Re: A small backlog of vulnerabilities in Chicken Scheme

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/06/2013 07:29 PM, Kurt Seifried wrote:
> Sorry for the delay, it's been a crazy couple of weeks.
>
> On 02/02/2013 06:59 AM, Peter Bex wrote:
> > Hello all,
>
> > Recently a handful of security bugs have been found and fixed in 
> > the Chicken Scheme compiler (http://www.call-cc.org).  We (the
> > core team) have decided we'd like to start using CVE identifiers
> > for the benefit of our users and distributions.
>
> > I'd like to request CVEs for the currently known security bugs:
>
> > * POSIX select() buffer overrun, fixed on in Chicken 4.8.2 
> > (development snapshot) by switching to POSIX poll() on platforms 
> > where supported. This is also fixed in 4.8.0.1 (stability 
> > release).
>
> > Original announcement, with workaround (followed by preliminary 
> > patch): 
> > http://lists.nongnu.org/archive/html/chicken-users/2012-06/msg00031.html
>
> >
>
> Final patch:
> > http://lists.nongnu.org/archive/html/chicken-hackers/2012-11/msg00075.html
>
> >
> Can
>
> you list the versions released that included the broken and correct
> patch? thanks.

Please use CVE-2012-6122 for this issue.

> > * Poisoned NUL byte injection due to incomplete protection by 
> > missing checks in some procedures, fixed in Chicken 4.8.0: 
> > http://lists.nongnu.org/archive/html/chicken-users/2012-09/msg00004.html

Please
> >
use CVE-2012-6123 for this issue.

> > * Broken randomization procedure on 64-bit platforms (it
> > returned a constant value).  This function wasn't used for
> > security purposes (and is advertised as being unsuitable), so I'm
> > unsure a CVE is needed: 
> > http://lists.nongnu.org/archive/html/chicken-hackers/2012-02/msg00084.html
>
> >
> Fixed in 4.8.0.
>
> no problem here, will assign once other Q's are answered.

Please use CVE-2012-6124 for this issue.


> > * Vulnerability to algorithmic complexity attacks due to hash 
> > table collisions.  Fixed in 4.8.0. First public confirmation of
> > the issue, with preliminary (broken) patch: 
> > http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00002.html
>
> >
>
>
> Proper fix:
> > http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00020.html
>
> >
> Can
>
> you list the versions released that included the broken and correct
> patch? thanks.

Please use CVE-2012-6125 for this issue.

> > Please let me know if more info is required or if this is even
> > the proper way to request CVEs.
>
> > I'd also like to know if it's possible to get CVE numbers
> > assigned *before* issuing a security advisory, but without
> > immediate full disclosure, so an initial advisory can be complete
> > with CVE number.
>
> Yup see the HOWTO. Initially I'll require full info up front to
> make sure CVE split/merge is done correct, but this wouldn't go
> past me, and if you can't trust me, well, then you go to Mitre I
> guess =). Longer term depends on the quality of CVE requests,
> basically if you learn to do them right and do them consistently
> right I'll require less info/trust you.
>
> > The CVE can be updated afterwards with the link to the advisory 
> > when it is issued.  This should make it easier for users to find 
> > information about the bug.  This list's Openwall wiki seems to 
> > imply that it's only possible to request a CVE for an issue
> > given all the information immediately, but a recent message from
> > Kurt Seifried in a thread about Jenkins says that it can be done.
> > If it's indeed okay to e-mail Kurt directly, it would be helpful
> > to include this in the documentation wiki.
>
> > Finally, how do CVE entries in MITRE and/or the NVD get updated?
> > I couldn't find anything about this in the FAQ.  For example, if
> > we find and fix a noncritical vulnerability but the fix is rather
> >  complicated and needs to be thoroughly tested, the fix might 
> > appear in a release after CVE and advisory are issued.  How will 
> > this be reflected in the information once the version in which
> > the fix appears is finally known?

email cve-assign () mitre org for all these things. I just assign CVE's,
Mitre handles the entries/write ups/database/etc.

> > Cheers, Peter Bex (on behalf of the Chicken core team)

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRFJhJAAoJEBYNRVNeJnmT7igQAJQrz3PJFRZd5BjHN3ys9rHa
jJfH1KZw7509azbG1O4/JvsXbgXM/5LgysQa70Z68azfhQXjNAruMxdnYq6fdWPN
rc8Tkv6ECskdLPuRrnsoJp6Qf4W3iocmnXFLqbmxq/VvG4yqFvQpCXriVDEeplLH
VddOO9WOq07ruFnfvom1i2HYTRtYq1LnJPUCslyU8hM+L5PeFL1jZYhvtT1eZcAh
7x+XChglIZCFg0X92Si3egPwUZc3Hbe/oXijn+wiILkVgIpGbCU7MPIJ3CS9OLUm
Snmj99i8Tm+3S47NBh13OJEmERJ7Lwd9SP5mAcQX9YCVYy6Oggne9YuuCSbLH4pi
iy7DQB4+zAv8v1Lj4b8UikStshH94bM0soqn+Pc/LJOfG0hUnkVT/xetgKuYLN0S
yLBiGHyIrC+RJcazl1sXetL3FtpXtgLei3BIdhNhr13IZ6xfEQQ9S5pc9RDs0cRu
U8ZlVdeVUVql0s0uw59p498qyDmd8sXWt9Yk0PYQulgS6TQ8aHo3mop1JnbSpYzY
RGg7GGVYeQHyTDw77Wo3R3m4bpmF2JC8iQDwnKNjPSo2NEWxsY1zT8Ugk3HQJRC2
q04wuonBbIZXtJb5WWm1UJcLD5O3xVlR5ic7LEkVX6JXewliTuNLqqV4sSYMVYXT
E7Zu5gMQIKL6niPdWF6s
=KCO9
-----END PGP SIGNATURE-----