Description
Question
Hi
We conducted a software composition analysis scan with Black Duck Hub and found the following:
(1) BDSA-2018-2656
Boost has a flaw in the function boost::re_detail_NUMBER::basic_regex_creator which can lead to a buffer over-read. An attacker can craft and send a malicious file which will trigger the buffer over-read, leading to a denial-of-service.
The vulnerability can be exploited by local attackers via import of a maliciously crafted file or by remote attackers that send the file to a victim. The Boost software will crash when the file is imported into the library.
Details:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6708
(2) BDSA-2018-1263
Boost incorrectly casts from "boost::detail::shared_count::shared_count" to "boost::detail::sp_counted_base" causing type confusion leading to a denial-of-service (DoS).
Details:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4680
Please advise if the following has a patch.