From ${URL} : I would like to request a CVE for a buffer overrun vulnerability in CHICKEN Scheme's substring-index[-ci] procedures. This overrun is only triggered when an integer greater than zero is passed as the optional START argument. As a work-around users are advised to switch to the equivalent string-contains procedure from SRFI 13 which is also shipped with CHICKEN. All releases of CHICKEN up until 4.9.0.1 are affected. The issue is fixed by the patch at http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/txt2UqAS9CtvH.txt. This fix will be included in the upcoming release versions 4.9.0.2, 4.9.1, 4.10.0, and 5.0. The patch on the discussion list is http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/msg00000.html and it got applied as http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=25db851b902606741b1a520bd7e4a3fbd12c9b2a and http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=63d0445ed379a43343cfcea7032a284cf7deca2b For the official announcement, see http://lists.nongnu.org/archive/html/chicken-users/2015-01/msg00048.html @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
I'm sorry for the long delay on this. I'm preparing an ebuild for the latest CHICKEN release, 4.10.0 which addresses this, and all open dev-scheme/chicken issues.
I have submitted an updated ebuild for the latest version of CHICKEN to bug #467966
This issue was resolved and addressed in GLSA 201612-54 at https://security.gentoo.org/glsa/201612-54 by GLSA coordinator Thomas Deutschmann (whissi).