Hello CHICKEN users,

A problem was found with the read-u8vector! procedure from the srfi-4
unit, which is almost identical to CVE-2013-4385 (which related to
the read-string! procedure, see 
https://lists.nongnu.org/archive/html/chicken-announce/2013-09/msg00000.html
for details).

If read-u8vector! is called with #f as the "NUM" argument, it didn't
bound the read to the u8vector's size, resulting in a buffer overrun
which may lead to general corruption of the stack or heap, and can
potentially be used to execute arbitrary code.

This has been fixed with changeset 1d06ce7e21c7e903ca5dca11fda6fcf2cc52de5e
http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=1d06ce7e21c7e903ca5dca11fda6fcf2cc52de5e

All currently released CHICKENs are vulnerable to this bug: this includes
stable versions up until 4.8.0.6, and all 4.8.x development snapshots.
CHICKEN 4.9.0 and a possible 4.8.0.7 will include the fix, as will all
development snapshots starting with 4.9.1.

Like CVE-2013-4385, only code that uses the destructive read-u8vector!
variant with #f as a length argument is vulnerable.  A similar workaround
helps in this case: Convert all (read-u8vector! #f buf ...) calls to
(read-u8vector! (u8vector-length buf) buf ...), or, if possible, use the
safe, non-destructive read-u8vector version from the srfi-4 unit.

A quick scan of the egg repository indicates that only two eggs use
read-u8vector! in a potentially unsafe way.  The (currently unreleased)
r7rs egg's read-bytevector! procedure maps to read-u8vector!, so any
program using that with #f as the length argument is susceptible to this
vulnerability.  The srfi-27 egg's entropy-source-u8vector procedure also
indirectly exposes the read-u8vector! vulnerability, but it is
undocumented that a LENGTH of #f is allowed.

This means that applications should be safe if they don't call
read-u8vector! directly with a #f size and use only documented
functionality of released eggs.

Kind regards,
The CHICKEN team

_______________________________________________
Chicken-users mailing list
Chicken-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/chicken-users

Reply via email to