Boost logo

Boost :

Subject: Re: [boost] [Locale] Security bug announcement - UTF-8 validation
From: Jookia (166291_at_[hidden])
Date: 2013-01-04 10:00:37


On 05/01/13 01:15, Artyom Beilis wrote:
> Hello,
>
> Boost.Locale library in Boost 1.48 to 1.52 including has a security flow.
>
> boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences.
>
> Applications that used these functions for UTF-8 input validation could
> expose themself to security threats as invalid UTF-8 sequece would be
> considered as valid.
>
> This bug is fixed in upcoming Boost 1.53.
>
> For more details see: https://svn.boost.org/trac/boost/ticket/7743
>
> Users who can't upgrade to the latest versions may apply the following patch to
> fix the problem.
>
>
> http://cppcms.com/files/locale/boost_locale_utf.patch
>
>
> Regards,
>
> Artyom Beilis
> --------------
> CppCMS - C++ Web Framework: http://cppcms.com/
> CppDB - C++ SQL Connectivity: http://cppcms.com/sql/cppdb/
>
> _______________________________________________
> Unsubscribe & other changes: http://lists.boost.org/mailman/listinfo.cgi/boost
>

Hello,

Pardon my ignorance, but how would an invalid UTF-8 sequence cause a
security threat? All I can think it would do is create garbage.

I don't mean every day security threats, I mean any.

Thanks,
Jookia.


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk