Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 486350 (CVE-2013-4385)

Summary: <dev-scheme/chicken-4.10.0: "read-string!" Buffer Overflow Vulnerability (CVE-2013-4385)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: ewfalor, maksbotan, proxy-maint, scheme
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 467966    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2013-09-28 18:43:30 UTC
From ${URL} :


A vulnerability has been reported in CHICKEN, which can be exploited by malicious people to 
compromise a vulnerable system.

The vulnerability is caused due to an error within the "read-string!" procedure in the "extras" 
unit when "#f" is passed as the buffer size and can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions and prior.

Apply patch or update to version when available.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-10-16 01:28:44 UTC
CVE-2013-4385 (
  Buffer overflow in the "read-string!" procedure in the "extras" unit in
  CHICKEN stable before and development snapshots before 4.8.2 allows
  remote attackers to cause a denial of service (memory corruption and
  application crash) or execute arbitrary code via a "#f" value in the NUM
Comment 2 erik falor 2015-08-05 03:47:18 UTC
I'm sorry for the long delay on this. I'm preparing an ebuild for the latest CHICKEN release, 4.10.0 which addresses this, and all open dev-scheme/chicken issues.
Comment 3 erik falor 2015-08-08 22:56:20 UTC
I have submitted an updated ebuild for the latest version of CHICKEN to bug #467966
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-12-31 15:24:22 UTC
This issue was resolved and addressed in
 GLSA 201612-54 at
by GLSA coordinator Thomas Deutschmann (whissi).