Package: boost Version: 1.34.1-2.2 Severity: critical Tags: patch, security User: [EMAIL PROTECTED] Usertags: origin-ubuntu hardy ubuntu-patch
boost as included in Debian is vulnerable to CVE-2008-0171 and CVE-2008-0172. Attached is a debdiff which addresses this issue (changelog entry in debdiff shows upstream patch sources as well). Jamie -- Email: [EMAIL PROTECTED] IRC: jdstrand
diff -u boost-1.34.1/debian/changelog boost-1.34.1/debian/changelog
--- boost-1.34.1/debian/changelog
+++ boost-1.34.1/debian/changelog
@@ -1,3 +1,16 @@
+boost (1.34.1-2.3) unstable; urgency=low
+
+ * debian/patches/05_regex_fixes.patch: fix for
+ basic_regex_parser() in boost/regex/v4/basic_regex_parser.hpp to return
+ error on invalid repetition of next state
+ * References
+ CVE-2008-0171
+ CVE-2008-0172
+ http://svn.boost.org/trac/boost/changeset/42674
+ http://svn.boost.org/trac/boost/changeset/42745
+
+ -- Jamie Strandboge <[EMAIL PROTECTED]> Tue, 15 Jan 2008 18:22:26 +0000
+
 boost (1.34.1-2.2) unstable; urgency=low
 
 * Non-maintainer upload.
only in patch2: unchanged:
--- boost-1.34.1.orig/boost/regex/v4/basic_regex_parser.hpp
+++ boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp
@@ -777,6 +777,7 @@
 case syntax_element_restart_continue:
 case syntax_element_jump:
 case syntax_element_startmark:
+ case syntax_element_backstep:
 // can't legally repeat any of the above:
 fail(regex_constants::error_badrepeat, m_position - m_base);
 return false;
@@ -1862,6 +1863,7 @@
 if(markid == -4)
 {
 re_syntax_base* b = this->getaddress(expected_alt_point);
+ // Make sure we have exactly one alternative following this state:
 if(b->type != syntax_element_alt)
 {
 re_alt* alt = static_cast<re_alt*>(this->insert_state(expected_alt_point, syntax_element_alt, sizeof(re_alt)));
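Review bot: The `case syntax_element_backstep:` label added in the -777 hunk joins what reads as a hand-maintained list of states that may not be repeated, and the existing comment `// can't legally repeat any of the above:` does not say what qualifies a state for that list. The switch begins and ends outside the hunk, so whether other state types fall through to a permissive default cannot be seen from here; if they do, every future state of this kind has to be added by hand, which is the omission this line corrects. I would extend the comment to something like `// control / zero-width states: a repeat applied to any of these is rejected at parse time`, and check the remaining `syntax_element_*` values against the list once more.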
@@ -1872,6 +1874,15 @@
 fail(regex_constants::error_bad_pattern, m_position - m_base);
 return false;
 }
+ // check for invalid repetition of next state:
+ b = this->getaddress(expected_alt_point);
+ b = this->getaddress(static_cast<re_alt*>(b)->next.i, b);
+ if((b->type != syntax_element_assert_backref)
+ && (b->type != syntax_element_startmark))
+ {
+ fail(regex_constants::error_badrepeat, m_position - m_base);
+ return false;
+ }
 }
 //
 // append closing parenthesis state:
only in patch2: unchanged:
--- boost-1.34.1.orig/libs/regex/test/regress/test_perl_ex.cpp
+++ boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp
@@ -121,6 +121,17 @@
 TEST_INVALID_REGEX("(?:(a)|b)(?(?:", perl);
 TEST_INVALID_REGEX("(?:(a)|b)(?(?<", perl);
 TEST_INVALID_REGEX("(?:(a)|b)(?(?<a", perl);
+
+ TEST_INVALID_REGEX("(?(?!#?)+)", perl);
+ TEST_INVALID_REGEX("(?(?=:-){0})", perl);
+ TEST_INVALID_REGEX("(?(123){1})", perl);
+ TEST_INVALID_REGEX("(?(?<=A)*)", perl);
+ TEST_INVALID_REGEX("(?(?<=A)+)", perl);
+
+ TEST_INVALID_REGEX("(?<!*|^)", perl);
+ TEST_INVALID_REGEX("(?<!*|A)", perl);
+ TEST_INVALID_REGEX("(?<=?|A)", perl);
+ TEST_INVALID_REGEX("(?<=*|\\B)", perl);
 }
 
 void test_options()
only in patch2: unchanged:
--- boost-1.34.1.orig/debian/patches/05_regex_fixes.patch
+++ boost-1.34.1/debian/patches/05_regex_fixes.patch
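Review bot: The block added in the -1872 hunk casts `b` to `re_alt*` and reads `next.i` without saying why that is safe, and its comment `// check for invalid repetition of next state:` does not explain the two accepted types. The cast appears to rely on the preceding branch, part of which lies outside the hunk, having ensured that the state at `expected_alt_point` is a `syntax_element_alt`, and the second `getaddress(expected_alt_point)` is presumably there because `insert_state` can move the state storage and leave the earlier `b` stale. I would document both in place, e.g. `// re-read b: insert_state() above may have moved the states. The state after the alt must be the condition itself (assert_backref or startmark); anything else is treated as a repeat applied to the condition.` The enclosing function begins and ends outside the hunk.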
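Review bot: The nine added `TEST_INVALID_REGEX` cases only pin that the malformed patterns are rejected; nothing in this hunk pins that well-formed conditional expressions still compile now that the parser accepts only `syntax_element_assert_backref` and `syntax_element_startmark` after the alternative. If the file does not already cover those outside the hunk, one positive case per accepted form next to these lines would catch an over-strict check. A short comment above each group, such as `// conditional whose condition is followed by a repeat` and `// lookbehind whose first branch starts with a repeat`, would also tell the next reader what each group guards. The function holding these lines starts outside the hunk.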
@@ -0,0 +1,56 @@
+diff -Naur ../unpatched/boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp
+--- ../unpatched/boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp 2006-12-20 17:19:05.000000000 +0000
++++ boost-1.34.1/boost/regex/v4/basic_regex_parser.hpp 2008-01-15 18:20:54.000000000 +0000
+@@ -777,6 +777,7 @@
+ case syntax_element_restart_continue:
+ case syntax_element_jump:
+ case syntax_element_startmark:
++ case syntax_element_backstep:
+ // can't legally repeat any of the above:
+ fail(regex_constants::error_badrepeat, m_position - m_base);
+ return false;
+@@ -1862,6 +1863,7 @@
+ if(markid == -4)
+ {
+ re_syntax_base* b = this->getaddress(expected_alt_point);
++ // Make sure we have exactly one alternative following this state:
+ if(b->type != syntax_element_alt)
+ {
+ re_alt* alt = static_cast<re_alt*>(this->insert_state(expected_alt_point, syntax_element_alt, sizeof(re_alt)));
+@@ -1872,6 +1874,15 @@
+ fail(regex_constants::error_bad_pattern, m_position - m_base);
+ return false;
+ }
++ // check for invalid repetition of next state:
++ b = this->getaddress(expected_alt_point);
++ b = this->getaddress(static_cast<re_alt*>(b)->next.i, b);
++ if((b->type != syntax_element_assert_backref)
++ && (b->type != syntax_element_startmark))
++ {
++ fail(regex_constants::error_badrepeat, m_position - m_base);
++ return false;
++ }
+ }
+ //
+ // append closing parenthesis state:
+diff -Naur ../unpatched/boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp
+--- ../unpatched/boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp 2005-09-14 12:20:08.000000000 +0000
++++ boost-1.34.1/libs/regex/test/regress/test_perl_ex.cpp 2008-01-15 18:20:54.000000000 +0000
+@@ -121,6 +121,17 @@
+ TEST_INVALID_REGEX("(?:(a)|b)(?(?:", perl);
+ TEST_INVALID_REGEX("(?:(a)|b)(?(?<", perl);
+ TEST_INVALID_REGEX("(?:(a)|b)(?(?<a", perl);
++
++ TEST_INVALID_REGEX("(?(?!#?)+)", perl);
++ TEST_INVALID_REGEX("(?(?=:-){0})", perl);
++ TEST_INVALID_REGEX("(?(123){1})", perl);
++ TEST_INVALID_REGEX("(?(?<=A)*)", perl);
++ TEST_INVALID_REGEX("(?(?<=A)+)", perl);
++
++ TEST_INVALID_REGEX("(?<!*|^)", perl);
++ TEST_INVALID_REGEX("(?<!*|A)", perl);
++ TEST_INVALID_REGEX("(?<=?|A)", perl);
++ TEST_INVALID_REGEX("(?<=*|\\B)", perl);
+ }
+
+ void test_options()
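Review bot: The hunks inside this new debian/patches/05_regex_fixes.patch are the same three changes to basic_regex_parser.hpp and the same test additions that this debdiff also applies directly to the upstream files, in the sections marked "only in patch2". If the package build applies debian/patches after unpacking, the patch will meet an already-patched tree and either fail or be skipped, and the source package no longer shows which copy is authoritative. I would ship only one of the two, most likely the debian/patches file with the upstream tree left untouched, and confirm in the build log that 05_regex_fixes.patch applies cleanly. The changelog entry for this upload also says `urgency=low`, which is worth a second look against the report's `Severity: critical`.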