On 18/04/2024 07:52, kamallochan Jena via Boost-users wrote:
Hello everyone, hope you all are doing well.
There is a vulnerability reported on the Boost library as mentioned below. Any guidance, assistance or reply to this mail would be greatly appreciated.
*Vulnerability ID:* BDSA-2018-2656
*Vulnerability Details:* Boost has a flaw in the function boost::re_detail_NUMBER::basic_regex_creator which can lead to a buffer over-read. An attacker can craft and send a malicious file which will trigger the buffer over-read, leading to a denial-of-service.
A few queries w.r.t. the boost::re_detail_NUMBER::basic_regex_creator() function:
1. Does the Boost.Regex library or any Boost library internally use this function?
Yes, of course.
2. If the answer is yes, which libraries use this function?
No idea.
3. Is this a known vulnerability and is it fixed in the latest Boost version? Please provide some insights like (any change list or file name etc.).
If you follow the links to https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6708 you'll see it marked as fixed back in 2018.
John.