Subject: Re: [boost] Microsoft Security Bulletin MS09-03: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)
From: Neil Groves (neil_at_[hidden])
Date: 2009-08-12 13:15:18


Hello,

On Wed, Aug 12, 2009 at 3:24 PM, Christian Eckstein <halserbe_at_[hidden]> wrote:

> Hi,
>
> I need to know the impact of the following security bulletin on Boost:
> Microsoft Security Bulletin MS09-03: Vulnerabilities in Visual Studio
> Active Template Library Could Allow Remote Code Execution (969706).
>
> I found usage of ATL only in the range and regex libraries and it seems
> that only string and array classes are used. None of the problematic
> methods seem to be used that are described in the checklist at
> http://msdn.microsoft.com/en-us/visualc/ee309358.aspx.
>
> - No class implements IUnknown so there is no ActiveX control.
> - No PROP_* macros are used
> - VT_* is not used
> - ReadFromStream is not used
>
> I think no modification of Boost and no recompilation of the Boost binaries
> is needed.
> I would be very happy if somebody could confirm this.
>

Boost.Range only provides adaptors to work with ATL classes that can be
adapted to ranges. This is all done as a header-only library hence if one is
not adapting ATL, one does not have an ATL dependency.

I can also confirm that even if you were to use 100% code path coverage of
the Boost.Range code that you would be free from the security issues in your
referenced article.

>
> Kind regards,
> Christian

Regards,
Neil Groves
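As an added illustration (not code from this thread, from Boost, or from Microsoft's checklist tooling), the four checklist items Christian walks through can be turned into a small source-tree audit. The regexes are my own approximation of those items, and the two sample headers are constructed for the example.

```python
import re
from pathlib import Path

# Indicators drawn from the ATL checklist items named in the thread.
# The regexes are an approximation for illustration, not Microsoft's tooling.
INDICATORS = {
    "implements IUnknown": re.compile(r"\bIUnknown\b"),
    "PROP_* property-map macro": re.compile(r"\bPROP_[A-Z_]+\b"),
    "VT_* variant type": re.compile(r"\bVT_[A-Z0-9_]+\b"),
    "ReadFromStream": re.compile(r"\bReadFromStream\b"),
}
SOURCE_EXT = {".h", ".hpp", ".cpp", ".cxx", ".cc", ".ipp"}

def scan_text(text):
    """Return {indicator: [line numbers]} for one source file's contents."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pat in INDICATORS.items():
            if pat.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def scan_tree(root):
    """Walk a source tree; report only files that hit at least one indicator."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SOURCE_EXT:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed samples (not real Boost or ATL code).
# An adaptor header of the kind the thread describes: it only names CString/CArray.
ADAPTOR_ONLY = """#include <atlstr.h>
template<class T> struct range_of_cstring { CString& s; };
template<class T> struct range_of_carray { CArray<T>& a; };
"""
# A control-like header that would need manual review under the checklist.
CONTROL_LIKE = """class CMyCtrl : public IUnknown {
  HRESULT ReadFromStream(IStream* s) { VARIANT v; v.vt = VT_BSTR; return S_OK; }
};
"""

if __name__ == "__main__":
    for label, src in (("adaptor_only", ADAPTOR_ONLY), ("control_like", CONTROL_LIKE)):
        print(label, scan_text(src) or "no checklist indicators")
```

A hit only marks a file for manual review against the bulletin's checklist; an empty report for a header-only adaptor is the textual counterpart of the conclusion reached in the thread.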


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk