From: Wei Cai <wei....@windriver.com>
[ CQID: WIND00366777 ]
A security flaw was found in the way ordered_malloc() routine implementation in
Boost, the free peer-reviewed portable C++ source libraries, performed
'next-size'
and 'max_size' parameters sanitization, when allocating memory. If an
application,
using the Boost C++ source libraries for memory allocation, was missing
application-level checks for safety of 'next_size' and 'max_size' values, a
remote
attacker could provide a specially-crafted application-specific file (requiring
runtime memory allocation it to be processed correctly) that, when opened would
lead
to that application crash, or, potentially arbitrary code execution with the
privileges of the user running the application.
Signed-off-by: Wei Cai <wei....@windriver.com>
Signed-off-by: Robert Yang <liezhi.y...@windriver.com>
Signed-off-by: Mark Hatle <mark.ha...@windriver.com>
---
meta/recipes-support/boost/boost_1.49.0.bb | 5 ++--
.../boost/files/boost-CVE-2012-2677.patch | 30 ++++++++++++++++++++++
2 files changed, 33 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-support/boost/files/boost-CVE-2012-2677.patch
diff --git a/meta/recipes-support/boost/boost_1.49.0.bb
b/meta/recipes-support/boost/boost_1.49.0.bb
index 71fdc48..b0094c1 100644
--- a/meta/recipes-support/boost/boost_1.49.0.bb
+++ b/meta/recipes-support/boost/boost_1.49.0.bb
@@ -2,9 +2,10 @@ include boost.inc
LIC_FILES_CHKSUM =
"file://LICENSE_1_0.txt;md5=e4224ccaecb14d942c71d31bef20d78c"
-PR = "${INC_PR}.0"
+PR = "${INC_PR}.1"
-SRC_URI += "file://arm-intrinsics.patch"
+SRC_URI += "file://arm-intrinsics.patch \
+ file://boost-CVE-2012-2677.patch"
SRC_URI[md5sum] = "0d202cb811f934282dea64856a175698"
SRC_URI[sha256sum] =
"dd748a7f5507a7e7af74f452e1c52a64e651ed1f7263fce438a06641d2180d3c"
diff --git a/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch
b/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch
new file mode 100644
index 0000000..42e813d
--- /dev/null
+++ b/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch
@@ -0,0 +1,30 @@
+--- a/boost/pool/pool.hpp.orig
++++ b/boost/pool/pool.hpp
+@@ -11,6 +11,8 @@
+
+ #include <boost/config.hpp> // for workarounds
+
++// std::numeric_limits
++#include <boost/limits.hpp>
+ // std::less, std::less_equal, std::greater
+ #include <functional>
+ // new[], delete[], std::nothrow
+@@ -792,7 +794,8 @@
+ { //! Gets address of a chunk n, allocating new memory if not already
available.
+ //! \returns Address of chunk n if allocated ok.
+ //! \returns 0 if not enough memory for n chunks.
+-
++ if (requested_size && (n > (std::numeric_limits<size_type>::max)() /
requested_size))
++ return 0;
+ const size_type partition_size = alloc_size();
+ const size_type total_req_size = n * requested_size;
+ const size_type num_chunks = total_req_size / partition_size +
+@@ -975,6 +978,8 @@
+ {
+ if(max_alloc_size && (n > max_alloc_size))
+ return 0;
++ if(chunk_size && (n > (std::numeric_limits<size_type>::max)() /
chunk_size))
++ return 0;
+ void* ret = (user_allocator::malloc)(chunk_size * n);
+ used_list.insert(ret);
+ return ret;
--
1.8.1.2.545.g2f19ada
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core
