Update version of Boost?

Colin

Jul 10, 2012, 6:57:18 PM
to firebre...@googlegroups.com
Seems that boost 1.46.1 has the following potential buffer overflow vulnerability:

Integer overflows in ordered_malloc() Boost pool. Also see bug #6701 in the changeset. This vulnerability is currently fixed in the Boost SVN repository.

More info: https://svn.boost.org/trac/boost/changeset/78326


Any plans to pick up this fix for firebreath-boost? Large companies don't like their products to be using libraries which contain buffer overflow vulnerabilities :-(
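
The bug class named in the post above (an integer overflow in a size computation, which yields a too-small allocation and then a buffer overflow), shown as an added example that is not part of the thread and not Boost's code. `bytes_unchecked` and `bytes_checked` are hypothetical helpers for the kind of calculation a pool allocator performs when asked for n contiguous objects, and the inputs are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>

// Hypothetical helper, not Boost's code: bytes a pool would request for
// n objects of obj_size bytes, rounded up to a multiple of align.
// Unchecked: both the multiply and the round-up can wrap around.
std::size_t bytes_unchecked(std::size_t n, std::size_t obj_size, std::size_t align) {
    std::size_t total = n * obj_size;              // wraps modulo 2^N
    return (total + align - 1) / align * align;    // may wrap again
}

// Checked: refuses any request whose true size does not fit in size_t,
// returning false instead of a too-small size.
bool bytes_checked(std::size_t n, std::size_t obj_size, std::size_t align,
                   std::size_t* out) {
    const std::size_t max = std::numeric_limits<std::size_t>::max();
    if (obj_size == 0 || align == 0) return false;
    if (n > max / obj_size) return false;          // n * obj_size would wrap
    std::size_t total = n * obj_size;
    if (total > max - (align - 1)) return false;   // round-up would wrap
    *out = (total + align - 1) / align * align;
    return true;
}

int main() {
    const std::size_t max = std::numeric_limits<std::size_t>::max();
    // Constructed input: a count chosen so that n * 16 wraps around to 16.
    const std::size_t n = max / 16 + 2;
    std::size_t out = 0;
    std::printf("unchecked: %zu bytes for %zu objects\n",
                bytes_unchecked(n, 16, 8), n);
    std::printf("checked accepts oversized request: %d\n",
                bytes_checked(n, 16, 8, &out));
    std::printf("checked, n=100: %d -> %zu bytes\n",
                bytes_checked(100, 24, 16, &out), out);
    return 0;
}
```

A caller that trusts the unchecked result gets a 16-byte block while believing it holds n objects; the checked form rejects the request before any allocation happens.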

Richard Bateman

Jul 10, 2012, 7:08:49 PM
to firebre...@googlegroups.com

This is the first I've heard about an actual vulnerability in the version of boost currently packaged with FireBreath. I will update it as soon as I have the chance; that may not be this week. It's been on my to-do list for a while.

In the meantime you have the following options to satisfy the management of whichever large company you're concerned about:

1) Update it yourself and send me a pull request
2) Use your own boost installation and the WITH_SYSTEM_BOOST option (for details look on the firebreath website, search for prep scripts)
3) Don't use boost pool

Hope that helps!

Richard

Colin Blake

Jul 10, 2012, 7:21:43 PM
to firebre...@googlegroups.com
Super fast response, Richard, as usual.

If you'll be updating firebreath-boost sometime in the next couple of weeks I'll just wait for that.

Thanks for all your hard work on FireBreath.

Colin.