Boost logo

Boost :

Subject: Re: [boost] [Locale] Security bug announcement - UTF-8 validation
From: Eric Niebler (eric_at_[hidden])
Date: 2013-01-04 14:42:05


On 1/4/2013 6:28 AM, Artyom Beilis wrote:
>> From: Andrey Semashev <andrey.semashev_at_[hidden]>
>> On Friday 04 January 2013 06:15:27 Artyom Beilis wrote:
>>> Hello,
>>>
>>> Boost.Locale library in Boost 1.48 to 1.52 including has a security flow.
>>>
>>> boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences.
>>>
>>> Applications that used these functions for UTF-8 input validation could
>>> expose themself to security threats as invalid UTF-8 sequece would be
>>> considered as valid.
>>>
>>> This bug is fixed in upcoming Boost 1.53.
>>>
>>> For more details see: https://svn.boost.org/trac/boost/ticket/7743
>>>
>>> Users who can't upgrade to the latest versions may apply the following patch
>>> to fix the problem.
>>>
>>> http://cppcms.com/files/locale/boost_locale_utf.patch
>>
>> Perhaps, this should be announced in 1.53 release notes?
>
> It is in release notes quoting:
>
> Locale:
> * Security related bug fix, some invalid UTF-8 sequences where accepted as valid #7743 Also maybe it need to be more
>
> Release managers, maybe we need to make it bolder?

Yes, I think this warrants a bolder announcement, like the one we did
last release for the potentially breaking result_of change. Here I'm
thinking of the red warning on the front page, not necessarily a
separate page describing the issue. The red warning could simply link
directly to the 1.53 release notes.

Daniel, thoughts?

-- 
Eric Niebler
BoostPro Computing
http://www.boostpro.com

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk