Boost.Graph security issues
Dear Boost community,

I've recently received a few security issue notifications from both the Google Chrome fuzzer project and Shielder (part of an OSTIF project), and basically I'm not sure how much to worry about them. I don't have time to fix them (but I can review and merge fixes), and I don't know how to draw attention to the need to fix them without publicizing the issues (which are still not published). It all depends on how many people actually are exposed via Boost.Graph and to what severity, right? I have no idea, but my gut tells me not many, as most Boost.Graph users I hear about are just using it internally, not exposing the interfaces to input from the Internet. But I'm not a security expert, that's why I'm asking you. What should I do?

Thanks, cheers.
Jeremy
Fix them now. Security issues are ones you fix immediately. I assume the situation comes from some improper external file handling that can lead to potential exploits. If you can't, try to work with the projects that reported them on fixing.

I had several urgent fixes, one in Boost.Locale due to improper UTF-8 handling. It was actually taken very seriously and patched back to many distros.

Artyom

On Sat, Apr 13, 2024 at 9:59 AM Jeremy Murphy via Boost <boost@lists.boost.org> wrote:
What should I do?
Not sure if you didn't read my email carefully or I didn't explain it well,
but I don't have time to fix them, I'm asking for advice on how to balance
requesting help from the community to fix them with not divulging the
issues to the public.
The least cautious course of action might be: open bug reports for all the
security issues and explicitly mention them on this list.
The more cautious course of action would be to have a private discussion
with members of the community to resolve the issues without any public
discussion.
On that note, I guess I'll just start off cautious: if you have time to fix
some bugs and have at least some standing in the community so that I know
that you're not a bad actor, please contact me.
Thanks, cheers.
Jeremy
Maybe the question I should be asking is, is there a private Boost mailing
list exactly for dealing with security issues before they're made public?
If so, I need to get on it!
I'm curious. I have a fair bit of experience with Boost Graph[1]. I might have a look. At least as a triage step?

Let me know if I can still be of assistance,
Seth

[1] https://stackoverflow.com/search?q=user%3A85371+boost+graph
Thanks, Seth, I'll email you directly soon.