CVE-2013-0252: Input Validation

Published Feb 4, 2013
·
Updated

A security flaw was found in the way UTF-8 decoder of boost, set of free peer-reviewed portable C++ source libraries, performed validation of certain UTF-8 encoded sequences. If an application, linked against boost used the UTF-8 decoding routines for input validation (and depended at the results), an attacker could use this flaw to confuse the validator into (errorneously) accepting them as valid.

Upstream bug report: [1] https://svn.boost.org/trac/boost/ticket/7743

Upstream advisory: [2] http://www.boost.org/users/news/boostlocalesecuritynotice.html

Relevant upstream patch: [3] http://cppcms.com/files/locale/boostlocaleutf.patch

References: [4] http://www.openwall.com/lists/oss-security/2013/02/04/1 [5] http://www.openwall.com/lists/oss-security/2013/02/04/2

Other sources

boost::locale::utf::utftraits in the Boost.Locale library in Boost 1.48 through 1.52 does not properly detect certain invalid UTF-8 sequences, which might allow remote attackers to bypass input validation protection mechanisms via crafted trailing bytes.

MITRE

Affected Software

5 affected components
boost boost=1.48.0
boost boost=1.49.0
boost boost=1.50.0
boost boost=1.51.0
boost boost=1.52.0

Event History

Feb 4, 2013
Data Sourced
02:20 PM
DescriptionSeverityAffected Software
Mar 12, 2013
CVE Published
via MITRE·09:00 PM
Data Sourced
via MITRE·09:00 PM
Description
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2013-0252?

CVE-2013-0252 has been classified as a medium severity vulnerability due to its potential impact on applications relying on improper UTF-8 input validation.

2

How do I fix CVE-2013-0252?

To fix CVE-2013-0252, you should update your Boost library to version 1.53.0 or later, where the vulnerability has been addressed.

3

What versions of Boost are affected by CVE-2013-0252?

CVE-2013-0252 affects Boost versions 1.48.0 through 1.52.0.

4

How does CVE-2013-0252 impact applications?

Applications linked against vulnerable versions of Boost may misinterpret UTF-8 encoded sequences, leading to potential security risks.

5

Is it safe to use Boost versions earlier than 1.53.0 after CVE-2013-0252?

It is unsafe to use Boost versions earlier than 1.53.0, as they are susceptible to the vulnerabilities outlined in CVE-2013-0252.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203