Hello!

Vasilij found a security issue with the way egg-information
files are created during installation of an extension package.
Currently, escape characters in the .egg file may be used to
perform arbitrary OS command injection because of the way the
egg metadata is created and installed in the local egg repository
during the install stage of an egg.

The issue is fixed in commit a08f8f548d772ef410c672ba33a27108d8d434f3
and has been assigned the CVE identifier CVE-2022-45145. See here
for the patch:

    https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=a08f8f548d772ef410c672ba33a27108d8d434f3;hp=9c6fb001c25de4390f46ffd7c3c94237f4df92a9

All CHICKEN versions from 5.0.0 onward are vulnerable.

Many thanks to Vasilij for reporting the issue and suggesting the
necessary changes to mitigate the problem.

Since all egg-downloads go through our centralized egg-locations file
in SVN, it is highly recommended to verify *.egg files for possible
shell escape characters before including their access information there.

Future Salmonella runs should point out problematic eggs, but it may
be prudent not to rely on this, as Salmonella runs and additions
to the egg-locations file are not synchronized.


felix
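
One way to carry out the check on *.egg files recommended above, as an added example that is not part of the original message or of CHICKEN's own tooling. The character set, the choice to inspect only strings and symbols (comments are skipped), and the names `scan_egg`, `SHELL_CHARS` and `SAMPLE_EGG` are assumptions.

```python
import re

# Assumption: characters a POSIX shell treats specially in or around quoted
# text. The advisory does not list an exact set; extend it as needed.
SHELL_CHARS = set('`$\\"\'|&;<>\n\r')

# Minimal S-expression tokenizer: enough to separate data from structure.
TOKEN = re.compile(r'''
    (?P<ws>\s+)
  | (?P<comment>;[^\n]*)
  | (?P<string>"(?:\\.|[^"\\])*")
  | (?P<paren>[()])
  | (?P<atom>[^\s()";]+)
  | (?P<bad>.)
''', re.VERBOSE | re.DOTALL)

def scan_egg(text):
    """Return (line, token, offending_chars) for each suspicious token."""
    findings = []
    for m in TOKEN.finditer(text):
        kind = m.lastgroup
        if kind in ("ws", "comment", "paren"):
            continue
        tok = m.group()
        # Inspect the raw string body, so backslash escapes are flagged too.
        body = tok[1:-1] if kind == "string" else tok
        bad = sorted(set(body) & SHELL_CHARS)
        if bad:  # an unterminated '"' arrives as kind "bad" and lands here
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, tok, "".join(bad)))
    return findings

# Constructed sample, not a real egg.
SAMPLE_EGG = r'''
((synopsis "Formats prices in $ and `quoted` text")   ; constructed sample
 (version "1.0")
 (license "BSD")
 (components (extension price-fmt)))
'''

if __name__ == "__main__":
    for line, tok, chars in scan_egg(SAMPLE_EGG):
        print(f"line {line}: {tok} contains {chars!r}")
```

A finding is a prompt for manual review before the egg's location is added, not proof of malicious intent; an apostrophe in a synopsis will be reported as well.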

