oss-sec mailing list archives
CVE request for buffer overrun in CHICKEN Scheme's substring-index[-ci] procedures
From: Moritz Heidkamp <moritz.heidkamp () bevuta com>
Date: Mon, 12 Jan 2015 17:44:37 +0100
Hello, I would like to request a CVE for a buffer overrun vulnerability in CHICKEN Scheme's substring-index[-ci] procedures. This overrun is only triggered when an integer greater than zero is passed as the optional START argument. As a work-around users are advised to switch to the equivalent string-contains procedure from SRFI 13 which is also shipped with CHICKEN. All releases of CHICKEN up until 4.9.0.1 are affected. The issue is fixed by the patch at http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/txt2UqAS9CtvH.txt. This fix will be included in the upcoming release versions 4.9.0.2, 4.9.1, 4.10.0, and 5.0. The patch on the discussion list is http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/msg00000.html and it got applied as http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=25db851b902606741b1a520bd7e4a3fbd12c9b2a and http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=63d0445ed379a43343cfcea7032a284cf7deca2b For the official announcement, see http://lists.nongnu.org/archive/html/chicken-users/2015-01/msg00048.html Regards Moritz -- bevuta IT GmbH - professional IT solutions Marktstrasse 10 | http://www.bevuta.com/ | HRB 62476 AG Cologne D-50968 Cologne | Tel.: +49 221 282678-0 | CEO: Pablo Beyen
Attachment:
signature.asc
Description:
Current thread:
- CVE request for buffer overrun in CHICKEN Scheme's substring-index[-ci] procedures Moritz Heidkamp (Jan 12)
- Re: CVE request for buffer overrun in CHICKEN Scheme's substring-index[-ci] procedures Peter Bex (Jan 28)
- Re: CVE request for buffer overrun in CHICKEN Scheme's substring-index[-ci] procedures Moritz Muehlenhoff (Jan 28)
- Re: CVE request for buffer overrun in CHICKEN Scheme's substring-index[-ci] procedures Peter Bex (Jan 28)