tags 677197 + patch tags 677197 + pending thanks Dear maintainer,
I've prepared an NMU for boost1.49 (versioned as 1.49.0-3.1) and uploaded it to DELAYED/02. Please feel free to tell me if I should delay it longer. Cheers Luk
diff -Nru boost1.49-1.49.0/debian/changelog boost1.49-1.49.0/debian/changelog
--- boost1.49-1.49.0/debian/changelog 2012-05-05 07:31:50.000000000 +0200
+++ boost1.49-1.49.0/debian/changelog 2012-06-23 08:43:10.000000000 +0200
@@ -1,3 +1,11 @@
+boost1.49 (1.49.0-3.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2012-2677_trac-78326.patch: Fixes buffer overflow
+ Closes: #677197
+
+ -- Luk Claes <l...@debian.org> Sat, 23 Jun 2012 08:41:48 +0200
+
 boost1.49 (1.49.0-3) unstable; urgency=low
 
 * gcc4.7_trac-6790.patch:
diff -Nru boost1.49-1.49.0/debian/patches/CVE-2012-2677_trac-78326.patch boost1.49-1.49.0/debian/patches/CVE-2012-2677_trac-78326.patch
--- boost1.49-1.49.0/debian/patches/CVE-2012-2677_trac-78326.patch 1970-01-01 01:00:00.000000000 +0100
+++ boost1.49-1.49.0/debian/patches/CVE-2012-2677_trac-78326.patch 2012-06-23 09:04:20.000000000 +0200
@@ -0,0 +1,122 @@
+Index: boost/pool/pool.hpp
+===================================================================
+--- a/boost/pool/pool.hpp (revision 78317)
++++ b/boost/pool/pool.hpp (revision 78326)
+@@ -27,4 +27,6 @@
+ #include <boost/pool/poolfwd.hpp>
+ 
++// std::numeric_limits
++#include <boost/limits.hpp>
+ // boost::math::static_lcm
+ #include <boost/math/common_factor_ct.hpp>
+@@ -358,4 +360,13 @@
+ }
+ 
++ size_type max_chunks() const
++ { //! Calculated maximum number of memory chunks that can be allocated in a single call by this Pool.
++ size_type partition_size = alloc_size();
++ size_type POD_size = math::static_lcm<sizeof(size_type), sizeof(void *)>::value + sizeof(size_type);
++ size_type max_chunks = (std::numeric_limits<size_type>::max() - POD_size) / alloc_size();
++
++ return max_chunks;
++ }
++
+ static void * & nextof(void * const ptr)
+ { //! \returns Pointer dereferenced.
+@@ -377,5 +388,7 @@
+ //! the first time that object needs to allocate system memory.
+ //! The default is 32. This parameter may not be 0.
+- //! \param nmax_size is the maximum number of chunks to allocate in one block.
++ //! \param nmax_size is the maximum number of chunks to allocate in one block.
++ set_next_size(nnext_size);
++ set_max_size(nmax_size);
+ }
+ 
+@@ -400,7 +413,7 @@
+ }
+ void set_next_size(const size_type nnext_size)
+- { //! Set number of chunks to request from the system the next time that object needs to allocate system memory. This value should never be set to 0.
+- //! \returns nnext_size.
+- next_size = start_size = nnext_size;
++ { //! Set number of chunks to request from the system the next time that object needs to allocate system memory. This value should never be set to 0.
++ BOOST_USING_STD_MIN();
++ next_size = start_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nnext_size, max_chunks());
+ }
+ size_type get_max_size() const
+@@ -410,5 +423,6 @@
+ void set_max_size(const size_type nmax_size)
+ { //! Set max_size.
+- max_size = nmax_size;
++ BOOST_USING_STD_MIN();
++ max_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nmax_size, max_chunks());
+ }
+ size_type get_requested_size() const
+@@ -713,7 +727,7 @@
+ BOOST_USING_STD_MIN();
+ if(!max_size)
+- next_size <<= 1;
++ set_next_size(next_size << 1);
+ else if( next_size*partition_size/requested_size < max_size)
+- next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
++ set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
+ 
+ // initialize it,
+@@ -753,7 +767,7 @@
+ BOOST_USING_STD_MIN();
+ if(!max_size)
+- next_size <<= 1;
++ set_next_size(next_size << 1);
+ else if( next_size*partition_size/requested_size < max_size)
+- next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
++ set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
+ 
+ // initialize it,
+@@ -797,4 +811,6 @@
+ //! \returns Address of chunk n if allocated ok.
+ //! \returns 0 if not enough memory for n chunks.
++ if (n > max_chunks())
++ return 0;
+ 
+ const size_type partition_size = alloc_size();
+@@ -845,7 +861,7 @@
+ BOOST_USING_STD_MIN();
+ if(!max_size)
+- next_size <<= 1;
++ set_next_size(next_size << 1);
+ else if( next_size*partition_size/requested_size < max_size)
+- next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
++ set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
+ 
+ // insert it into the list,
+Index: libs/pool/test/test_bug_6701.cpp
+===================================================================
+--- a/libs/pool/test/test_bug_6701.cpp (revision 78326)
++++ b/libs/pool/test/test_bug_6701.cpp (revision 78326)
+@@ -0,0 +1,27 @@
++/* Copyright (C) 2012 Ãtienne Dupuis
++*
++* Use, modification and distribution is subject to the
++* Boost Software License, Version 1.0. (See accompanying
++* file LICENSE_1_0.txt or http://www.boost.org/LICENSE_1_0.txt)
++*/
++
++// Test of bug #6701 (https://svn.boost.org/trac/boost/ticket/6701)
++
++#include <boost/pool/object_pool.hpp>
++#include <boost/limits.hpp>
++
++int main()
++{
++ boost::pool<> p(1024, std::numeric_limits<size_t>::max() / 768);
++
++ void *x = p.malloc();
++ BOOST_ASSERT(!x);
++
++ BOOST_ASSERT(std::numeric_limits<size_t>::max() / 1024 >= p.get_next_size());
++ BOOST_ASSERT(std::numeric_limits<size_t>::max() / 1024 >= p.get_max_size());
++
++ void *y = p.ordered_malloc(std::numeric_limits<size_t>::max() / 768);
++ BOOST_ASSERT(!y);
++
++ return 0;
++}
diff -Nru boost1.49-1.49.0/debian/patches/series boost1.49-1.49.0/debian/patches/series
--- boost1.49-1.49.0/debian/patches/series 2012-05-05 05:17:55.000000000 +0200
+++ boost1.49-1.49.0/debian/patches/series 2012-06-23 08:41:42.000000000 +0200
@@ -10,3 +10,4 @@
 gcc4.7_trac-76970.patch
 gcc4.7_trac-6431.patch
 gcc4.7_trac-6331.patch
+CVE-2012-2677_trac-78326.patch
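Review bot: The three growth sites in pool.hpp (inner hunks at -713, -753 and -845) now call `set_next_size(next_size << 1)`, but `set_next_size` assigns `next_size = start_size = ...`, so every growth also overwrites `start_size`, which the old `next_size <<= 1` never touched. If `start_size` is the value the pool falls back to when it releases its memory (not visible here; the enclosing functions start and end outside these hunks), the pool would no longer return to its configured initial size after growing. Clamping in place keeps the overflow bound without that side effect: `next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_chunks());` in the `!max_size` branch, while the `else` branch appears already bounded because `max_size` is clamped in `set_max_size`. Separately, `max_chunks()` declares `partition_size` and then calls `alloc_size()` again, leaving the local unused, and the new test relies on `BOOST_ASSERT`, which checks nothing when the test is built with NDEBUG.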