Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 536448 (CVE-2014-9651) - <dev-scheme/chicken-4.10.0-r1: buffer overrun vulnerability in CHICKEN Scheme's substring-index[-ci] procedures (CVE-2014-9651)
Summary: <dev-scheme/chicken-4.10.0-r1: buffer overrun vulnerability in CHICKEN Scheme...
Alias: CVE-2014-9651
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on:
Reported: 2015-01-13 08:41 UTC by Agostino Sarubbo
Modified: 2016-12-31 15:24 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-01-13 08:41:06 UTC
From ${URL} :

I would like to request a CVE for a buffer overrun vulnerability in
CHICKEN Scheme's substring-index[-ci] procedures. This overrun is only
triggered when an integer greater than zero is passed as the optional
START argument. As a work-around users are advised to switch to the
equivalent string-contains procedure from SRFI 13 which is also shipped

All releases of CHICKEN up until are affected.

The issue is fixed by the patch at This
fix will be included in the upcoming release versions, 4.9.1,
4.10.0, and 5.0.

The patch on the discussion list is
and it got applied as;a=commit;h=25db851b902606741b1a520bd7e4a3fbd12c9b2a

For the official announcement, see

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 erik falor 2015-08-05 03:48:00 UTC
I'm sorry for the long delay on this. I'm preparing an ebuild for the latest CHICKEN release, 4.10.0 which addresses this, and all open dev-scheme/chicken issues.
Comment 2 erik falor 2015-08-08 22:57:04 UTC
I have submitted an updated ebuild for the latest version of CHICKEN to bug #467966
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-12-31 15:24:38 UTC
This issue was resolved and addressed in
 GLSA 201612-54 at
by GLSA coordinator Thomas Deutschmann (whissi).