Subject: Re: [boost] Microsoft Security Bulletin MS09-03: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)
From: Neil Groves (neil_at_[hidden])
Date: 2009-08-12 13:15:18
On Wed, Aug 12, 2009 at 3:24 PM, Christian Eckstein <halserbe_at_[hidden]> wrote:
> I need to know the impact of the following security bulletin on Boost:
> Microsoft Security Bulletin MS09-03: Vulnerabilities in Visual Studio
> Template Library Could Allow Remote Code Execution (969706).
> I found usage of ATL only in the range and regex libraries and it seems
> that only string and array classes are used. None of the problematic
> seem to be used that are described in the checklist at
> - No class implements IUnknown so there is no ActiveX control.
> - No PROP_* macros are used
> - VT_* is not used
> - ReadFromStream is not used
> I think no modification of Boost and no recompilation of the Boost binaries
> is needed.
> I would be very happy if somebody could confirm this.
Boost.Range only provides adaptors to work with ATL classes that can be
adapted to ranges. This is all done as a header-only library hence if one is
not adapting ATL, one does not have an ATL dependency.
I can also confirm that even if you were to use 100% code path coverage of
the Boost.Range code that you would be free from the security issues in your
> Kind regards,
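
The manual check described in the quoted message (searching a source tree for the checklist's markers) can be automated; the following is an added example, not part of the original thread and not Boost or Microsoft code. The marker names come from the quoted checklist items; the ATL include pattern, the file suffix list and the function names are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Markers taken from the checklist items quoted in the message above.
# ATL_INCLUDE is an added assumption used to spot any ATL dependency at all.
MARKERS = {
    "IUnknown": re.compile(r"\bIUnknown\b"),
    "PROP_*": re.compile(r"\bPROP_[A-Z0-9_]+\b"),
    "VT_*": re.compile(r"\bVT_[A-Z0-9_]+\b"),
    "ReadFromStream": re.compile(r"\bReadFromStream\b"),
    "ATL_INCLUDE": re.compile(r'#\s*include\s*[<"]atl\w*\.h[>"]', re.I),
}
SOURCE_SUFFIXES = {".h", ".hpp", ".hxx", ".ipp", ".c", ".cc", ".cpp", ".cxx"}


def scan_text(text):
    """Return (line_number, marker, matched_text) for each hit outside // comments."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # crude: ignores /* */ and "//" in strings
        for name, pattern in MARKERS.items():
            for match in pattern.finditer(code):
                hits.append((number, name, match.group(0)))
    return hits


def scan_tree(root):
    """Map each source file under root to its hits; files with none are omitted."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SOURCE_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    report = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for filename, hits in report.items():
        for number, name, matched in hits:
            print(f"{filename}:{number}: {name}: {matched}")
    # Exit non-zero only when a checklist marker (not just an ATL include) appears.
    flagged = any(n != "ATL_INCLUDE" for hits in report.values() for _, n, _ in hits)
    sys.exit(1 if flagged else 0)
```

A hit is only a pointer for manual review: the script matches names, not how they are used.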