| Summary: | <dev-scheme/chicken-4.10.0: "read-string!" Buffer Overflow Vulnerability (CVE-2013-4385) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | ewfalor, maksbotan, proxy-maint, scheme |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://secunia.com/advisories/55009/ | ||
| Whiteboard: | B2 [glsa cve] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 467966 | ||
| Bug Blocks: | |||
CVE-2013-4385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4385): Buffer overflow in the "read-string!" procedure in the "extras" unit in CHICKEN stable before 4.8.0.5 and development snapshots before 4.8.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a "#f" value in the NUM argument. I'm sorry for the long delay on this. I'm preparing an ebuild for the latest CHICKEN release, 4.10.0 which addresses this, and all open dev-scheme/chicken issues. I have submitted an updated ebuild for the latest version of CHICKEN to bug #467966 This issue was resolved and addressed in GLSA 201612-54 at https://security.gentoo.org/glsa/201612-54 by GLSA coordinator Thomas Deutschmann (whissi). |
From ${URL} : Description A vulnerability has been reported in CHICKEN, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error within the "read-string!" procedure in the "extras" unit when "#f" is passed as the buffer size and can be exploited to cause a buffer overflow. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in versions 4.8.0.4 and prior. Solution: Apply patch or update to version 4.8.0.5 when available. Provided and/or discovered by: Reported by the vendor. Original Advisory: CHICKEN Team: http://lists.nongnu.org/archive/html/chicken-announce/2013-09/msg00000.html @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.