Bug 510712 (CVE-2014-3776) - <dev-scheme/chicken-4.10.0: buffer overrun (CVE-2014-3776)
Summary: <dev-scheme/chicken-4.10.0: buffer overrun (CVE-2014-3776)
Status: RESOLVED FIXED
Alias: CVE-2014-3776
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: CVE-2013-2024
Blocks:
Reported: 2014-05-19 07:31 UTC by Agostino Sarubbo
Modified: 2016-12-31 15:24 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2014-05-19 07:31:22 UTC
From ${URL}:

I would like to request a CVE for a buffer overrun bug in CHICKEN Scheme
which is very similar to CVE-2013-4385.  It affects a very particular,
not very common use of the read-u8vector! procedure.  If given a buffer
and #f (the Scheme value for "false") as the buffer's size (which should
trigger automatic size detection but doesn't), it will read beyond the
buffer, until the input port (file, socket, etc.) is exhausted.  This may
result in the typical potential remote code execution or denial of
service; in CHICKEN, these buffers are initially allocated on the stack
and moved to the heap upon GC.

In normal usage, users would usually pass in the buffer's size.  This
is also the workaround for this bug.

For the official announcement, see
http://lists.gnu.org/archive/html/chicken-announce/2014-05/msg00001.html

The patch on the discussion list is
http://lists.gnu.org/archive/html/chicken-hackers/2014-05/msg00032.html
and it got applied as
http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=1d06ce7e21c7e903ca5dca11fda6fcf2cc52de5e

All versions of CHICKEN prior to 4.9.0 (soon to be released) and 4.8.0.7
(not yet(?) released) are affected.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
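The report above gives the workaround in one sentence: always pass the buffer's real size as NUM instead of #f. The following is an added example (not code from the bug report or from the CHICKEN project) that wraps that rule in a small helper so callers cannot trigger the unbounded read by accident. It assumes the CHICKEN 4 srfi-4 unit signature (read-u8vector! NUM U8VECTOR [PORT [START]]) with the bytes-read count as return value, and the helper name safe-read-u8vector! is hypothetical.

```scheme
;; Added example, not part of the bug report or of CHICKEN itself.
;; Assumes CHICKEN 4 with the srfi-4 unit, where read-u8vector! takes
;; (NUM U8VECTOR [PORT [START]]) and returns the number of bytes read.
(use srfi-4)

;; Hypothetical helper: the size passed to read-u8vector! is always taken
;; from the buffer itself, never from the caller, so #f can never reach
;; the NUM argument and the read is bounded by the buffer's length no
;; matter how much data the port has to offer.
(define (safe-read-u8vector! buf #!optional (port (current-input-port)))
  (let ((n (u8vector-length buf)))
    ;; Returns the number of bytes actually read (fewer than n at EOF).
    (read-u8vector! n buf port)))

;; Constructed input: a string port that offers more bytes than the
;; 4-byte buffer can hold. Only the first 4 bytes are consumed; the
;; remaining bytes stay unread in the port for the next call.
(define port (open-input-string "0123456789"))
(define buf (make-u8vector 4 0))
(define count (safe-read-u8vector! buf port))
(print count " bytes read into " buf)
```

The point of the wrapper is the source of truth for the size: as long as NUM is derived from (u8vector-length buf) rather than supplied by the caller, the faulty "#f means auto-detect" path in affected versions is never exercised, which is exactly the mitigation the report recommends for code that cannot yet be upgraded to 4.9.0 or later.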
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-06-09 13:30:19 UTC
CHICKEN 4.9.0 and a possible 4.8.0.7 will include the fix, as will all
development snapshots starting with 4.9.1.

http://lists.gnu.org/archive/html/chicken-announce/2014-05/msg00001.html
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 02:30:42 UTC
CVE-2014-3776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3776):
  Buffer overflow in the "read-u8vector!" procedure in the srfi-4 unit in
  CHICKEN stable 4.8.0.7 and development snapshots before 4.9.1 allows remote
  attackers to cause a denial of service (memory corruption and application
  crash) and possibly execute arbitrary code via a "#f" value in the NUM
  argument.
Comment 3 erik falor 2015-08-05 03:47:42 UTC
I'm sorry for the long delay on this. I'm preparing an ebuild for the latest CHICKEN release, 4.10.0 which addresses this, and all open dev-scheme/chicken issues.
Comment 4 erik falor 2015-08-08 22:56:45 UTC
I have submitted an updated ebuild for the latest version of CHICKEN to bug #467966
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2016-12-31 15:24:30 UTC
This issue was resolved and addressed in
 GLSA 201612-54 at https://security.gentoo.org/glsa/201612-54
by GLSA coordinator Thomas Deutschmann (whissi).