Bug 802955

Summary: Boost.Locale library in Boost 1.48 to 1.52 including has a security flaw
Product: [openSUSE] openSUSE Tumbleweed Reporter: Dave Plater <davejplater>
Component: SecurityAssignee: Security Team bot <security-team>
Status: RESOLVED DUPLICATE QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: crrodriguez
Version: 13.1 Beta 1   
Target Milestone: ---   
Hardware: x86   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Dave Plater 2013-02-09 07:00:34 UTC 
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0

Searching for a solution to a locale build problem I found this notice at
http://www.boost.org/users/news/boost_locale_security_notice.html
:
Boost.Locale library in Boost 1.48 to 1.52 including has a security flaw.

boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences.

Applications that used these functions for UTF-8 input validation could expose themselves to security threats as invalid UTF-8 sequece would be considered as valid.

This bug is fixed in upcoming Boost 1.53.

For more details see: #7743

Users who can't upgrade to the latest versions may apply the following patch to fix the problem.

http://cppcms.com/files/locale/boost_locale_utf.patch


boost in "devel:libraries:c_c++ / boost" is version 1.49

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Comment 1 Dave Plater 2013-02-09 07:02:57 UTC 
cc'ed boost bug owner
Comment 2 Marcus Meissner 2013-02-09 13:42:32 UTC 
dup

*** This bug has been marked as a duplicate of bug 801991 ***