Bug 536448 (CVE-2014-9651)

Summary: <dev-scheme/chicken-4.10.0-r1: buffer overrun vulnerability in CHICKEN Scheme's substring-index[-ci] procedures (CVE-2014-9651)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ewfalor, maksbotan, proxy-maint, scheme
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2015/01/12/3
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-01-13 08:41:06 UTC
From ${URL} :

I would like to request a CVE for a buffer overrun vulnerability in
CHICKEN Scheme's substring-index[-ci] procedures. This overrun is only
triggered when an integer greater than zero is passed as the optional
START argument. As a work-around users are advised to switch to the
equivalent string-contains procedure from SRFI 13 which is also shipped
with CHICKEN.

All releases of CHICKEN up until 4.9.0.1 are affected.

The issue is fixed by the patch at
http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/txt2UqAS9CtvH.txt. This
fix will be included in the upcoming release versions 4.9.0.2, 4.9.1,
4.10.0, and 5.0.

The patch on the discussion list is
http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/msg00000.html
and it got applied as
http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=25db851b902606741b1a520bd7e4a3fbd12c9b2a
and
http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=63d0445ed379a43343cfcea7032a284cf7deca2b

For the official announcement, see
http://lists.nongnu.org/archive/html/chicken-users/2015-01/msg00048.html



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
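
The work-around named in the report above, sketched for CHICKEN 4.x as an added example (not part of the bug report, the patch, or CHICKEN's own code). The helper names `checked-start`, `safe-substring-index` and `safe-substring-index-ci` are hypothetical, and the sample string is constructed.

```scheme
;; Added example: route substring-index[-ci] calls through the SRFI 13
;; procedures on releases that do not yet carry the fix.
(use srfi-13)

;; Reject a START that is not a fixnum inside [0, length of WHERE], so a
;; bad offset fails with an error instead of reaching the search loop.
(define (checked-start who where start)
  (unless (and (fixnum? start) (<= 0 start (string-length where)))
    (error who "START out of range" start (string-length where)))
  start)

;; substring-index takes (WHICH WHERE [START]); string-contains takes
;; (WHERE WHICH [START ...]). The first two arguments are swapped, which
;; is the easy mistake when replacing call sites by hand.
(define (safe-substring-index which where #!optional (start 0))
  (string-contains where which
                   (checked-start 'safe-substring-index where start)))

(define (safe-substring-index-ci which where #!optional (start 0))
  (string-contains-ci where which
                      (checked-start 'safe-substring-index-ci where start)))

;; Constructed sample input, including the START > 0 case from the report.
(define haystack "GET /index.html HTTP/1.1")

(assert (= 4 (safe-substring-index "/" haystack)))
(assert (= 20 (safe-substring-index "/" haystack 5)))
(assert (not (safe-substring-index "http" haystack)))
(assert (= 16 (safe-substring-index-ci "http" haystack)))
;; START equal to the string length is valid and simply finds nothing.
(assert (not (safe-substring-index "1" haystack (string-length haystack))))
```

A START one past the string length, for example `(safe-substring-index "/" haystack 25)`, signals an error from `checked-start`.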
Comment 1 erik falor 2015-08-05 03:48:00 UTC
I'm sorry for the long delay on this. I'm preparing an ebuild for the latest CHICKEN release, 4.10.0, which addresses this and all open dev-scheme/chicken issues.
Comment 2 erik falor 2015-08-08 22:57:04 UTC
I have submitted an updated ebuild for the latest version of CHICKEN to bug #467966
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-12-31 15:24:38 UTC
This issue was resolved and addressed in GLSA 201612-54 at https://security.gentoo.org/glsa/201612-54 by GLSA coordinator Thomas Deutschmann (whissi).