base);
++ return false;
++ }
+}
+//
+// append closing parenthesis state:
+diff -Naur ../unpatched/boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp