Subject: Re: [boost] [Locale] Security bug announcement - UTF-8 validation
From: Eric Niebler (eric_at_[hidden])
Date: 2013-01-04 14:42:05

On 1/4/2013 6:28 AM, Artyom Beilis wrote:
>> From: Andrey Semashev <andrey.semashev_at_[hidden]>
>> On Friday 04 January 2013 06:15:27 Artyom Beilis wrote:
>>> Hello,
>>> Boost.Locale library in Boost 1.48 to 1.52 including has a security flaw.
>>> boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences.
>>> Applications that used these functions for UTF-8 input validation could
>>> expose themselves to security threats as an invalid UTF-8 sequence would be
>>> considered as valid.
>>> This bug is fixed in upcoming Boost 1.53.
>>> For more details see:
>>> Users who can't upgrade to the latest versions may apply the following patch
>>> to fix the problem.
>> Perhaps, this should be announced in 1.53 release notes?
> It is in release notes quoting:
> Locale:
> * Security related bug fix, some invalid UTF-8 sequences were accepted as valid #7743 Also maybe it needs to be more
> Release managers, maybe we need to make it bolder?

Yes, I think this warrants a bolder announcement, like the one we did
last release for the potentially breaking result_of change. Here I'm
thinking of the red warning on the front page, not necessarily a
separate page describing the issue. The red warning could simply link
directly to the 1.53 release notes.

Daniel, thoughts?

Eric Niebler
BoostPro Computing

Boost list run by bdawes at, gregod at, cpdaniel at, john at
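The announcement above does not say which sequences the affected `utf_traits` accepted, so the following is an added, stand-alone illustration of the general failure mode it warns about, not Boost.Locale code and not the patch referenced in the thread. It places a deliberately lax checker, constructed here for contrast, which only verifies lead/continuation byte structure, beside a strict RFC 3629 validator that also rejects overlong forms, UTF-16 surrogates and code points above U+10FFFF. The byte strings in `main` are constructed samples; the function names `is_structurally_utf8_lax`, `is_valid_utf8_range` and `is_valid_utf8` are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Lax checker, constructed for contrast (NOT Boost.Locale's code): it only
// checks that each lead byte is followed by the right number of continuation
// bytes and never inspects the decoded value, so overlong encodings,
// surrogates and code points above U+10FFFF all pass. A validator with this
// shape is exactly what lets "invalid UTF-8 considered valid" happen.
bool is_structurally_utf8_lax(const std::string& s) {
    const unsigned char* p = reinterpret_cast<const unsigned char*>(s.data());
    const unsigned char* end = p + s.size();
    while (p < end) {
        unsigned char c = *p;
        std::size_t len;
        if (c < 0x80) len = 1;
        else if ((c & 0xE0) == 0xC0) len = 2;   // accepts 0xC0/0xC1 leads (overlong)
        else if ((c & 0xF0) == 0xE0) len = 3;
        else if ((c & 0xF8) == 0xF0) len = 4;   // accepts 0xF5..0xF7 leads (> U+10FFFF)
        else return false;
        if (static_cast<std::size_t>(end - p) < len) return false;  // truncated
        for (std::size_t i = 1; i < len; ++i)
            if ((p[i] & 0xC0) != 0x80) return false;               // not a continuation
        p += len;
    }
    return true;
}

// Strict validator per RFC 3629: the lead-byte table already excludes 0xC0,
// 0xC1 and 0xF5..0xFF, and the decoded value is range-checked so that
// overlong 3/4-byte forms, U+D800..U+DFFF and anything above U+10FFFF fail.
bool is_valid_utf8_range(const unsigned char* p, const unsigned char* end) {
    while (p < end) {
        unsigned char c = *p;
        if (c < 0x80) { ++p; continue; }          // ASCII
        std::size_t len;
        std::uint32_t cp;
        if (c >= 0xC2 && c <= 0xDF)      { len = 2; cp = c & 0x1F; }
        else if (c >= 0xE0 && c <= 0xEF) { len = 3; cp = c & 0x0F; }
        else if (c >= 0xF0 && c <= 0xF4) { len = 4; cp = c & 0x07; }
        else return false;  // stray continuation byte or out-of-range lead
        if (static_cast<std::size_t>(end - p) < len) return false;  // truncated
        for (std::size_t i = 1; i < len; ++i) {
            unsigned char cc = p[i];
            if ((cc & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (cc & 0x3F);
        }
        // Value checks: shortest-form encoding only, no surrogates, <= U+10FFFF
        if (len == 3 && (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))) return false;
        if (len == 4 && (cp < 0x10000 || cp > 0x10FFFF)) return false;
        p += len;
    }
    return true;
}

bool is_valid_utf8(const std::string& s) {
    const unsigned char* b = reinterpret_cast<const unsigned char*>(s.data());
    return is_valid_utf8_range(b, b + s.size());
}

int main() {
    // Constructed samples: the first four are well-formed, the rest are not.
    struct Sample { const char* label; std::string bytes; } samples[] = {
        {"ascii",                  "abc"},
        {"U+00E9 (2 bytes)",       "\xC3\xA9"},
        {"U+20AC (3 bytes)",       "\xE2\x82\xAC"},
        {"U+1F600 (4 bytes)",      "\xF0\x9F\x98\x80"},
        {"overlong '/' C0 AF",     "\xC0\xAF"},
        {"overlong '/' E0 80 AF",  "\xE0\x80\xAF"},
        {"surrogate U+D800",       "\xED\xA0\x80"},
        {"U+110000 (too large)",   "\xF4\x90\x80\x80"},
        {"truncated E2 82",        "\xE2\x82"},
        {"stray continuation 80",  "\x80"},
    };
    for (const Sample& s : samples)
        std::printf("%-26s lax=%d strict=%d\n", s.label,
                    (int)is_structurally_utf8_lax(s.bytes), (int)is_valid_utf8(s.bytes));
    return 0;
}
```

The four value-level rejections in the strict validator (two overlong forms, a surrogate and an out-of-range code point) are the cases the lax checker accepts; any input filter built on the lax shape lets a second decoder downstream see bytes the filter believed it had screened.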