Bug 455200 (CVE-2012-6122) - <dev-scheme/chicken-4.8.0.3: multiple vulnerabilities (CVE-2012-{6122,6123,6124,6125})
Summary: <dev-scheme/chicken-4.8.0.3: multiple vulnerabilities (CVE-2012-{6122,6123,61...
Status: RESOLVED FIXED
Alias: CVE-2012-6122
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Reported: 2013-02-02 22:10 UTC by Agostino Sarubbo
Modified: 2013-09-11 09:56 UTC

Description Agostino Sarubbo gentoo-dev 2013-02-02 22:10:14 UTC
From $URL :

Recently a handful of security bugs have been found and fixed in the
Chicken Scheme compiler (http://www.call-cc.org).  We (the core team)
have decided we'd like to start using CVE identifiers for the benefit
of our users and distributions.

I'd like to request CVEs for the currently known security bugs:

* POSIX select() buffer overrun, fixed in Chicken 4.8.2 (development
snapshot) by switching to POSIX poll() on platforms where supported.
This is also fixed in 4.8.0.1 (stability release).

Original announcement, with workaround (followed by preliminary patch):
http://lists.nongnu.org/archive/html/chicken-users/2012-06/msg00031.html
Final patch:
http://lists.nongnu.org/archive/html/chicken-hackers/2012-11/msg00075.html

* Poisoned NUL byte injection due to incomplete protection by missing
checks in some procedures, fixed in Chicken 4.8.0:
http://lists.nongnu.org/archive/html/chicken-users/2012-09/msg00004.html

* Broken randomization procedure on 64-bit platforms (it returned a
constant value).  This function wasn't used for security purposes
(and is advertised as being unsuitable), so I'm unsure a CVE is needed:
http://lists.nongnu.org/archive/html/chicken-hackers/2012-02/msg00084.html
Fixed in 4.8.0.

* Vulnerability to algorithmic complexity attacks due to hash table
collisions.  Fixed in 4.8.0.
First public confirmation of the issue, with preliminary (broken) patch:
http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00002.html
Proper fix:
http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00020.html
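
Added example, not part of the original report or of Chicken's code: the first item above concerns select(). The general hazard with that call is that fd_set is a fixed bitmap of FD_SETSIZE bits, so FD_SET() on a larger descriptor writes outside it, whereas poll() takes the descriptor by value. The helper names below are hypothetical.

```c
#include <errno.h>
#include <poll.h>
#include <sys/select.h>
#include <unistd.h>

/* fd_set is a fixed bitmap of FD_SETSIZE bits: only 0..FD_SETSIZE-1 fit. */
int fd_fits_select(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* select() wait that refuses descriptors FD_SET() cannot represent.
 * Returns 1 = readable, 0 = timeout, -1 = error (EINVAL if out of range). */
int wait_readable_select(int fd, int timeout_ms) {
    fd_set rfds;
    struct timeval tv;
    int rc;
    if (!fd_fits_select(fd)) { errno = EINVAL; return -1; }
    do {  /* rebuild the arguments on retry: select() may modify them */
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        tv.tv_sec = timeout_ms / 1000;
        tv.tv_usec = (timeout_ms % 1000) * 1000;
        rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    } while (rc < 0 && errno == EINTR);
    return rc < 0 ? -1 : (rc > 0 && FD_ISSET(fd, &rfds));
}

/* poll() takes the descriptor by value, so FD_SETSIZE does not limit it. */
int wait_readable_poll(int fd, int timeout_ms) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int rc;
    do rc = poll(&p, 1, timeout_ms); while (rc < 0 && errno == EINTR);
    if (rc <= 0) return rc;
    if (p.revents & POLLNVAL) { errno = EBADF; return -1; }
    return (p.revents & (POLLIN | POLLHUP | POLLERR)) != 0;
}

/* Constructed demo: empty pipe, then one byte; 1 if both waiters agree. */
int demo_pipe(void) {
    int p[2], ok;
    if (pipe(p) != 0) return -1;
    ok = wait_readable_select(p[0], 0) == 0 && wait_readable_poll(p[0], 0) == 0;
    if (write(p[1], "x", 1) != 1) ok = 0;
    ok = ok && wait_readable_select(p[0], 100) == 1 && wait_readable_poll(p[0], 100) == 1;
    close(p[0]); close(p[1]);
    return ok;
}

int main(void) {
    return demo_pipe() == 1 && wait_readable_select(FD_SETSIZE, 0) == -1 ? 0 : 1;
}
```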
Comment 1 erik falor 2013-02-03 00:02:40 UTC
I have pushed an ebuild for dev-scheme/chicken-4.8.0.1 into the lisp overlay.
Comment 2 Panagiotis Christopoulos (RETIRED) gentoo-dev 2013-02-05 23:52:25 UTC
--- ChangeLog   2013-01-18 00:22:13.000000000 +0200
+++ ChangeLog.new       2013-02-06 01:50:34.000000000 +0200
@@ -2,6 +2,15 @@
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
 # $Header: /var/cvsroot/gentoo-x86/dev-scheme/chicken/ChangeLog,v 1.45 2013/01/17 22:22:13 pchrist Exp $
 
+*chicken-4.8.0.1 (05 Feb 2013)
+
+  05 Feb 2013; Panagiotis Christopoulos <pchrist@gentoo.org>
+  -chicken-4.8.0.ebuild, +chicken-4.8.0.1.ebuild,
+  +files/chicken-4.8.0.1-parallel-build.patch,
+  -files/chicken-4.8.0-parallel-build.patch:
+  Bump chicken to 4.8.0.1, fixes security issues addressed in bug #455200,
+  thanks to proxy-maintainer Erik Falor (fadein) ewfalor at gmail dot com
+
 *chicken-4.8.0 (17 Jan 2013)
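Review bot: The description line of the new entry ("fixes security issues addressed in bug #455200") does not say which issues the bump closes; listing the CVE identifiers there would let the ChangeLog be searched without opening the bug. Separately, the header reads "@@ -2,6 +2,15 @@" but only four context lines and nine added lines are shown, so the paste is cut off after the "*chicken-4.8.0 (17 Jan 2013)" line and will not apply as posted.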
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-24 16:45:59 UTC
(In reply to comment #2)

Thanks, Panagiotis. Is this ebuild ready for stabilization?
Comment 4 Panagiotis Christopoulos (RETIRED) gentoo-dev 2013-03-03 12:56:41 UTC
Let me do some tests on my stable x86 and amd64 chroots and I'll let you know.
Comment 5 Panagiotis Christopoulos (RETIRED) gentoo-dev 2013-04-08 21:21:10 UTC
Just pushed 4.8.0.3. As this is a security issue, go ahead and try to stabilize. In case of bugs, we'll fix them.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-08 23:25:51 UTC
(In reply to comment #5)
> Just pushed 4.8.0.3. As this is a security issue, go ahead and try to
> stabilize. In case of bugs, we'll fix them.

Thank you.

Arches, please test and mark stable.
Target KEYWORDS: "alpha amd64 ppc ppc64 x86"
Comment 7 Agostino Sarubbo gentoo-dev 2013-04-10 18:50:49 UTC
(In reply to comment #5)
> Just pushed 4.8.0.3. As this is a security issue, go ahead and try to
> stabilize. In case of bugs, we'll fix them.

Before stabilizing, did you look at bug 462458?
Comment 8 erik falor 2013-04-10 20:31:34 UTC
(In reply to comment #7)
> Before stabilizing, did you look at bug 462458?

That issue is not fixed in Chicken 4.8.0.3.  Though it is fixed in upstream's development branch, it has not yet been part of any stable release.  It is expected in version 4.9.0.
Comment 9 Agostino Sarubbo gentoo-dev 2013-04-10 20:33:17 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > Before stabilizing, did you look at bug 462458?
> 
> That issue is not fixed in Chicken 4.8.0.3.  Though it is fixed in
> upstream's development branch, it has not yet been part of any stable
> release.  It is expected in version 4.9.0.

Is there not a way to backport?
Comment 10 Panagiotis Christopoulos (RETIRED) gentoo-dev 2013-04-10 20:59:20 UTC
That's what we're planning to do.
Comment 11 Agostino Sarubbo gentoo-dev 2013-04-11 18:56:39 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-04-11 19:26:28 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-04-11 21:01:59 UTC
alpha stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-04-11 21:41:07 UTC
x86 stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-04-11 21:43:07 UTC
amd64 stable
Comment 16 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 03:57:27 UTC
GLSA vote: no
Comment 17 Sergey Popov gentoo-dev 2013-09-11 09:56:29 UTC
GLSA vote: no

Closing as noglsa