Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 552202 (CVE-2015-4556) - <dev-scheme/chicken-4.10.0: out-of-bounds read in CHICKEN Scheme's string-translate* procedure (CVE-2015-4556)
Summary: <dev-scheme/chicken-4.10.0: out-of-bounds read in CHICKEN Scheme's string-tra...
Alias: CVE-2015-4556
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on: CVE-2013-2024
  Show dependency tree
Reported: 2015-06-15 15:14 UTC by Agostino Sarubbo
Modified: 2016-12-31 15:24 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-06-15 15:14:36 UTC
From ${URL} :

It was discovered that the string-translate*
procedure from the data-structures unit can scan beyond the input string's
length up to the length of the source strings in the map that's passed to
string-translate*.  This issue was fixed in master 8a46020, and it will
make its way into CHICKEN 4.10.

This bug is present in all released versions of CHICKEN.

Upstream patches:

CVE request:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2015-06-22 07:24:58 UTC
cannot yet find any patch. I presume you mean revbump. The last release of chicken-4.9.0 was date 2014-11-18. That's 7 months ago now.
Comment 2 Ian Delaney (RETIRED) gentoo-dev 2015-07-13 07:30:07 UTC
According to the Description of 2015-06-15 10:13:44 EDT in
some patches were made available. 
Also CVE request:

Awaiting proxy maintainer to acquire and runtest these.
Comment 3 erik falor 2015-08-05 03:48:22 UTC
I'm preparing an ebuild for the latest CHICKEN release, 4.10.0 which addresses this, and all open dev-scheme/chicken issues.
Comment 4 erik falor 2015-08-08 22:57:21 UTC
I have submitted an updated ebuild for the latest version of CHICKEN to bug #467966
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 15:29:38 UTC
Please use this bug to continue with the vulnerability as the other bug is in GLSA status.

Setting status to stable? waiting for review of proxy maintainers.

Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.
Comment 6 erik falor 2015-08-10 17:02:16 UTC
Please proceed with stabilization.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-08-11 13:30:31 UTC
Waiting on proxy maintainers to look over the ebuild and add it to tree, before calling for stabilization.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-09-13 13:39:19 UTC
Ping on Proxy Maintainers, have been a month.
Comment 9 Ian Delaney (RETIRED) gentoo-dev 2015-09-13 16:35:47 UTC
The bump declared in bug 467966. Passes basic runtest but the bump has been added for the benefit of these sec issues.  Maintainer has yet to do improvements style and syntax outlined in that bug. Sec team proceed to call for stablilising as you see fit.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-12-21 14:55:23 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-12-31 15:24:46 UTC
This issue was resolved and addressed in
 GLSA 201612-54 at
by GLSA coordinator Thomas Deutschmann (whissi).