2016-09-28 13:56 GMT+02:00 Bálint Réczey <[email protected]>:
> Hi,
>
> I have prepared an update for chicken in Wheezy.
>
> Please see the diff to previous version:
> https://people.debian.org/~rbalint/ppa/wheezy-lts/chicken_4.7.0-1+deb7u1.patch.gz
>
> Changes:
>  chicken (4.7.0-1+deb7u1) wheezy-security; urgency=medium
>  .
>    * LTS Team upload
>    * Don't overflow statically allocated arrays in process-execute
>      (CVE-2016-6830)
>    * Stop leaking memory in process-execute when the process arguments
>      or environment variables are not strings (CVE-2016-6831)
>
> If no one objects I will upload the fix on 30 Sept.
>
> The first vulnerability can be easily triggered using the following
> command:
>
> $ echo '(use posix) (use srfi-1) (process-execute "/bin/echo" (map ->string
> (iota 8500)))' | csi

The binary packages for amd64 are also available for testing here:

deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/

Cheers,
Balint
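
The two bug classes named in the changelog above, as an added C illustration that is not taken from the chicken source or from the patch: an argument vector sized from the actual argument count instead of a fixed static array, and cleanup of everything already copied when an element turns out not to be a string. All names here (value_t, build_argv, free_argv and the helpers) are hypothetical, and the inputs are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a dynamically typed value (a string or something else). */
typedef struct { int is_string; const char *str; } value_t;
static size_t live = 0; /* outstanding allocations, so a leak is observable */
static void *xalloc(size_t n) { void *p = malloc(n); if (p) live++; return p; }
static void xfree(void *p) { if (p) { free(p); live--; } }
size_t outstanding_allocations(void) { return live; }
/* Release a NULL-terminated vector, complete or partially filled. */
void free_argv(char **argv) {
    for (size_t i = 0; argv && argv[i]; i++) xfree(argv[i]);
    xfree(argv);
}

/* Copy n values into a heap vector sized from n, not from a compile-time limit.
   On a non-string element or allocation failure, release everything, return NULL. */
char **build_argv(const value_t *items, size_t n) {
    if (n > SIZE_MAX / sizeof(char *) - 1) return NULL; /* (n+1)*size would wrap */
    char **argv = xalloc((n + 1) * sizeof *argv);
    if (!argv) return NULL;
    argv[0] = NULL;
    for (size_t i = 0; i < n; i++) {
        if (!items[i].is_string) { free_argv(argv); return NULL; }
        size_t len = strlen(items[i].str) + 1;
        if (!(argv[i] = xalloc(len))) { free_argv(argv); return NULL; }
        memcpy(argv[i], items[i].str, len);
        argv[i + 1] = NULL; /* keep the vector terminated at every step */
    }
    return argv;
}

/* Returns 1 if n string arguments are all copied (8500 mirrors the count above). */
int accepts_many_args(size_t n) {
    value_t *items = calloc(n ? n : 1, sizeof *items);
    if (!items) return 0;
    for (size_t i = 0; i < n; i++) { items[i].is_string = 1; items[i].str = "x"; }
    char **argv = build_argv(items, n);
    int ok = argv && (n == 0 || strcmp(argv[n - 1], "x") == 0) && argv[n] == NULL;
    free_argv(argv); free(items);
    return ok;
}

/* Returns 1 if a non-string in the middle of the list is rejected. */
int rejects_non_string(void) {
    value_t items[3] = { {1, "a"}, {0, NULL}, {1, "c"} };
    return build_argv(items, 3) == NULL;
}
```

After both helpers have run, outstanding_allocations() should be 0, which is the property the second changelog entry is about.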
