Hello, On Wed, Aug 12, 2009 at 3:24 PM, Christian Eckstein <halserbe@gmail.com>wrote:
Hi,
I need to know the impact of the following security bulletin on Boost: Microsoft Security Bulletin MS09-03: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706).
I found usage of ATL only in the range and regex libraries and it seems that only string and array classes are used. None of the problematic methods seem to be used that are described in the checklist at http://msdn.microsoft.com/en-us/visualc/ee309358.aspx.
- No class implements IUnknown so there is no ActiveX control. - No PROP_* macros are used - VT_* is not used - ReadFromStream is not used
I think no modification of Boost and no recompilation of the Boost binaries is needed. I would be very happy if somebody could confirm this.
Boost.Range only provides adaptors to work with ATL classes that can be adapted to ranges. This is all done as a header-only library hence if one is not adapting ATL, one does not have an ATL dependency. I can also confirm that even if you were to use 100% code path coverage of the Boost.Range code that you would be free from the security issues in your referenced article.
Kind regards, Christian _______________________________________________
Regards, Neil Groves