Bug 612910 (CVE-2017-6949) - <dev-scheme/chicken-4.13.0-r1: Unchecked size argument in malloc() in CHICKEN Scheme (CVE-2017-6949)
Status: RESOLVED FIXED
Alias: CVE-2017-6949
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-9334 CVE-2017-11343
Blocks:
Reported: 2017-03-17 14:15 UTC by Agostino Sarubbo
Modified: 2018-06-11 15:08 UTC

Description Agostino Sarubbo gentoo-dev 2017-03-17 14:15:03 UTC
From ${URL} :

An issue was discovered in CHICKEN Scheme through. When using a nonstandard CHICKEN-specific extension to allocate an SRFI-4 vector in unmanaged memory, the vector size would be used in unsanitised form as an argument to malloc(). With an unexpected size, the impact may have been a segfault or buffer overflow.

References:

http://seclists.org/oss-sec/2017/q1/627
http://lists.gnu.org/archive/html/chicken-announce/2017-03/msg00000.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-03-19 13:40:38 UTC
CVE-2017-6949 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6949):
  An issue was discovered in CHICKEN Scheme through 4.12.0. When using a
  nonstandard CHICKEN-specific extension to allocate an SRFI-4 vector in
  unmanaged memory, the vector size would be used in unsanitised form as an
  argument to malloc(). With an unexpected size, the impact may have been a
  segfault or buffer overflow.
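
The bug class named in the CVE text above (a caller-supplied vector size passed unsanitised to malloc()), shown as an added C illustration that is not CHICKEN's code and not part of this bug report. The type `nongc_vec`, both function names and the sample inputs are hypothetical and constructed for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical vector in unmanaged (malloc) memory; not CHICKEN's types. */
typedef struct { size_t len, elem_size; unsigned char *data; } nongc_vec;

/* Unchecked form, shown for contrast and never called here: a negative
 * count becomes a huge size_t, the product can wrap to a small value,
 * and a NULL return is stored, so later indexing by len is unsafe. */
int vec_alloc_unchecked(nongc_vec *v, long count, size_t elem_size)
{
    v->data = malloc((size_t)count * elem_size);
    v->len = (size_t)count;
    v->elem_size = elem_size;
    return 0;
}

/* Checked form: validate the count, the product and the result. */
int vec_alloc_checked(nongc_vec *v, long count, size_t elem_size)
{
    memset(v, 0, sizeof *v);
    if (count < 0 || elem_size == 0)
        return -1;                        /* reject nonsensical sizes */
    if ((unsigned long)count > SIZE_MAX / elem_size)
        return -1;                        /* count * elem_size would wrap */
    size_t bytes = (size_t)count * elem_size;
    v->data = calloc(1, bytes ? bytes : 1);
    if (v->data == NULL)
        return -1;                        /* allocation failure is an error */
    v->len = (size_t)count;
    v->elem_size = elem_size;
    return 0;
}

int main(void)
{
    nongc_vec v;
    long samples[] = { 16, -1, LONG_MAX };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = vec_alloc_checked(&v, samples[i], 8);
        printf("count=%ld -> %s\n", samples[i], rc ? "rejected" : "ok");
        free(v.data);
    }
    return 0;
}
```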
Comment 2 Maxim Koltsov (RETIRED) gentoo-dev 2018-03-15 20:42:09 UTC
I've added chicken-4.13, which fixed all CVEs:

https://code.call-cc.org/releases/4.13.0/NEWS
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-06-11 15:08:27 UTC
tree is clean.

GLSA Vote: No