On 18/04/2024 07:52, kamallochan Jena via Boost-users wrote:
Hello everyone,
Hope you all are doing well.
There is a Vulnerability reported on Boost library as mentioned
below. Any guidance or assistance or reply to this mail would be
greatly appreciated.
*Vulnerability ID:* BDSA-2018-2656
*Vulnerability Details:*
Boost has a flaw in the function
boost::re_detail_NUMBER::basic_regex_creator which can lead to a
buffer over-read. An attacker can craft and send a malicious file
which will trigger the buffer over-read, leading to a denial-of-service.
Few query w.r.t boost::re_detail_NUMBER::basic_regex_creator() function:
1. Does Boost.Regex library or any Boost library internally use this
function?
Yes, of course.
2. If the answer is yes, Which all libraries use this function?
No idea.
3. Is this a known vulnerability and is it fixed in the latest Boost
version? please provide some insights like (any change list or file
name etc).
If you follow the links to
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6708 you'll see it
marked as fixed back in 2018.
John.
_______________________________________________
Boost-users mailing list
Boost-users@lists.boost.org
https://lists.boost.org/mailman/listinfo.cgi/boost-users
