Summary: | <dev-scheme/chicken-4.10.0: buffer overrun (CVE-2014-3776) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ewfalor, maksbotan, proxy-maint, scheme |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2014/05/18/3 | ||
Whiteboard: | B2 [glsa cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 467966 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2014-05-19 07:31:22 UTC
CHICKEN 4.9.0 and a possible 4.8.0.7 will include the fix, as will all development snapshots starting with 4.9.1. http://lists.gnu.org/archive/html/chicken-announce/2014-05/msg00001.html CVE-2014-3776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3776): Buffer overflow in the "read-u8vector!" procedure in the srfi-4 unit in CHICKEN stable 4.8.0.7 and development snapshots before 4.9.1 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via a "#f" value in the NUM argument. I'm sorry for the long delay on this. I'm preparing an ebuild for the latest CHICKEN release, 4.10.0 which addresses this, and all open dev-scheme/chicken issues. I have submitted an updated ebuild for the latest version of CHICKEN to bug #467966 This issue was resolved and addressed in GLSA 201612-54 at https://security.gentoo.org/glsa/201612-54 by GLSA coordinator Thomas Deutschmann (whissi). |