Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 620320 (CVE-2017-9334) - <dev-scheme/chicken-4.13.0-r1: Unsafe pointer dereference due to incorrect pair? check in Scheme "length" procedure
Summary: <dev-scheme/chicken-4.13.0-r1: Unsafe pointer dereference due to incorrect pa...
Status: RESOLVED FIXED
Alias: CVE-2017-9334
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-11343
Blocks: CVE-2016-6830, CVE-2016-6831 CVE-2017-6949
  Show dependency tree
 
Reported: 2017-06-01 08:15 UTC by Agostino Sarubbo
Modified: 2018-06-11 15:08 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-06-01 08:15:04 UTC
From ${URL} :

An incorrect "pair?" check in the Scheme "length" procedure results in an unsafe pointer dereference in all CHICKEN Scheme versions prior to 4.13, which allows an attacker to cause a denial of service 
by passing an improper list to an application that calls "length" on it.

Reference:

https://lists.nongnu.org/archive/html/chicken-hackers/2017-05/msg00099.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2017-07-17 00:18:18 UTC
@maintainer(s), please bump this.  Several open bugs exist.  Next step is PMASK.
Comment 2 Maxim Koltsov (RETIRED) gentoo-dev 2018-03-15 20:42:21 UTC
I've added chicken-4.13, which fixed all CVEs:

https://code.call-cc.org/releases/4.13.0/NEWS
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-06-11 15:08:18 UTC
tree is clean.

GLSA Vote: No