Boost C++ Libraries: Ticket #5834: once.cpp: call_once: suffers from lack of uniqueness and synchronization handle manipulations
https://svn.boost.org/trac10/ticket/5834

<p> call_once attempts to form a unique mutex name by concatenating 2AC1A572DB6944B0A65C38C4140AF2F4 with the PID. </p>
<p> As Wagner and Goldberg taught us, PIDs are a useless source of entropy (or part thereof). See <a class="ext-link" href="http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html">http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html</a>. </p>
<p> An attacker using Win32 can manipulate synchronization objects by (1) squatting the name 'a priori', (2) creating a different type of object using the same name, and (3) creating the expected object but with lesser permissions than the program expects (i.e., remove the ability to 'wait' on the mutex). See <a class="ext-link" href="http://www.softwareintegrity.com/Documents/Old-Dogs-and-New-Tricks.pdf">http://www.softwareintegrity.com/Documents/Old-Dogs-and-New-Tricks.pdf</a>. </p>
<p> In addition, two different routines within the same program, each expecting to be 'run once', will suffer contention. </p>

Jeffrey Walton <noloader@…>, Wed, 31 Aug 2011 00:40:55 GMT: component changed; owner set
https://svn.boost.org/trac10/ticket/5834#comment:1
<ul>
<li><strong>owner</strong> set to <span class="trac-author">Anthony Williams</span> </li>
<li><strong>component</strong> <span class="trac-field-old">None</span> → <span class="trac-field-new">thread</span> </li>
</ul>

viboes, Fri, 02 Dec 2011 23:31:52 GMT
https://svn.boost.org/trac10/ticket/5834#comment:2
<p> Do you have any suggestion to improve the current state? </p>

viboes, Fri, 02 Dec 2011 23:32:03 GMT: cc set
https://svn.boost.org/trac10/ticket/5834#comment:3
<ul>
<li><strong>cc</strong> <span class="trac-author">viboes</span> added </li>
</ul>

viboes, Wed, 07 Dec 2011 01:12:10 GMT
https://svn.boost.org/trac10/ticket/5834#comment:4
<p> How is this related to <a class="closed ticket" href="https://svn.boost.org/trac10/ticket/5752" title="#5752: Bugs: boost::call_once() is unreliable on some platforms (closed: fixed)">#5752</a> boost::call_once() is unreliable on some platforms? </p>

viboes, Sat, 10 Dec 2011 15:17:54 GMT: owner, status, type changed
https://svn.boost.org/trac10/ticket/5834#comment:5
<ul>
<li><strong>owner</strong> changed from <span class="trac-author">Anthony Williams</span> to <span class="trac-author">viboes</span> </li>
<li><strong>status</strong> <span class="trac-field-old">new</span> → <span class="trac-field-new">assigned</span> </li>
<li><strong>type</strong> <span class="trac-field-old">Bugs</span> → <span class="trac-field-new">Support Requests</span> </li>
</ul>
<p> Could you point out where in the code this is happening? Moved to support request until clarified. </p>

viboes, Thu, 29 Dec 2011 10:41:13 GMT: status changed; resolution set
https://svn.boost.org/trac10/ticket/5834#comment:6
<ul>
<li><strong>status</strong> <span class="trac-field-old">assigned</span> → <span class="trac-field-new">closed</span> </li>
<li><strong>resolution</strong> → <span class="trac-field-new">invalid</span> </li>
</ul>
<p> Closed as it seems this doesn't correspond to the current Boost.Thread implementation. </p>