From ${URL} :

I'd like to request a CVE identifier for a bug in Chicken Scheme which allows a malicious user to cause shell command execution through injection of a pipe symbol and possibly other shell meta characters. This bug is present in all versions of CHICKEN. It will be fixed in 4.8.3 and 4.8.2 as per commit 58684f69572453acc6fed7326fa9df39be98760e. Version 4.9.0 will likely be the first stable release to include this fix, unless it is decided to backport this fix to the stability release.

The full announcement is here: http://lists.nongnu.org/archive/html/chicken-announce/2013-04/msg00000.html

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not
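The report above describes command execution through a pipe symbol smuggled into a string that ends up on a shell command line. As an added example (not code from the bug report or from CHICKEN itself), the POSIX shell helper below shows the quoting that keeps such metacharacters inert, next to the naive interpolation that does not; the function names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the bug report or from CHICKEN: a POSIX shell
# quoting helper of the kind needed whenever a program assembles a command
# line from untrusted strings.

# shquote ARG: print ARG wrapped in single quotes, with each embedded single
# quote rewritten as '\'' (close quote, escaped quote, reopen quote).
# Inside single quotes the shell expands nothing, so |, ;, $, `, & and
# similar metacharacters reach the command as literal characters.
# Caveat: command substitution strips trailing newlines from ARG.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# naive_cmd DATA: builds "echo DATA" by plain interpolation. Whatever DATA
# contains is parsed by the shell when the string is run.
naive_cmd() {
    printf 'echo %s' "$1"
}

# safe_cmd DATA: the same command line, but DATA is quoted first, so the
# shell sees exactly one argument.
safe_cmd() {
    printf 'echo %s' "$(shquote "$1")"
}

# run_cmd STRING: hands the assembled command line to a shell, the way a
# library wrapper around system(3) or popen(3) would.
run_cmd() {
    sh -c "$1"
}

# Constructed input containing a pipe symbol: the naive form runs the
# pipeline, the safe form echoes the string back unchanged.
input="hello | wc -c"
printf 'naive: %s\n' "$(run_cmd "$(naive_cmd "$input")")"
printf 'safe:  %s\n' "$(run_cmd "$(safe_cmd "$input")")"
```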
According to upstream, this will be fixed in Chicken 4.9.0
Patch available at [1]. [1] http://lists.nongnu.org/archive/html/chicken-hackers/2013-04/msg00060.html
+*chicken-4.8.0.3-r1 (08 Jul 2013) + + 08 Jul 2013; Michael Weber <xmw@gentoo.org> +chicken-4.8.0.3-r1.ebuild, + +files/chicken-4.8.0.3-CVE-2013-1874.patch, + +files/chicken-4.8.0.3-CVE-2013-2024.patch, + +files/chicken-4.8.0.3-CVE-2013-2075_1.patch, + +files/chicken-4.8.0.3-CVE-2013-2075_2.patch: + Revbump to include security patches (bugs 462458, 469392, 467966) +
I'm sorry for the long delay on this. I'm preparing an ebuild for the latest CHICKEN release, 4.10.0 which addresses this, and all open dev-scheme/chicken issues.
Created attachment 408582 [details]
ebuild for latest version CHICKEN

This issue has been fixed in CHICKEN 4.10.0. See attached ebuild.
This bug is in glsa status, bug #552202 should be used for Chicken.
(In reply to erik falor from comment #5)
> Created attachment 408582 [details]
> ebuild for latest version CHICKEN
>
> This issue has been fixed in CHICKEN 4.10.0. See attached ebuild.

1. RDEPEND="emacs? ( virtual/emacs app-emacs/scheme-complete )"

While this 'works', by convention deps are listed one per line;

    RDEPEND="emacs? (
        virtual/emacs
        app-emacs/scheme-complete )"

2. if use "parallel-build"

Use of conditional patching often receives negative critique. Unless the patch breaks the normal build, just patch it. With eclass eutils you can utilise var PATCHES, prior to src_prepare. It reduces from 4 lines to one.

3. You can also reduce lines

        defaults.make rules.make \
        || die "sed failed"

to

        defaults.make rules.make || die

I wonder if the 10 Makefiles of the 2nd statement can be reduced to Makefile.*

Also the final two statements both edit the one file, defaults.make

    sed "s,\$(PREFIX)/lib,\$(PREFIX)/$(get_libdir)," -i defaults.make || die "sed failed"
    sed "s,\$(DATADIR)/doc,\$(SHAREDIR)/doc/${P}," -i defaults.make || die "sed failed"

Its more common form is to use '-e'

    (1 tab space) sed -e "s first statement" \
    (2 tab spaces)     -e "s second statement" \
    (2 tab spaces)     -i defaults.make

Functionally equivalent, one line longer; purely style. Listing so many Makefiles over 2 sed statements invites use of a patch instead. All 4 statements address use of vars used by portage. A patch is cleaner and removes all syntax style issues.

The content I haven't runtested yet. I shall await an updated attachment.

Also such a tiny file doesn't require or warrant compression.
In response to concern over Bug 552202

commit 2ba4fbcaa5f7a7983ab7d4fd3d13eb53c8d45d7a
Author: Ian Delaney <idella4@gentoo.org>
Date:   Mon Sep 14 00:23:34 2015 +0800

    dev-scheme/chicken: bump to 4.10.0

    ebuild and patch submitted by maintainer in sec bug #467966

No reply from maintainer at this point.

Note: Points of style in previous Comment not changed, they still 'work'. I have removed some entries of "|| die" terminating helper funcs which would trigger qa violations. There may be others. These points can be done later.
Created attachment 412012 [details]
style updated CHICKEN 4.10.0 ebuild

I have applied Ian's style suggestions to the ebuild.

I'm not confident enough in the whole parallel-build thing to force it upon all users by default. Insofar as it hasn't been merged in over 5 years, it seems that upstream doesn't trust it that well themselves. I will favor Gentoo best practices and simplicity instead.
(In reply to erik falor from comment #9)
> Created attachment 412012 [details]
>
> I'm not confident enough in the whole parallel-build thing to force it upon
> all users by default. Insofar as it hasn't been merged in over 5 years, it
> seems that upstream doesn't trust it that well themselves. I will favor
> Gentoo best practices and simplicity instead.

You're sure you wish to drop the use parallel-build and the patch?

In my local copy I've edited around line 27 to

    sed "s,A\(\s?=\|)\),chicken&," \
        -i Makefile.cross-linux-mingw defaults.make rules.make || die
    sed "s,ARCH,zARCH," \
        -i Makefile.* defaults.make rules.make || die

The line was very long; the above is a convention used in writing sed statements. It has the benefit of reducing long lines > 80 chars, which is a length recommended in ebuilds. Sometimes exceeding that can't be avoided.

In your adjusted ebuild you left in, or re-introduced, instances of "|| die" to helper functions, e.g. LINKER_OPTIONS="${LDFLAGS}" install || die belongs to emake from the previous line, & dodoc NEWS || die.

Await reply to this before moving.
(In reply to Ian Delaney from comment #10)
> You're sure you wish to drop the use parallel-build and the patch?

Yes, I'm sure of it.

> In my local copy I've edited around line 27 to
>
>     sed "s,A\(\s?=\|)\),chicken&," \
>         -i Makefile.cross-linux-mingw defaults.make rules.make || die
>     sed "s,ARCH,zARCH," \
>         -i Makefile.* defaults.make rules.make || die

I think that this is fine. I've applied it to the attached ebuild.

> In your adjusted ebuild you left in, or re-introduced, instances of "|| die"
> to helper functions, e.g. LINKER_OPTIONS="${LDFLAGS}" install || die belongs
> to emake from the previous line, & dodoc NEWS || die.

After more carefully reading https://devmanual.gentoo.org/ebuild-writing/error-handling/index.html I now understand what you mean. See the latest attachment.
Created attachment 412458 [details]
Further refined style per Ian Delaney
(In reply to erik falor from comment #12)
> Created attachment 412458 [details]
> Further refined style per Ian Delaney

Some minor changes to accommodate doing a revbump, which is now warranted considering the withdrawal of the use flag and the patch. The doc site is not "${D}"/usr/share/doc/${P} but rather "${D}"usr/share/doc/${PF}, so making a revbump, the docs are split between image/usr/share/doc/chicken-4.10.0 and image/usr/share/doc/chicken-4.10.0-r1

1. The ebuild now has docs to have README.bz2, NEWS.bz2. So you need to set the var DOCS to capture them, either globally or with local in src_install().

2. The LICENSE is better removed early on in src_prepare than src_install.

3. The auto install of the docs is nasty. Similarly, rather than remove them after they're installed, we remove them in src_prepare, so simply shift it to src_prepare; however the folder in ${S} is called manual-html. So edit

    rm -rf "${D}"usr/share/doc/${P}/manual

to remove manual-html from ${S}

4. The install of the docs is then done within src_install with if use doc; then. Use the helper func 'dodoc -r', which is the replacement to the defunct dohtml.

These are simple edits. Install of docs and DOCS are fundamental steps and warrant these improvements. If removal of the pre-built docs under manual-html triggers error because they are hard coded and expected to be present, either leave as is or feel free to join the new channel in irc for further support. (See the project page of proxy-maintainers in the wiki)
Created attachment 414678 [details]
Refined per Ian's recommendations

Applied Ian's suggestions, tested with and without USE=doc.
(In reply to erik falor from comment #14)
> Created attachment 414678 [details]
> Refined per Ian's recommendations
>
> Applied Ian's suggestions, tested with and without USE=doc.

Tested the attached ebuild. No issues during build or merge. No errors reported.

Just a small side note: if you could name your attachments with the name of the ebuild it would make testing it a lot easier, e.g. "chicken-4.10.0-r1.ebuild" or something like that.
DOCS should be an array and not a string as per https://github.com/gentoo/gentoo/blob/master/eclass/base.eclass#L27
it still has:

    -e "s,\$(DATADIR)/doc,\$(SHAREDIR)/doc/${P}," \

remember:

The doc site is not "${D}"/usr/share/doc/${P} but rather "${D}"usr/share/doc/${PF}, so making a revbump, the docs are split between image/usr/share/doc/chicken-4.10.0 and image/usr/share/doc/chicken-4.10.0-r1

also a bash array is now preferred over " "; so

    DOCS=( NEWS README LICENSE )

timeout 3-5 days or I'll do the changes this end.
Created attachment 414732 [details]
Further refinements

DOCS is now an array. sed now edits defaults.make to put the docs under ${PF} instead of ${P}
commit 08db0a2d383e2e8e62259ef2ae6d42b0b3c30d09
Author: Ian Delaney <idella4@gentoo.org>
Date:   Sat Oct 17 08:46:28 2015 +0800

    dev-scheme/chicken: revbump

    drop use of parallel-build and the -parallel-build.patch by request of
    proxy maintainer via the gentoo bug, also many stylistic and qa
    improvements to the code of the ebuild

    Gentoo bug: #467966

Do you wish to have the chicken-4.10.0.ebuild and the corresponding patch dropped?
Yes, let's drop the patch and the 4.10.0 ebuild. I would go even further and suggest the 4.8.0.3 ebuild be dropped due to the open security concerns that are fixed in later releases. So doing will finally allow us to close this and a handful of other chicken bugs.
commit a6495dbc02107746a4759d7ce81c706261f6e3a6
Author: Ian Delaney <idella4@gentoo.org>
Date:   Sat Oct 17 15:40:08 2015 +0800

    dev-scheme/chicken: clean affected version -4.10.0, patch

    Gentoo Security bug: #467966

Arch teams please make stable =dev-scheme/chicken-4.10.0-r1:

Target arches: alpha amd64 ppc ppc64 x86
Stable on alpha.
amd64 stable
x86 stable
ppc stable
ppc64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
commit f8dfa3a9d8e9f2db504883fd9b62cf9732b3c9ed
Author: Ian Delaney <idella4@gentoo.org>
Date:   Sun Nov 15 09:01:26 2015 +0800

    dev-scheme/chicken: cleanup; rm vn. 4.10.0-r1 wrt the gentoo bug

    Gentoo bug: #467966
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
Still pending GLSA.
This issue was resolved and addressed in GLSA 201612-54 at https://security.gentoo.org/glsa/201612-54 by GLSA coordinator Thomas Deutschmann (whissi).