oss-sec mailing list archives
CVE request: GNU Guile <= 2.0.12: REPL server vulnerable to HTTP inter-protocol attacks
From: ludo () gnu org (Ludovic Courtès)
Date: Tue, 11 Oct 2016 15:56:11 +0200
GNU Guile, an implementation of the Scheme language, provides a “REPL server” which is a command prompt that developers can connect to for live coding and debugging purposes. The REPL server is started by the ‘--listen’ command-line option or equivalent API.

Christopher Allan Webber reported that the REPL server is vulnerable to the HTTP inter-protocol attack as described at <https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the HTML form protocol attack described at <https://www.jochentopf.com/hfpa/hfpa.pdf>.

This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network. Applications that do not run a REPL server, as is usually the case, are unaffected.

Developers can work around this vulnerability by binding the REPL server to a Unix-domain socket, for instance by running:

  guile --listen=/some/file

A modification to the REPL server that detects attempts to exploit this vulnerability is available upstream and will be part of Guile 2.0.13, to be released shortly.

Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03
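
The following is an added example, not part of the original message and not Guile's code: a Python sketch of the kind of guard a line-oriented command service on a TCP port can apply, refusing a client whose first line is shaped like an HTTP request before anything is evaluated. The function names, the method list and the size bound are assumptions made for this illustration.

```python
import socket

# HTTP methods a request line can start with (list assumed for this example).
HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")
MAX_FIRST_LINE = 8192  # assumed bound on how much is buffered before deciding


def looks_like_http(first_line: bytes) -> bool:
    """True if the line has the shape 'METHOD target HTTP/x.y'."""
    parts = first_line.strip().split()
    if len(parts) != 3:
        return False
    method, _target, version = parts
    return method.upper() in HTTP_METHODS and version.upper().startswith(b"HTTP/")


def screen_client(conn: socket.socket):
    """Buffer the client's first line without evaluating it.

    Returns None (and closes the connection) when the line looks like an
    HTTP request; otherwise returns the bytes read so far, which the caller
    hands on to its normal command reader.
    """
    buf = b""
    while b"\n" not in buf and len(buf) < MAX_FIRST_LINE:
        chunk = conn.recv(256)
        if not chunk:  # peer closed before sending a full line
            break
        buf += chunk
    if looks_like_http(buf.split(b"\n", 1)[0]):
        conn.close()
        return None
    return buf


if __name__ == "__main__":
    # Constructed sample inputs, sent over a local socket pair.
    for sample in (b"POST /x HTTP/1.1\r\nHost: localhost\r\n\r\n", b"(+ 1 2)\n"):
        client, server = socket.socketpair()
        client.sendall(sample)
        verdict = "rejected" if screen_client(server) is None else "admitted"
        print(sample.split(b"\n", 1)[0], "->", verdict)
        client.close()
```

A guard like this only screens the opening line; the Unix-domain socket workaround given in the message removes the TCP listener altogether.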