boost-for-react-native

Vulnerability: Denial of Service

Open souless94 opened this issue 5 years ago • 0 comments

Question

Hi, we conducted a software composition analysis scan with Black Duck Hub and we found the following:

(1) BDSA-2018-2656

Boost has a flaw in the function boost::re_detail_NUMBER::basic_regex_creator which can lead to a buffer over-read. An attacker can craft and send a malicious file which will trigger the buffer over-read, leading to a denial-of-service.

The vulnerability can be exploited by local attackers via import of a maliciously crafted file or by remote attackers that send the file to a victim. The Boost software will crash when the file is imported into the library. Details: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6708


(2) BDSA-2018-1263

Boost incorrectly casts from "boost::detail::shared_count::shared_count" to "boost::detail::sp_counted_base" causing type confusion leading to a denial-of-service (DoS). Details: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4680

Please advise if the following has a patch.

souless94 Feb 27 '20 01:02