Bug 828856 (CVE-2012-2677)

Summary: CVE-2012-2677 boost: ordered_malloc() overflow
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: colin, denis.arnaud_fedora, mnewsome, ohudlick, pertusus, redhat-bugzilla, rsawhill
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2021-10-19 21:54:37 UTC
Bug Depends On: 828857, 828858, 828860, 829941, 829943, 829945, 905554, 905556, 905557
Bug Blocks: 828863

Description Jan Lieskovsky 2012-06-05 13:25:49 UTC
A security flaw was found in the way the ordered_malloc() routine implementation in Boost, the free peer-reviewed portable C++ source libraries, performed 'next_size' and 'max_size' parameter sanitization when allocating memory. If an application using the Boost C++ source libraries for memory allocation was missing application-level checks for the safety of the 'next_size' and 'max_size' values, a remote attacker could provide a specially-crafted application-specific file (requiring runtime memory allocation for it to be processed correctly) that, when opened, would lead to that application's crash or, potentially, arbitrary code execution with the privileges of the user running the application.

CVE request:
[1] http://www.openwall.com/lists/oss-security/2012/06/05/1

Relevant upstream patch (including reproducer):
[2] https://svn.boost.org/trac/boost/changeset/78326

References:
[3] https://svn.boost.org/trac/boost/ticket/6701
[4] https://bugzilla.novell.com/show_bug.cgi?id=765443
[5] http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/

Comment 1 Jan Lieskovsky 2012-06-05 13:29:12 UTC
This issue affects the versions of the boost package, as shipped with
Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the boost package, as shipped with Fedora releases 15, 16, and 17. Please schedule an update.

This issue affects the version of the boost141 package, as shipped with Fedora release 17. Please schedule an update.

--

This issue affects the version of the boost141 package, as shipped with Fedora EPEL 5. Please schedule an update.

Comment 2 Jan Lieskovsky 2012-06-05 13:30:15 UTC
Created boost tracking bugs for this issue

Affects: fedora-all [bug 828857]

Comment 3 Jan Lieskovsky 2012-06-05 13:31:26 UTC
Created boost141 tracking bugs for this issue

Affects: fedora-17 [bug 828858]
Affects: epel-5 [bug 828860]

Comment 4 Robert Scheck 2012-06-05 23:13:06 UTC
I do not see an updated boost package in RHEL 6 yet, which boost141 is based
on. Can you please provide me the updated boost source RPM of RHEL 6, as I
could imagine that the RHEL package update is likely a combined bugfix and
security update (and thus also covers other known bugs). Thank you :)

Comment 5 Petr Machata 2012-06-06 11:30:42 UTC
That test case triggers on Fedora 15 and Fedora 16.  After adjusting to accommodate for interface changes, it triggers on RHEL 6 and RHEL 5 as well.  Interestingly, it doesn't appear to trigger on Fedora 17.  That's strange, as Fedora 17 certainly doesn't ship the fix.

Comment 6 Petr Machata 2012-06-06 20:37:27 UTC
... but that's just a happy coincidence.  When we increase next_size in the test program (dividing by e.g. 100 instead of 768), it fails anyway.  It just shifts the value at one place, avoiding this, but not solving the general problem.

The provided patch fixes the issue.  I'll proceed with spinning builds etc.
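The description above says the flaw is missing sanitization of the 'next_size' and 'max_size' values that ordered_malloc() feeds into its size arithmetic, and Petr Machata's comments say the reproducer makes the bug appear or disappear just by changing the divisor (768 vs. 100) that sets next_size. The following is an added example, not Boost's code and not the reproducer from changeset 78326: it is a simplified, hypothetical model of the size calculation a pool allocator performs when it grows (next_size * partition_size for a new block, n * requested_size for ordered_malloc(n)), first unchecked so the multiply wraps, then with the overflow checks that refuse such inputs. All names (PoolParams, block_bytes_unchecked, block_bytes_checked, chunks_for_n_checked, grow_next_size_checked) are this example's own; the doubling growth policy, the pointer-size alignment and the choice of SIZE_MAX as the value divided by 768 are assumptions, since the page does not show the reproducer.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <limits>

// Hypothetical model of a pool allocator's growth parameters (assumption:
// names and layout are this example's, not Boost's).
struct PoolParams {
    std::size_t requested_size;  // bytes per chunk handed to the caller
    std::size_t next_size;       // chunks to request in the next block
    std::size_t max_size;        // cap on next_size growth; 0 = no cap
};

// Round requested_size up to a multiple of the pointer size so each chunk
// can hold a free-list link (assumption about layout).
inline std::size_t partition_size(const PoolParams& p) {
    const std::size_t align = sizeof(void*);
    return (p.requested_size + align - 1) / align * align;
}

// Unchecked path: size_t multiplication wraps modulo 2^N, so a huge
// next_size yields a block that is far smaller than the next_size chunks
// the allocator believes it just obtained.
inline std::size_t block_bytes_unchecked(const PoolParams& p) {
    return p.next_size * partition_size(p) + sizeof(std::size_t);
}

// Checked path: test the bound *before* multiplying and refuse on overflow.
inline bool block_bytes_checked(const PoolParams& p, std::size_t& out) {
    const std::size_t ps = partition_size(p);
    const std::size_t header = sizeof(std::size_t);
    const std::size_t limit = std::numeric_limits<std::size_t>::max() - header;
    if (ps == 0 || p.next_size > limit / ps) return false;
    out = p.next_size * ps + header;
    return true;
}

// ordered_malloc(n) asks for n contiguous chunks; n * requested_size has the
// same hazard, so it gets the same guard before the division that follows.
inline bool chunks_for_n_checked(const PoolParams& p, std::size_t n, std::size_t& num_chunks) {
    const std::size_t ps = partition_size(p);
    if (ps == 0) return false;
    if (p.requested_size != 0 && n > std::numeric_limits<std::size_t>::max() / p.requested_size)
        return false;
    const std::size_t total = n * p.requested_size;
    num_chunks = total / ps + ((total % ps) ? 1 : 0);
    return true;
}

// Grow next_size for the following block while honouring max_size.
// Doubling is this example's assumed policy.
inline bool grow_next_size_checked(PoolParams& p) {
    if (p.next_size > std::numeric_limits<std::size_t>::max() / 2) return false;
    std::size_t grown = p.next_size * 2;
    if (p.max_size != 0 && grown > p.max_size) grown = p.max_size;
    p.next_size = grown;
    return true;
}

// Constructed input in the spirit of the reproducer discussed in the bug:
// next_size = SIZE_MAX / divisor (SIZE_MAX is an assumption). Returns true
// when the wrapped block holds fewer chunks than next_size claims.
inline bool unchecked_block_undersized(std::size_t divisor) {
    PoolParams p{1024, std::numeric_limits<std::size_t>::max() / divisor, 0};
    return block_bytes_unchecked(p) / partition_size(p) < p.next_size;
}

// Same constructed input through the checked path: true when it is refused.
inline bool checked_block_rejects(std::size_t divisor) {
    PoolParams p{1024, std::numeric_limits<std::size_t>::max() / divisor, 0};
    std::size_t out = 0;
    return !block_bytes_checked(p, out);
}

int main() {
    for (std::size_t divisor : {768u, 100u}) {
        std::cout << "divisor " << divisor
                  << ": unchecked undersized=" << unchecked_block_undersized(divisor)
                  << " checked rejects=" << checked_block_rejects(divisor) << '\n';
    }
    return 0;
}
```

The invariant worth checking in any allocator of this shape is that the number of chunks the block can really hold (bytes / partition_size) is never less than the count the allocator records; the unchecked path violates it for both divisors, which is why shifting the divisor only moves the problem, as Comment 6 notes.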

Comment 9 Stefan Cornelius 2012-06-07 20:30:48 UTC
The CVE identifier of CVE-2012-2677 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2012/06/07/13

Comment 14 Robert Scheck 2013-01-12 23:45:07 UTC
Looks like there hasn't been any need for Red Hat to patch this issue within
the last 6 months for RHEL 6...

Comment 22 errata-xmlrpc 2013-03-21 17:53:03 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0668 https://rhn.redhat.com/errata/RHSA-2013-0668.html

Comment 23 Fedora Update System 2013-04-07 01:28:08 UTC
boost141-1.41.0-4.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Petr Machata 2014-12-02 15:00:18 UTC
N.B. the upstream ticket is https://svn.boost.org/trac/boost/ticket/6701