
On 1/4/2013 6:28 AM, Artyom Beilis wrote:
From: Andrey Semashev <andrey.semashev@gmail.com>
On Friday 04 January 2013 06:15:27 Artyom Beilis wrote:
Hello,
The Boost.Locale library in Boost 1.48 to 1.52 inclusive has a security flaw.
boost::locale::utf::utf_traits accepted some invalid UTF-8 sequences.
Applications that used these functions for UTF-8 input validation could expose themselves to security threats, as an invalid UTF-8 sequence would be considered valid.
This bug is fixed in upcoming Boost 1.53.
For more details see: https://svn.boost.org/trac/boost/ticket/7743
Users who can't upgrade to the latest versions may apply the following patch to fix the problem.
Perhaps, this should be announced in 1.53 release notes?
It is in release notes quoting:
Locale:
* Security related bug fix, some invalid UTF-8 sequences were accepted as valid #7743

Also maybe it needs to be more
Release managers, maybe we need to make it bolder?
Yes, I think this warrants a bolder announcement, like the one we did last release for the potentially breaking result_of change. Here I'm thinking of the red warning on the front page, not necessarily a separate page describing the issue. The red warning could simply link directly to the 1.53 release notes. Daniel, thoughts?

--
Eric Niebler
BoostPro Computing
http://www.boostpro.com
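
Added example, not part of the thread and not Boost.Locale code: a strict UTF-8 well-formedness check (RFC 3629 rules) together with a small regression table that can be run against any validator an application relies on. The thread does not say which sequences ticket #7743 covers, so the samples are constructed and cover the standard classes of ill-formed input; `is_valid_utf8`, `Sample`, `kSamples` and `count_mismatches` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Strict UTF-8 check per RFC 3629: true only if every byte is part of a
// well-formed, shortest-form sequence encoding U+0000..U+10FFFF (no surrogates).
bool is_valid_utf8(const std::string& s) {
    const unsigned char* p = reinterpret_cast<const unsigned char*>(s.data());
    std::size_t i = 0, n = s.size();
    while (i < n) {
        unsigned char b = p[i];
        std::size_t len;        // total bytes in this sequence
        std::uint32_t cp, lo;   // decoded code point, minimum allowed for len
        if (b < 0x80)                { i += 1; continue; }
        else if ((b & 0xE0) == 0xC0) { len = 2; cp = b & 0x1F; lo = 0x80; }
        else if ((b & 0xF0) == 0xE0) { len = 3; cp = b & 0x0F; lo = 0x800; }
        else if ((b & 0xF8) == 0xF0) { len = 4; cp = b & 0x07; lo = 0x10000; }
        else return false;                         // stray continuation or 0xF8..0xFF
        if (n - i < len) return false;             // truncated sequence
        for (std::size_t k = 1; k < len; ++k) {
            unsigned char c = p[i + k];
            if ((c & 0xC0) != 0x80) return false;  // not a continuation byte
            cp = (cp << 6) | (c & 0x3F);
        }
        if (cp < lo) return false;                      // overlong encoding
        if (cp >= 0xD800 && cp <= 0xDFFF) return false; // UTF-16 surrogate
        if (cp > 0x10FFFF) return false;                // beyond Unicode range
        i += len;
    }
    return true;
}

// Constructed samples (not taken from the ticket): bytes, length, expected verdict.
struct Sample { const char* bytes; std::size_t len; bool valid; };
static const Sample kSamples[] = {
    {"\xC3\xA9", 2, true},           // U+00E9
    {"\xF0\x9F\x98\x80", 4, true},   // U+1F600
    {"\xC0\xAF", 2, false},          // overlong 2-byte encoding of '/'
    {"\xE0\x80\xAF", 3, false},      // overlong 3-byte encoding of '/'
    {"\xED\xA0\x80", 3, false},      // surrogate U+D800
    {"\xF4\x90\x80\x80", 4, false},  // U+110000, above the Unicode range
    {"\xE2\x82", 2, false},          // truncated 3-byte sequence
    {"\x80", 1, false},              // stray continuation byte
};

// Number of samples on which `validate` disagrees with the expected verdict.
template <class F> int count_mismatches(F validate) {
    int bad = 0;
    for (const Sample& s : kSamples)
        if (validate(std::string(s.bytes, s.len)) != s.valid) ++bad;
    return bad;
}
```

Passing the application's own validation routine to `count_mismatches` gives a quick check of whether it still accepts any of these ill-formed classes.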