CVE-2008-0172

Summary

CVE	CVE-2008-0172
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2008-01-17 23:00:00 UTC
Updated	2018-10-15 21:58:00 UTC
Description	The get_repeat_type function in basic_regex_creator.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (NULL dereference and crash) via an invalid regular expression.

Risk And Classification

Problem Types: CWE-20

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Boost	Boost	1.33	All	All	All
Application	Boost	Boost	1.34	All	All	All
Application	Boost	Boost	1.33	All	All	All
Application	Boost	Boost	1.34	All	All	All
Operating System	Ubuntu	Ubuntu Linux	6.06_lts	All	All	All
Operating System	Ubuntu	Ubuntu Linux	6.10	All	All	All
Operating System	Ubuntu	Ubuntu Linux	7.04	All	All	All
Operating System	Ubuntu	Ubuntu Linux	7.10	All	All	All
Operating System	Ubuntu	Ubuntu Linux	6.06_lts	All	All	All
Operating System	Ubuntu	Ubuntu Linux	6.10	All	All	All
Operating System	Ubuntu	Ubuntu Linux	7.04	All	All	All
Operating System	Ubuntu	Ubuntu Linux	7.10	All	All	All

References

Reference	Source	Link	Tags
Gentoo update for boost - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
Changeset 42674 – Boost C++ Libraries	CONFIRM	svn.boost.org
USN-570-1: boost vulnerabilities \| Ubuntu	UBUNTU	www.ubuntu.com
Ubuntu update for boost - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
SUSE Update for Multiple Packages - Advisories - Secunia	SECUNIA	secunia.com
Fedora update for boost - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
Boost Regular Expressions Denial of Service Vulnerabilities - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
SecurityFocus	BUGTRAQ	www.securityfocus.com
wiki.rpath.com/Advisories:rPSA-2008-0063	CONFIRM	wiki.rpath.com
Boost Library Regular Expression Remote Denial of Service Vulnerabilities	BID	www.securityfocus.com
rPath update for boost - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
Changeset 42745 – Boost C++ Libraries	CONFIRM	svn.boost.org
Webmail - OVH	VUPEN	www.vupen.com
[SECURITY] Fedora 7 Update: boost-1.33.1-15.fc7	FEDORA	www.redhat.com
[security-announce] SUSE Security Summary Report SUSE-SR:2008:006	SUSE	lists.opensuse.org
Gentoo Bug 205955 - dev-libs/boost < 1.34.1-r2 Two DoS vulnerabilities (CVE-2008-{0171,0172})	CONFIRM	bugs.gentoo.org
Boost: Denial of Service — Gentoo Linux Documentation	GENTOO	www.gentoo.org
Advisories \| Mandriva	MANDRIVA	www.mandriva.com
Security Advisory SA48099 - Red Hat update for boost - Secunia	SECUNIA	secunia.com
issues.rpath.com/browse/RPL-2143	CONFIRM	issues.rpath.com
Mandriva update for boost - Secunia Advisories - Vulnerability Intelligence - Secunia.com	SECUNIA	secunia.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Organization	Published	Contributor	Statement
Red Hat	2008-05-12	Mark J Cox	This issue did not affect the version of boost as shipped with Red Hat Enterprise Linux 4. For Red Hat Enterprise Linux 5, Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-0172 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.

There are currently no legacy QID mappings associated with this CVE.