Subject: Re: [boost] [Locale] Security bug announcement - UTF-8 validation
From: Eric Niebler (eric_at_[hidden])
Date: 2013-01-04 14:42:05
On 1/4/2013 6:28 AM, Artyom Beilis wrote:
>> From: Andrey Semashev <andrey.semashev_at_[hidden]>
>> On Friday 04 January 2013 06:15:27 Artyom Beilis wrote:
>>> Boost.Locale library in Boost 1.48 to 1.52 including has a security flaw.
>>> boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences.
>>> Applications that used these functions for UTF-8 input validation could
>>> expose themselves to security threats as invalid UTF-8 sequence would be
>>> considered as valid.
>>> This bug is fixed in upcoming Boost 1.53.
>>> For more details see: https://svn.boost.org/trac/boost/ticket/7743
>>> Users who can't upgrade to the latest versions may apply the following patch
>>> to fix the problem.
>> Perhaps, this should be announced in 1.53 release notes?
> It is in release notes quoting:
> * Security related bug fix, some invalid UTF-8 sequences were accepted as valid #7743 Also maybe it needs to be more
> Release managers, maybe we need to make it bolder?
Yes, I think this warrants a bolder announcement, like the one we did
last release for the potentially breaking result_of change. Here I'm
thinking of the red warning on the front page, not necessarily a
separate page describing the issue. The red warning could simply link
directly to the 1.53 release notes.
-- Eric Niebler BoostPro Computing http://www.boostpro.com
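For readers who want to check their own input-validation path against the class of bug described in the quoted announcement, here is an added example of a strict UTF-8 validator written for this thread; it is not Boost.Locale's utf_traits code and makes no claim about which specific sequences Boost 1.48 to 1.52 accepted. It follows the RFC 3629 byte-range table, so overlong forms, UTF-16 surrogates, code points above U+10FFFF, truncated sequences and stray continuation bytes are all rejected.

```cpp
#include <cstddef>
#include <string>

// Strict UTF-8 well-formedness check (RFC 3629 table). Added example,
// not Boost.Locale code. Returns true only for well-formed input.
bool is_valid_utf8(const std::string& s) {
    const unsigned char* p = reinterpret_cast<const unsigned char*>(s.data());
    const std::size_t n = s.size();
    std::size_t i = 0;
    while (i < n) {
        const unsigned char b0 = p[i];
        if (b0 < 0x80) { ++i; continue; }          // single-byte ASCII
        std::size_t len;
        unsigned char lo = 0x80, hi = 0xBF;        // allowed range of 2nd byte
        if (b0 >= 0xC2 && b0 <= 0xDF) {
            len = 2;                               // C0/C1 excluded: overlong
        } else if (b0 >= 0xE0 && b0 <= 0xEF) {
            len = 3;
            if (b0 == 0xE0) lo = 0xA0;             // E0 80..9F is overlong
            if (b0 == 0xED) hi = 0x9F;             // ED A0..BF is a surrogate
        } else if (b0 >= 0xF0 && b0 <= 0xF4) {
            len = 4;
            if (b0 == 0xF0) lo = 0x90;             // F0 80..8F is overlong
            if (b0 == 0xF4) hi = 0x8F;             // F4 90.. is above U+10FFFF
        } else {
            return false;                          // 80..C1 and F5..FF never lead
        }
        if (n - i < len) return false;             // truncated at end of input
        const unsigned char b1 = p[i + 1];
        if (b1 < lo || b1 > hi) return false;      // lead-specific 2nd byte check
        for (std::size_t k = 2; k < len; ++k) {    // remaining continuation bytes
            const unsigned char bk = p[i + k];
            if (bk < 0x80 || bk > 0xBF) return false;
        }
        i += len;
    }
    return true;
}
```

The constructed inputs in the test below cover each rejection rule once; a lenient decoder that maps an overlong "\xC0\xAF" to '/' is exactly the kind of behaviour a downstream path-or-quote filter must not be exposed to.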
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk