Bug 486350 (CVE-2013-4385) - <dev-scheme/chicken-4.10.0: "read-string!" Buffer Overflow Vulnerability (CVE-2013-4385)
Summary: <dev-scheme/chicken-4.10.0: "read-string!" Buffer Overflow Vulnerability (CVE...
Status: RESOLVED FIXED
Alias: CVE-2013-4385
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/55009/
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: CVE-2013-2024
Blocks:
Reported: 2013-09-28 18:43 UTC by Agostino Sarubbo
Modified: 2016-12-31 15:24 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2013-09-28 18:43:30 UTC
From ${URL} :

Description

A vulnerability has been reported in CHICKEN, which can be exploited by malicious people to 
compromise a vulnerable system.

The vulnerability is caused due to an error within the "read-string!" procedure in the "extras" 
unit when "#f" is passed as the buffer size and can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions 4.8.0.4 and prior.


Solution:
Apply patch or update to version 4.8.0.5 when available.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
CHICKEN Team:
http://lists.nongnu.org/archive/html/chicken-announce/2013-09/msg00000.html


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-10-16 01:28:44 UTC
CVE-2013-4385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4385):
  Buffer overflow in the "read-string!" procedure in the "extras" unit in
  CHICKEN stable before 4.8.0.5 and development snapshots before 4.8.2 allows
  remote attackers to cause a denial of service (memory corruption and
  application crash) or execute arbitrary code via a "#f" value in the NUM
  argument.
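
The flaw class described in the advisory and the CVE text above, as a constructed C model added here for illustration; it is not CHICKEN's source or its patch. `NUM_UNLIMITED` stands in for `#f` in the NUM argument, and the `port` struct, the function names and the guard-byte harness are all assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>
#define NUM_UNLIMITED ((size_t)-1)   /* stands in for Scheme's #f (assumption) */

/* Constructed model of an input port: a byte source with a read cursor. */
struct port { const char *data; size_t len, pos; };
static size_t port_avail(const struct port *p) { return p->len - p->pos; }

/* Flawed pattern (model): an explicit count is clamped to the room in dest,
   but "unlimited" is bounded only by what the port can supply. */
size_t read_into_unchecked(size_t num, char *dest, size_t dest_len,
                           struct port *p, size_t start)
{
    size_t room = dest_len - start;
    size_t n = (num == NUM_UNLIMITED) ? port_avail(p) : (num < room ? num : room);
    if (n > port_avail(p)) n = port_avail(p);
    memcpy(dest + start, p->data + p->pos, n);
    p->pos += n;
    return n;
}

/* Hardened pattern: every path, "unlimited" included, is clamped to the
   room left in dest after start. */
size_t read_into_checked(size_t num, char *dest, size_t dest_len,
                         struct port *p, size_t start)
{
    if (start > dest_len) return 0;              /* reject an offset past the end */
    size_t room = dest_len - start;
    size_t n = (num == NUM_UNLIMITED || num > room) ? room : num;
    if (n > port_avail(p)) n = port_avail(p);
    memcpy(dest + start, p->data + p->pos, n);
    p->pos += n;
    return n;
}

/* Harness: an 8-byte logical buffer inside a 32-byte guard-filled arena, so an
   overrun is observable without undefined behaviour. Returns guard bytes hit. */
size_t guard_bytes_clobbered(int use_checked)
{
    char arena[32];
    const char input[] = "AAAAAAAAAAAAAAAAAAAA"; /* 20 constructed input bytes */
    struct port p = { input, 20, 0 };
    size_t hit = 0;
    memset(arena, 0x5A, sizeof arena);
    if (use_checked) read_into_checked(NUM_UNLIMITED, arena, 8, &p, 0);
    else             read_into_unchecked(NUM_UNLIMITED, arena, 8, &p, 0);
    for (size_t i = 8; i < sizeof arena; i++) hit += (arena[i] != 0x5A);
    return hit;
}
```

Until a fixed version is installed, callers get the same effect as the checked variant by always passing the destination's real length instead of `#f`.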
Comment 2 erik falor 2015-08-05 03:47:18 UTC
I'm sorry for the long delay on this. I'm preparing an ebuild for the latest CHICKEN release, 4.10.0, which addresses this and all open dev-scheme/chicken issues.
Comment 3 erik falor 2015-08-08 22:56:20 UTC
I have submitted an updated ebuild for the latest version of CHICKEN to bug #467966.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-12-31 15:24:22 UTC
This issue was resolved and addressed in
 GLSA 201612-54 at https://security.gentoo.org/glsa/201612-54
by GLSA coordinator Thomas Deutschmann (whissi).