REDHAT-BUG-907481: Input Validation
A security flaw was found in the way the UTF-8 decoder of Boost, a set of free peer-reviewed portable C++ source libraries, validated certain UTF-8 encoded sequences. If an application linked against Boost used the UTF-8 decoding routines for input validation (and depended on their results), an attacker could use this flaw to make the validator erroneously accept malformed sequences as valid.
Upstream bug report: [1] https://svn.boost.org/trac/boost/ticket/7743
Upstream advisory: [2] http://www.boost.org/users/news/boostlocalesecuritynotice.html
Relevant upstream patch: [3] http://cppcms.com/files/locale/boostlocaleutf.patch
References: [4] http://www.openwall.com/lists/oss-security/2013/02/04/1 [5] http://www.openwall.com/lists/oss-security/2013/02/04/2
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-907481?
The severity of REDHAT-BUG-907481 is considered moderate due to potential input validation issues.
How do I fix REDHAT-BUG-907481?
To fix REDHAT-BUG-907481, update to the latest version of Boost that addresses the UTF-8 decoding issue.
What are the risks associated with REDHAT-BUG-907481?
The risks associated with REDHAT-BUG-907481 include data corruption and potential security vulnerabilities from improper UTF-8 input handling.
Which versions of Boost are affected by REDHAT-BUG-907481?
All versions of Boost that implement the flawed UTF-8 decoding routines are affected by REDHAT-BUG-907481.
Is there a workaround for REDHAT-BUG-907481?
A temporary workaround for REDHAT-BUG-907481 may include manually validating UTF-8 encoded sequences before processing them.
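The workaround above amounts to validating the byte sequences yourself before any decoder output is trusted. The following is an added example, not Boost.Locale code and not the upstream patch: a stand-alone strict validator that accepts exactly the well-formed byte sequences of RFC 3629 (Unicode Table 3-7) and rejects overlong forms, UTF-16 surrogates, code points above U+10FFFF, stray continuation bytes and truncated sequences. It makes no claim about which of these shapes the Boost decoder mishandled; the sample inputs in `main` are constructed for illustration.

```cpp
// Strict UTF-8 validation (RFC 3629 / Unicode Table 3-7), written as an
// added, stand-alone example; it is not Boost.Locale code.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

namespace {

bool in_range(unsigned char b, unsigned char lo, unsigned char hi) {
    return b >= lo && b <= hi;
}

// Length (1..4) of the well-formed sequence that starts at in[pos], or 0 if
// the bytes there do not form one. Overlong forms, UTF-16 surrogates,
// code points above U+10FFFF, stray continuation bytes and truncated
// sequences are rejected by table lookup, before any decoding happens.
std::size_t well_formed_length(const std::string& in, std::size_t pos) {
    const std::size_t n = in.size();
    const unsigned char b0 = static_cast<unsigned char>(in[pos]);
    if (b0 <= 0x7F) return 1;

    std::size_t len = 0;
    unsigned char lo = 0x80, hi = 0xBF;      // permitted range of the second byte
    if (in_range(b0, 0xC2, 0xDF))       { len = 2; }
    else if (b0 == 0xE0)                { len = 3; lo = 0xA0; }  // E0 80..9F would be overlong
    else if (in_range(b0, 0xE1, 0xEC))  { len = 3; }
    else if (b0 == 0xED)                { len = 3; hi = 0x9F; }  // ED A0..BF encodes D800..DFFF
    else if (in_range(b0, 0xEE, 0xEF))  { len = 3; }
    else if (b0 == 0xF0)                { len = 4; lo = 0x90; }  // F0 80..8F would be overlong
    else if (in_range(b0, 0xF1, 0xF3))  { len = 4; }
    else if (b0 == 0xF4)                { len = 4; hi = 0x8F; }  // F4 90..BF exceeds U+10FFFF
    else return 0;  // 80..BF (stray continuation), C0/C1 (overlong), F5..FF (never valid)

    if (n - pos < len) return 0;                                      // truncated
    if (!in_range(static_cast<unsigned char>(in[pos + 1]), lo, hi)) return 0;
    for (std::size_t i = 2; i < len; ++i)
        if (!in_range(static_cast<unsigned char>(in[pos + i]), 0x80, 0xBF)) return 0;
    return len;
}

} // namespace

// Offset of the first malformed byte, or std::string::npos if every
// sequence in the buffer is well formed.
std::size_t find_first_malformed(const std::string& in) {
    std::size_t pos = 0;
    while (pos < in.size()) {
        const std::size_t len = well_formed_length(in, pos);
        if (len == 0) return pos;
        pos += len;
    }
    return std::string::npos;
}

bool is_well_formed_utf8(const std::string& in) {
    return find_first_malformed(in) == std::string::npos;
}

// Decodes `in` into code points only after the whole buffer has passed
// validation; returns false and leaves `out` untouched otherwise, so a caller
// can never act on a partially decoded buffer.
bool decode_utf8_strict(const std::string& in, std::vector<char32_t>& out) {
    if (!is_well_formed_utf8(in)) return false;
    std::vector<char32_t> cps;
    for (std::size_t pos = 0; pos < in.size();) {
        const std::size_t len = well_formed_length(in, pos);
        const unsigned char b0 = static_cast<unsigned char>(in[pos]);
        char32_t cp;
        if (len == 1)      cp = b0;
        else if (len == 2) cp = b0 & 0x1F;
        else if (len == 3) cp = b0 & 0x0F;
        else               cp = b0 & 0x07;
        for (std::size_t i = 1; i < len; ++i)
            cp = (cp << 6) | (static_cast<unsigned char>(in[pos + i]) & 0x3F);
        cps.push_back(cp);
        pos += len;
    }
    out.swap(cps);
    return true;
}

// Code point of a one-character input, or 0xFFFFFFFF if the input is not
// exactly one well-formed sequence. Convenient for table-driven checks.
char32_t single_code_point(const std::string& in) {
    std::vector<char32_t> cps;
    if (!decode_utf8_strict(in, cps) || cps.size() != 1) return 0xFFFFFFFF;
    return cps[0];
}

int main() {
    // Constructed inputs: one well-formed string followed by the classic
    // malformed shapes (overlong, surrogate, out of range, truncated, stray).
    const char* samples[] = { "caf\xC3\xA9", "\xC0\xAF", "\xED\xA0\x80",
                              "\xF4\x90\x80\x80", "\xE2\x82", "\x80" };
    for (const char* s : samples) {
        const std::size_t bad = find_first_malformed(s);
        if (bad == std::string::npos) std::cout << "well-formed\n";
        else std::cout << "malformed at byte " << bad << "\n";
    }
    return 0;
}
```

The design point is that validation is table-driven on the raw bytes and runs before decoding, and the decoder refuses to return anything for a buffer that fails. A decoder that computes a code point first and checks it afterwards is the shape that tends to let overlong or out-of-range forms slip through, which is exactly the kind of disagreement between validator and consumer this advisory warns about.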