Bug#461236: boost vulnerabilities (was [pkg-boost-commits] r14144 - in boost/trunk: ...)

2008-01-21 Thread Domenico Andreoli
On Sun, Jan 20, 2008 at 05:32:03PM -0600, Steve M. Robbins wrote:
> Hi all,

Hi,

> I do understand that derivative distributions such as Ubuntu do put
> their own release entries in there.  I imagine the Ubuntu users
> understand that and can differentiate the Ubuntu release from the
> Debian one in some fashion.  However, I think that the pure
> Debian changelog should include only entries for Debian releases.

I agree with you in principle. As a principle, I do not find it
strange if things actually go differently. Anyway, I do not have any strong
preference; feel free to modify things as you wish.

> By the way, I notice that entry is targeted at experimental; what is
> the plan here?  This fix looks fine for unstable, no?  Are you
> planning some further not-for-unstable modifications?

Experimental because agreement for unstable has still to be found with
RMs; Boost is again in the middle of a transition. I am hereby asking
RMs for their advice.

cheers,
Domenico

-[ Domenico Andreoli, aka cavok
 --[ http://www.dandreoli.com/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50






Bug#461236: boost vulnerabilities

2008-01-17 Thread Jamie Strandboge
Package: boost
Version: 1.34.1-2.2
Severity: critical
Tags: patch, security 
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu hardy ubuntu-patch

boost as included in Debian is vulnerable to CVE-2008-0171 and CVE-2008-0172.
Attached is a debdiff which addresses this issue (changelog entry in debdiff
shows upstream patch sources as well).

Jamie

--
Email: [EMAIL PROTECTED]
IRC:   jdstrand
diff -u boost-1.34.1/debian/changelog boost-1.34.1/debian/changelog
--- boost-1.34.1/debian/changelog
+++ boost-1.34.1/debian/changelog
@@ -1,3 +1,16 @@
+boost (1.34.1-2.3) unstable; urgency=low
+
+  * debian/patches/05_regex_fixes.patch: fix for
+basic_regex_parser() in boost/regex/v4/basic_regex_parser.hpp to return
+error on invalid repetition of next state
+  * References
+CVE-2008-0171
+CVE-2008-0172
+http://svn.boost.org/trac/boost/changeset/42674
+http://svn.boost.org/trac/boost/changeset/42745
+
+ -- Jamie Strandboge [EMAIL PROTECTED]  Tue, 15 Jan 2008 18:22:26 +
+
 boost (1.34.1-2.2) unstable; urgency=low
 
   * Non-maintainer upload.
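Review bot: the new 1.34.1-2.3 entry is marked `urgency=low` even though it references two CVEs and the report is filed with Severity: critical and the security tag; a higher urgency would match the content. The entry also has no `Closes: #461236` line, and unlike the 1.34.1-2.2 entry below it does not state whether this is a non-maintainer upload.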
only in patch2:
unchanged:
--- boost-1.34.1.orig/boost/regex/v4/basic_regex_parser.hpp
+++ boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp
@@ -777,6 +777,7 @@
   case syntax_element_restart_continue:
   case syntax_element_jump:
   case syntax_element_startmark:
+  case syntax_element_backstep:
  // can't legally repeat any of the above:
  fail(regex_constants::error_badrepeat, m_position - m_base);
  return false;
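Review bot: the added `case syntax_element_backstep:` is not described in the changelog entry, which mentions only the "invalid repetition of next state" check. Add a changelog line for it and say which of the two referenced changesets (42674 or 42745) each parser change comes from, so the mapping to CVE-2008-0171 and CVE-2008-0172 can be audited.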
@@ -1862,6 +1863,7 @@
if(markid == -4)
{
   re_syntax_base* b = this-getaddress(expected_alt_point);
+  // Make sure we have exactly one alternative following this state:
   if(b-type != syntax_element_alt)
   {
  re_alt* alt = 
static_castre_alt*(this-insert_state(expected_alt_point, syntax_element_alt, 
sizeof(re_alt)));
@@ -1872,6 +1874,15 @@
  fail(regex_constants::error_bad_pattern, m_position - m_base);
  return false;
   }
+  // check for invalid repetition of next state:
+  b = this-getaddress(expected_alt_point);
+  b = this-getaddress(static_castre_alt*(b)-next.i, b);
+  if((b-type != syntax_element_assert_backref)
+  (b-type != syntax_element_startmark))
+  {
+ fail(regex_constants::error_badrepeat, m_position - m_base);
+ return false;
+  }
}
//
// append closing parenthesis state:
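Review bot: the second added line casts the state re-fetched from `expected_alt_point` to `re_alt*` and dereferences `next.i` without re-checking that its type is `syntax_element_alt`. The context shows an alt being inserted when it is missing, but the lines between the two hunks are not in the diff, so the invariant should be stated in a comment or asserted right before the cast. The new comment should also say why only `syntax_element_assert_backref` and `syntax_element_startmark` are accepted as the next state, since everything else is now rejected with `error_badrepeat`.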
only in patch2:
unchanged:
--- boost-1.34.1.orig/libs/regex/test/regress/test_perl_ex.cpp
+++ boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp
@@ -121,6 +121,17 @@
TEST_INVALID_REGEX((?:(a)|b)(?(?:, perl);
TEST_INVALID_REGEX((?:(a)|b)(?(?, perl);
TEST_INVALID_REGEX((?:(a)|b)(?(?a, perl);
+
+   TEST_INVALID_REGEX((?(?!#?)+), perl);
+   TEST_INVALID_REGEX((?(?=:-){0}), perl);
+   TEST_INVALID_REGEX((?(123){1}), perl);
+   TEST_INVALID_REGEX((?(?=A)*), perl);
+   TEST_INVALID_REGEX((?(?=A)+), perl);
+
+   TEST_INVALID_REGEX((?!*|^), perl);
+   TEST_INVALID_REGEX((?!*|A), perl);
+   TEST_INVALID_REGEX((?=?|A), perl);
+   TEST_INVALID_REGEX((?=*|\\B), perl);
 }
 
 void test_options()
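Review bot: all nine added cases are `TEST_INVALID_REGEX`, so the hunk only proves that the parser now rejects more input. Because the parser change accepts just two state types after the alternative and fails everything else, add at least one case showing that a well-formed conditional expression still compiles and matches, to catch a regression where valid patterns start returning `error_badrepeat`.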
only in patch2:
unchanged:
--- boost-1.34.1.orig/debian/patches/05_regex_fixes.patch
+++ boost-1.34.1/debian/patches/05_regex_fixes.patch
@@ -0,0 +1,56 @@
+diff -Naur ../unpatched/boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp 
boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp
+--- ../unpatched/boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp
2006-12-20 17:19:05.0 +
 boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp 2008-01-15 
18:20:54.0 +
+@@ -777,6 +777,7 @@
+   case syntax_element_restart_continue:
+   case syntax_element_jump:
+   case syntax_element_startmark:
++  case syntax_element_backstep:
+  // can't legally repeat any of the above:
+  fail(regex_constants::error_badrepeat, m_position - m_base);
+  return false;
+@@ -1862,6 +1863,7 @@
+if(markid == -4)
+{
+   re_syntax_base* b = this-getaddress(expected_alt_point);
++  // Make sure we have exactly one alternative following this state:
+   if(b-type != syntax_element_alt)
+   {
+  re_alt* alt = 
static_castre_alt*(this-insert_state(expected_alt_point, syntax_element_alt, 
sizeof(re_alt)));
+@@ -1872,6 +1874,15 @@
+  fail(regex_constants::error_bad_pattern, m_position - m_base);
+  return false;
+   }
++  // check for invalid repetition of next state:
++  b = this-getaddress(expected_alt_point);
++  b = this-getaddress(static_castre_alt*(b)-next.i, b);
++  if((b-type != syntax_element_assert_backref)
++  (b-type != syntax_element_startmark))
++  {
++ fail(regex_constants::error_badrepeat, m_position - m_base);
++ return false;
++  }
+}
+//
+// append closing parenthesis state:
+diff -Naur ../unpatched/boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp
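Review bot: this new `debian/patches/05_regex_fixes.patch` carries the same changes that the debdiff also applies directly to `boost/regex/v4/basic_regex_parser.hpp` and `libs/regex/test/regress/test_perl_ex.cpp` above. If the build applies the files in `debian/patches`, the patch will run against a tree that already contains the fix; keep the change in one place only, most likely by dropping the direct source edits from the diff and shipping just the patch file.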