| Summary: |
<dev-scheme/chicken-4.13.0-r1: algorithmic complexity attack in hash tables |
| Product: |
Gentoo Security
|
Reporter: |
Agostino Sarubbo <ago> |
| Component: |
Vulnerabilities | Assignee: |
Gentoo Security <security> |
| Status: |
RESOLVED
FIXED
|
|
|
| Severity: |
minor
|
CC: |
ewfalor, maksbotan, proxy-maint, scheme
|
| Priority: |
Normal
|
Flags: |
stable-bot:
sanity-check+
|
| Version: |
unspecified | |
|
| Hardware: |
All | |
|
| OS: |
Linux | |
|
| URL: |
http://www.openwall.com/lists/oss-security/2017/07/17/3
|
| Whiteboard: |
B3 [noglsa cve] |
|
Package list:
|
dev-scheme/chicken-4.13.0-r1 alpha amd64 ppc ppc64 x86
|
Runtime testing required:
|
---
|
|---|
| Bug Depends on: |
|
|
|
| Bug Blocks: |
591378, 612910, 620320
|
|
|
From ${URL} : I just received the CVE-2017-11343 assignment for an issue in CHICKEN Scheme. An attacker is able to cause O(n) lookup for hash tables by predicting the buckets in which interned symbols will end up, due to a partially incorrect fix for CVE-2012-6125 where the randomization factor was determined before initializing the PRNG with a seed state. This issue affects only the Scheme symbol table, not user-created hash tables. All CHICKEN releases up to and including 4.12.0 are affected. More info: http://lists.nongnu.org/archive/html/chicken-announce/2017-07/msg00000.html @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.