Bug 828856 - (CVE-2012-2677) CVE-2012-2677 boost: ordered_malloc() overflow
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120605,repor...
Keywords: Security
Depends On: 828857 828858 828860 829941 829943 829945 905554 905556 905557
Blocks: 828863

Reported: 2012-06-05 09:25 EDT by Jan Lieskovsky
Modified: 2016-01-31 21:30 EST (History)
Doc Type: Bug Fix

Description Jan Lieskovsky 2012-06-05 09:25:49 EDT
A security flaw was found in the way the ordered_malloc() routine implementation in Boost, the free peer-reviewed portable C++ source libraries, performed 'next_size' and 'max_size' parameter sanitization when allocating memory. If an application using the Boost C++ source libraries for memory allocation was missing application-level checks for the safety of the 'next_size' and 'max_size' values, a remote attacker could provide a specially-crafted application-specific file (requiring runtime memory allocation for it to be processed correctly) that, when opened, would lead to that application crashing or, potentially, arbitrary code execution with the privileges of the user running the application.

CVE request:
[1] http://www.openwall.com/lists/oss-security/2012/06/05/1

Relevant upstream patch (including reproducer):
[2] https://svn.boost.org/trac/boost/changeset/78326

References:
[3] https://svn.boost.org/trac/boost/ticket/6701
[4] https://bugzilla.novell.com/show_bug.cgi?id=765443
[5] http://kqueue.org/blog/2012/03/05/memory-allocator-security-revisited/
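To make the sizing overflow described in this report concrete, the following is an added, simplified C++ model of the arithmetic a pool allocator performs when it turns a request for n chunks into a chunk count and grows its next_size; it is example code written for this page, not Boost's implementation, and the struct name PoolParams, the function names, and the sample values 768, 100 and 128 are illustrative choices. The unchecked variant multiplies n by requested_size in size_t with no guard, so a very large n wraps to a tiny chunk count and the block sized from it is far smaller than what the caller was promised; the checked variant computes the largest safe n (max_chunks) before multiplying, refuses anything larger, and applies the same bound when next_size is doubled against max_size. Consult the upstream patch [2] for the actual fix.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <limits>

// Illustrative model of a pool's sizing parameters (example code, not Boost's).
struct PoolParams {
    std::size_t requested_size;  // bytes per chunk as requested by the pool's user
    std::size_t partition_size;  // bytes per chunk actually carved from a block (>= requested_size)
};

// Number of chunks needed to satisfy a request for n contiguous chunks of
// requested_size bytes, rounded up to whole partition_size chunks.
//
// Unchecked form: n * requested_size is evaluated in size_t and silently wraps
// when n is large, so the result is far smaller than n.  A block sized from it
// is too small for the caller's request, and the caller then writes past its end.
std::size_t chunks_needed_unchecked(const PoolParams& p, std::size_t n) {
    const std::size_t total_req_size = n * p.requested_size;  // can wrap
    return total_req_size / p.partition_size +
           ((total_req_size % p.partition_size) ? 1 : 0);
}

// Largest n for which n * requested_size still fits in a size_t.
std::size_t max_chunks(const PoolParams& p) {
    return std::numeric_limits<std::size_t>::max() / p.requested_size;
}

// Checked form: refuse (return 0, the way a failed allocation returns nothing)
// any n that would make the multiplication wrap; only then is the product safe.
std::size_t chunks_needed_checked(const PoolParams& p, std::size_t n) {
    if (n == 0 || n > max_chunks(p)) return 0;
    const std::size_t total_req_size = n * p.requested_size;  // cannot wrap here
    return total_req_size / p.partition_size +
           ((total_req_size % p.partition_size) ? 1 : 0);
}

// Growth step: a pool doubles next_size after each refill, and max_size
// (0 = no cap) bounds it.  Bounding by max_chunks() as well keeps
// next_size * requested_size representable, and comparing against limit / 2
// keeps the doubling itself from wrapping.
std::size_t grow_next_size_checked(const PoolParams& p, std::size_t next_size,
                                   std::size_t max_size) {
    std::size_t limit = max_chunks(p);
    if (max_size != 0) limit = std::min(limit, max_size);
    if (next_size > limit / 2) return limit;  // doubling would exceed (or wrap past) limit
    return next_size * 2;
}

int main() {
    const PoolParams p{768, 768};
    const std::size_t huge = max_chunks(p) + 1;  // one past the safe maximum
    std::cout << "n = " << huge << "\n"
              << "  unchecked chunk count: " << chunks_needed_unchecked(p, huge) << "\n"
              << "  checked chunk count:   " << chunks_needed_checked(p, huge)
              << " (request refused)\n";
    return 0;
}
```

For requested_size 768, n = max_chunks + 1 wraps the product to 512 bytes on both 32- and 64-bit size_t, so the unchecked count comes out as a single chunk while the caller believes it owns n of them; the checked path returns 0 for the same n. The check-before-multiply ordering is the whole point: validating total_req_size after the multiplication is useless, because by then the wrapped value already looks plausible.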
Comment 1 Jan Lieskovsky 2012-06-05 09:29:12 EDT
This issue affects the versions of the boost package, as shipped with
Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the boost package, as shipped with Fedora releases 15, 16, and 17. Please schedule an update.

This issue affects the version of the boost141 package, as shipped with Fedora release 17. Please schedule an update.

--

This issue affects the version of the boost141 package, as shipped with Fedora EPEL 5. Please schedule an update.
Comment 2 Jan Lieskovsky 2012-06-05 09:30:15 EDT
Created boost tracking bugs for this issue

Affects: fedora-all [bug 828857]
Comment 3 Jan Lieskovsky 2012-06-05 09:31:26 EDT
Created boost141 tracking bugs for this issue

Affects: fedora-17 [bug 828858]
Affects: epel-5 [bug 828860]
Comment 4 Robert Scheck 2012-06-05 19:13:06 EDT
I do not see an updated boost package in RHEL 6 yet, on which boost141 is based. Can you please provide me with the updated boost source RPM of RHEL 6, as I could imagine that the RHEL package update is likely a combined bugfix and security update (and thus also covers other known bugs). Thank you :)
Comment 5 Petr Machata 2012-06-06 07:30:42 EDT
That test case triggers on Fedora 15 and Fedora 16. After adjusting it to accommodate interface changes, it triggers on RHEL 6 and RHEL 5 as well. Interestingly, it doesn't appear to trigger on Fedora 17. That's strange, as Fedora 17 certainly doesn't ship the fix.
Comment 6 Petr Machata 2012-06-06 16:37:27 EDT
... but that's just a happy coincidence.  When we increase next_size in the test program (dividing by e.g. 100 instead of 768), it fails anyway.  It just shifts the value at one place, avoiding this, but not solving the general problem.

The provided patch fixes the issue.  I'll proceed with spinning builds etc.
Comment 9 Stefan Cornelius 2012-06-07 16:30:48 EDT
The CVE identifier of CVE-2012-2677 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2012/06/07/13
Comment 14 Robert Scheck 2013-01-12 18:45:07 EST
Looks like there hasn't been any need for Red Hat to patch this issue within the last 6 months for RHEL 6...
Comment 22 errata-xmlrpc 2013-03-21 13:53:03 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0668 https://rhn.redhat.com/errata/RHSA-2013-0668.html
Comment 23 Fedora Update System 2013-04-06 21:28:08 EDT
boost141-1.41.0-4.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Petr Machata 2014-12-02 10:00:18 EST
N.B. the upstream ticket is https://svn.boost.org/trac/boost/ticket/6701
