Bug 467966 (CVE-2013-2024) - <dev-scheme/chicken-4.10.0-r1 : OS command injection vulnerability (CVE-2013-2024)
Summary: <dev-scheme/chicken-4.10.0-r1 : OS command injection vulnerability (CVE-2013-...
Status: RESOLVED FIXED
Alias: CVE-2013-2024
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: 476172
Blocks: CVE-2013-4385 CVE-2014-3776 529882 CVE-2015-4556
Reported: 2013-04-30 08:53 UTC by Agostino Sarubbo
Modified: 2016-12-31 15:24 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
ebuild for latest version CHICKEN (chicken-4.10.0.ebuild.tgz,2.10 KB, application/octet-stream)
2015-08-08 22:54 UTC, erik falor
style updated CHICKEN 4.10.0 ebuild (chicken-4.10.0.ebuild,1.75 KB, text/plain)
2015-09-16 03:41 UTC, erik falor
Further refined style per Ian Delaney (chicken-4.10.0.ebuild,1.80 KB, text/plain)
2015-09-21 14:52 UTC, erik falor
Refined per Ian's recommendations (chicken-4.10.0.ebuild,1.64 KB, text/plain)
2015-10-16 06:08 UTC, erik falor
Further refinements (chicken-4.10.0.ebuild,1.64 KB, text/plain)
2015-10-16 19:08 UTC, erik falor

Description Agostino Sarubbo gentoo-dev 2013-04-30 08:53:29 UTC
From ${URL} :

I'd like to request a CVE identifier for a bug in Chicken Scheme which
allows a malicious user to cause shell command execution through
injection of a pipe symbol and possibly other shell meta characters.

This bug is present in all versions of CHICKEN.  It will be fixed
in 4.8.3 and 4.8.2 as per commit 58684f69572453acc6fed7326fa9df39be98760e.
Version 4.9.0 will likely be the first stable release to include this
fix, unless it is decided to backport this fix to the stability release.

The full announcement is here:
http://lists.nongnu.org/archive/html/chicken-announce/2013-04/msg00000.html

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
Comment 1 erik falor 2013-04-30 21:53:02 UTC
According to upstream, this will be fixed in Chicken 4.9.0
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-07-03 21:59:48 UTC
Patch available at [1].

[1] http://lists.nongnu.org/archive/html/chicken-hackers/2013-04/msg00060.html
Comment 3 Michael Weber (RETIRED) gentoo-dev 2013-07-08 13:41:21 UTC
+*chicken-4.8.0.3-r1 (08 Jul 2013)
+
+  08 Jul 2013; Michael Weber <xmw@gentoo.org> +chicken-4.8.0.3-r1.ebuild,
+  +files/chicken-4.8.0.3-CVE-2013-1874.patch,
+  +files/chicken-4.8.0.3-CVE-2013-2024.patch,
+  +files/chicken-4.8.0.3-CVE-2013-2075_1.patch,
+  +files/chicken-4.8.0.3-CVE-2013-2075_2.patch:
+  Revbump to include security patches (bugs 462458, 469392, 467966)
+
Comment 4 erik falor 2015-08-05 03:46:29 UTC
I'm sorry for the long delay on this. I'm preparing an ebuild for the latest CHICKEN release, 4.10.0 which addresses this, and all open dev-scheme/chicken issues.
Comment 5 erik falor 2015-08-08 22:54:08 UTC
Created attachment 408582 [details]
ebuild for latest version CHICKEN

This issue has been fixed in CHICKEN 4.10.0. See attached ebuild.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 15:28:05 UTC
This bug is in glsa status, bug #552202 should be used for Chicken.
Comment 7 Ian Delaney (RETIRED) gentoo-dev 2015-08-13 02:58:39 UTC
(In reply to erik falor from comment #5)
> Created attachment 408582 [details]
> ebuild for latest version CHICKEN
> 
> This issue has been fixed in CHICKEN 4.10.0. See attached ebuild.

1. RDEPEND="emacs? ( virtual/emacs app-emacs/scheme-complete )"

While this 'works', by convention deps are listed one per line;

RDEPEND="emacs? ( virtual/emacs 
                  app-emacs/scheme-complete )"

2. if use "parallel-build"
Use of conditional patching often receives negative critique. Unless the patch breaks the normal build, just patch it. With eclass eutils you can utilise var PATCHES, prior to src_prepare.  It reduces from 4 lines to one.

3. You can also reduce lines 

      defaults.make rules.make \
      || die "sed failed"

to

      defaults.make rules.make || die

I wonder if the 10 Makefiles of the 2nd statement can be reduced Makefile.* 

Also the final two statements both edit the one file, defaults.make

sed "s,\$(PREFIX)/lib,\$(PREFIX)/$(get_libdir)," -i defaults.make || die "sed failed"
sed "s,\$(DATADIR)/doc,\$(SHAREDIR)/doc/${P}," -i defaults.make || die "sed failed"

Its more common form is to use '-e'

(1 tab space)  sed -e "s first statement" \
(2 tab spaces)        -e  "s second statement"
(2 tab spaces)        -i defaults.make

Functionally equivalent, one line longer; purely style.
Listing so many Makefiles over 2 sed statements invites use of a patch instead. 
All 4 statements address use of vars used by portage. A patch is cleaner and removes all syntax style issues.

The content I haven't runtested yet. I shall await an updated attachment.  Also such a tiny file doesn't require or warrant compression.
Comment 8 Ian Delaney (RETIRED) gentoo-dev 2015-09-13 16:30:08 UTC
In response to concern over Bug 552202

commit 2ba4fbcaa5f7a7983ab7d4fd3d13eb53c8d45d7a
Author: Ian Delaney <idella4@gentoo.org>
Date:   Mon Sep 14 00:23:34 2015 +0800

    dev-scheme/chicken: bump to 4.10.0
    
    ebuild and patch submitted by maintainer in sec bug #467966

No reply from maintainer at this point.

Note: Points of style in previous Comment not changed, they still 'work'.  I have removed some entries of "|| die" terminating helper funcs which would trigger qa violations. There may be others.  These points can be done later.
Comment 9 erik falor 2015-09-16 03:41:44 UTC
Created attachment 412012 [details]
style updated CHICKEN 4.10.0 ebuild

I have applied Ian's style suggestions to the ebuild.

I'm not confident enough in the whole parallel-build thing to force it upon all users by default. Insofar as it hasn't been merged in over 5 years, it seems that upstream doesn't trust it that well themselves. I will favor Gentoo best practices and simplicity instead.
Comment 10 Ian Delaney (RETIRED) gentoo-dev 2015-09-18 04:11:10 UTC
(In reply to erik falor from comment #9)
> Created attachment 412012 [details]
> 
> I'm not confident enough in the whole parallel-build thing to force it upon
> all users by default. Insofar as it hasn't been merged in over 5 years, it
> seems that upstream doesn't trust it that well themselves. I will favor
> Gentoo best practices and simplicity instead.

You're sure you wish to drop the use parallel-build and the patch?
In my local copy I've edited around line 27 to

        sed "s,A\(\s?=\|)\),chicken&," \
                -i Makefile.cross-linux-mingw defaults.make rules.make || die
        sed "s,ARCH,zARCH," \
                -i Makefile.* defaults.make rules.make || die

The line was very long, the above is a convention used in writing sed statements. It has the benefit of reducing long lines > 80 chars which is a length recommended in ebuilds. Sometimes exceeding that can't be avoided.

In your adjusted ebuild you left in, or re-introduced, instances of "|| die" to helper functions. e.g. LINKER_OPTIONS="${LDFLAGS}" install || die belongs to emake from the previous line, & dodoc NEWS || die.

Await reply to this before moving.
Comment 11 erik falor 2015-09-21 14:51:37 UTC
(In reply to Ian Delaney from comment #10)
> You're sure you wish to drop the use parallel-build and the patch?

Yes, I'm sure of it.

> In my local copy I've edited around line 27 to
> 
>         sed "s,A\(\s?=\|)\),chicken&," \
>                 -i Makefile.cross-linux-mingw defaults.make rules.make || die
>         sed "s,ARCH,zARCH," \
>                 -i Makefile.* defaults.make rules.make || die

I think that this is fine. I've applied it to the attached ebuild.

> In your adjusted ebuild you left in, re re-introduced, instances of "|| die"
> to helper functions. e.g. LINKER_OPTIONS="${LDFLAGS}" install || die belongs
> tpo emake from the previous line, & dodoc NEWS || die.

After more carefully reading
https://devmanual.gentoo.org/ebuild-writing/error-handling/index.html I now
understand what you mean. See the latest attachment.
Comment 12 erik falor 2015-09-21 14:52:34 UTC
Created attachment 412458 [details]
Further refined style per Ian Delaney
Comment 13 Ian Delaney (RETIRED) gentoo-dev 2015-09-22 14:30:42 UTC
(In reply to erik falor from comment #12)
> Created attachment 412458 [details]
> Further refined style per Ian Delaney

Some minor changes to accommodate doing a revbump which is now warranted considering the withdrawal of the use flag and the patch.  The doc site is not "${D}"/usr/share/doc/${P} 
but rather
"${D}"usr/share/doc/${PF} so making a revbump, the docs are split between
image/usr/share/doc/chicken-4.10.0  and
image/usr/share/doc/chicken-4.10.0-r1

1. The ebuild now has docs to have README.bz2, NEWS.bz2. So you need to set the var DOCS to capture them, either globally or with local in src_install().
2. The LICENSE is better removed early on in src_prepare than src_install.
3. The auto install of the docs is nasty. Similarly, rather than remove them after they're installed, we remove them in src_prepare, so simply shift it to src_prepare, however the folder in ${S} is called manual-html. So edit
rm -rf "${D}"usr/share/doc/${P}/manual to remove manual-html from ${S}
4. The install of the docs is then done within src_install with 'if use doc; then'
Use the helper func 'dodoc -r' which is the replacement to the defunct dohtml.

These are simple edits.  Install of docs and DOCS are fundamental steps and warrant these improvements. If removal of the pre-built docs under manual-html triggers error because they are hard coded and expected to be present, either leave as is or feel free to join the new channel in irc for further support. (See the project page of proxy-maintainers in the wiki)
Comment 14 erik falor 2015-10-16 06:08:46 UTC
Created attachment 414678 [details]
Refined per Ian's recommendations

Applied Ian's suggestions, tested with and without USE=doc.
Comment 15 Brendan Horan 2015-10-16 07:19:31 UTC
(In reply to erik falor from comment #14)
> Created attachment 414678 [details]
> Refined per Ian's recommendations
> 
> Applied Ian's suggestions, tested with and without USE=doc.

Tested the attached ebuild.
No issues during build or merge.
No errors reported.

Just a small side note, if you could name your attachments with the name of the ebuild it would make testing it a lot easier.  e.g. "chicken-4.10.0-r1.ebuild" or something like that.
Comment 16 Patrice Clement gentoo-dev 2015-10-16 07:46:58 UTC
DOCS should be an array and not a string as per https://github.com/gentoo/gentoo/blob/master/eclass/base.eclass#L27
Comment 17 Ian Delaney (RETIRED) gentoo-dev 2015-10-16 08:42:04 UTC
It still has:

-e "s,\$(DATADIR)/doc,\$(SHAREDIR)/doc/${P}," \
remember:

The doc site is not "${D}"/usr/share/doc/${P} 
but rather
"${D}"usr/share/doc/${PF} so making a revbump, the docs are split between
image/usr/share/doc/chicken-4.10.0  and
image/usr/share/doc/chicken-4.10.0-r1

also a bash array is now preferred over " "; so
DOCS=( NEWS README LICENSE )

timeout 3-5 days or I'll do the changes this end.
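Added here as an example, not code from the bug's attachments or from the Gentoo tree: a shell script that applies the sed edits discussed in comments 10 and 17 (the multi `-e` form, and the doc path under ${PF} rather than ${P}) to a constructed defaults.make and checks the result before a revbump. The P and PF values, the file contents, and the function names are assumptions; it needs GNU sed for `\s`, `\|` and `-i`.

```shell
#!/bin/sh
# Added example, not from this bug or the Gentoo tree. P and PF are the values
# a chicken-4.10.0-r1 ebuild would see; the file written by make_sample is a
# constructed stand-in for CHICKEN's defaults.make, not the real file.
P="chicken-4.10.0"
PF="chicken-4.10.0-r1"

make_sample() {
  cat > "$1" <<'EOF'
A ?= ar
ARCH ?= x86
LIBS = $(A)
DATADIR = $(PREFIX)/share
DOCDIR = $(DATADIR)/doc
EOF
}

# The substitutions from the thread as one sed call with several -e clauses:
# prefix the A and ARCH variables, and point the doc directory at ${PF} so a
# revbump does not split the docs between doc/${P} and doc/${PF}.
patch_defaults() {
  sed -e "s,A\(\s?=\|)\),chicken&," \
      -e "s,ARCH,zARCH," \
      -e "s,\$(DATADIR)/doc,\$(SHAREDIR)/doc/${PF}," \
      -i "$1" || return 1
}

# True when the doc path carries ${PF}, the point raised in comment 17.
docs_under_pf() {
  grep -q "doc/${PF}\$" "$1"
}

# Stand-alone run on a temporary copy of the sample file.
main() {
  tmp=$(mktemp -d)
  make_sample "$tmp/defaults.make"
  patch_defaults "$tmp/defaults.make"
  docs_under_pf "$tmp/defaults.make" && echo "docs go under ${PF}"
  cat "$tmp/defaults.make"
  rm -rf "$tmp"
}

main
```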
Comment 18 erik falor 2015-10-16 19:08:20 UTC
Created attachment 414732 [details]
Further refinements

DOCS is now an array.
sed now edits defaults.make to put the docs under ${PF} instead of ${P}
Comment 19 Ian Delaney (RETIRED) gentoo-dev 2015-10-17 00:49:51 UTC
commit 08db0a2d383e2e8e62259ef2ae6d42b0b3c30d09
Author: Ian Delaney <idella4@gentoo.org>
Date:   Sat Oct 17 08:46:28 2015 +0800

    dev-scheme/chicken: revbump
    
    drop use of parallel-build and the -parallel-build.patch by request
    of proxy maintainer via the gentoo bug, also many stylistic and qa
    improvements to the code of the ebuild
    
    Gentoo bug: #467966

Do you wish to have the chicken-4.10.0.ebuild and the corresponding patch dropped?
Comment 20 erik falor 2015-10-17 03:27:06 UTC
Yes, let's drop the patch and the 4.10.0 ebuild.  I would go even further and suggest  the 4.8.0.3 ebuild be dropped due to the open security concerns that are fixed in later releases. So doing will finally allow us to close this and a handful of other chicken bugs.
Comment 21 Ian Delaney (RETIRED) gentoo-dev 2015-10-17 07:43:14 UTC
commit a6495dbc02107746a4759d7ce81c706261f6e3a6
Author: Ian Delaney <idella4@gentoo.org>
Date:   Sat Oct 17 15:40:08 2015 +0800

    dev-scheme/chicken: clean affected version -4.10.0, patch
    
    Gentoo Security bug: #467966


Arch teams please make stable =dev-scheme/chicken-4.10.0-r1:
  
Target arches:    alpha amd64 ppc ppc64 x86
Comment 22 Tobias Klausmann gentoo-dev 2015-10-21 12:29:02 UTC
Stable on alpha.
Comment 23 Agostino Sarubbo gentoo-dev 2015-10-23 10:34:50 UTC
amd64 stable
Comment 24 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-11-01 13:11:15 UTC
x86 stable
Comment 25 Agostino Sarubbo gentoo-dev 2015-11-04 14:27:04 UTC
ppc stable
Comment 26 Agostino Sarubbo gentoo-dev 2015-11-13 09:48:41 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 27 Ian Delaney (RETIRED) gentoo-dev 2015-11-15 01:08:29 UTC
commit f8dfa3a9d8e9f2db504883fd9b62cf9732b3c9ed
Author: Ian Delaney <idella4@gentoo.org>
Date:   Sun Nov 15 09:01:26 2015 +0800

    dev-scheme/chicken: cleanup; rm vn. 4.10.0-r1 wrt the gentoo bug
    
    Gentoo bug: #467966
Comment 28 Yury German Gentoo Infrastructure gentoo-dev 2015-12-21 14:55:59 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 29 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-02-21 13:05:01 UTC
Still pending GLSA.
Comment 30 GLSAMaker/CVETool Bot gentoo-dev 2016-12-31 15:24:10 UTC
This issue was resolved and addressed in
 GLSA 201612-54 at https://security.gentoo.org/glsa/201612-54
by GLSA coordinator Thomas Deutschmann (whissi).