Hello! Vasilij found a security issue with the way egg-information files are created during installation of an extension package. Currently, shell escape characters in the .egg file may be used to perform arbitrary OS command injection, because of the way the egg metadata is created and installed into the local egg repository during the install stage of an egg: the metadata passes through a shell command without being escaped.
The issue is fixed in commit a08f8f548d772ef410c672ba33a27108d8d434f3 and has been assigned the CVE identifier CVE-2022-45145; the patch is here:

https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=a08f8f548d772ef410c672ba33a27108d8d434f3;hp=9c6fb001c25de4390f46ffd7c3c94237f4df92a9

All CHICKEN versions from 5.0.0 onward are vulnerable. Many thanks to Vasilij for reporting the issue and suggesting the changes needed to mitigate the problem.

Since all egg downloads go through our centralized egg-locations file in SVN, it is highly recommended to check *.egg files for shell escape characters before adding their access information there. Future Salmonella runs should point out problematic eggs, but it would be prudent not to rely on this, as Salmonella runs and additions to the egg-locations file are not synchronized.

felix
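The following POSIX sh script is an added example, not code from the CHICKEN project or from this mail. It shows the bug class the advisory describes (a metadata string spliced into a command line that a shell re-parses, next to the safe form that never re-parses it) and the pre-inclusion check recommended above: a scan of .egg files for shell metacharacters. The two .egg files, the function names and the character class are constructed assumptions; the s-expression layout is only a plausible stand-in for a real egg file.

```shell
#!/bin/sh
# Added example, not chicken-install's own code.  Fixtures below are constructed.

# Shell metacharacters that must not appear inside .egg string fields.  The
# s-expression delimiters ( ) and " are left out on purpose because every egg
# file contains them.  ';' is included even though it also starts a Scheme
# comment, so a hit on ';' deserves a manual look rather than automatic rejection.
META_CLASS='[`$;|&<>\\!]'

# Write two constructed .egg fixtures under $1: one clean, one whose synopsis
# carries a command substitution.
make_fixtures() {
  mkdir -p "$1"
  cat > "$1/clean.egg" <<'EOF'
((synopsis "A harmless egg")
 (author "Someone")
 (license "BSD")
 (version "1.0"))
EOF
  cat > "$1/hostile.egg" <<'EOF'
((synopsis "Looks normal $(echo INJECTED)")
 (author "Someone")
 (license "BSD")
 (version "1.0"))
EOF
}

# The recommended pre-inclusion check: returns 0 when the file contains no
# shell metacharacters, 1 otherwise, printing the offending lines with numbers.
check_egg_file() {
  if grep -n "$META_CLASS" "$1"; then
    return 1
  fi
  return 0
}

# Unsafe pattern (shape of the bug, assumed for illustration): the metadata
# value is spliced into a command string that an inner shell parses again, so
# $(...), backticks and ';' inside the value are executed.
write_meta_unsafe() {
  sh -c "echo $1 > $2"
}

# Safe pattern: the value is passed as an argument and written with printf;
# nothing re-parses it, so every metacharacter stays literal.
write_meta_safe() {
  printf '%s\n' "$1" > "$2"
}

# Pull the synopsis string out of a fixture (first line, between the quotes).
egg_synopsis() {
  sed -n 's/^((synopsis "\(.*\)")$/\1/p' "$1"
}

demo() {
  d=$(mktemp -d)
  make_fixtures "$d"
  for f in "$d"/*.egg; do
    if check_egg_file "$f" >/dev/null; then
      echo "ok:     $f"
    else
      echo "REJECT: $f (shell metacharacters found)"
    fi
  done
  s=$(egg_synopsis "$d/hostile.egg")
  write_meta_unsafe "$s" "$d/unsafe.out"
  write_meta_safe   "$s" "$d/safe.out"
  echo "unsafe wrote: $(cat "$d/unsafe.out")"   # INJECTED has been executed
  echo "safe wrote:   $(cat "$d/safe.out")"     # literal $(echo INJECTED)
}

demo
```

Running it prints a REJECT for hostile.egg and shows the unsafe writer producing "Looks normal INJECTED" while the safe writer keeps the command substitution as text. The check is deliberately coarse: it flags any metacharacter anywhere in the file, including inside Scheme comments, because a false positive only costs a human a glance at the egg, whereas a miss lets a hostile egg reach every user who installs it.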