
Roundup: [oss-security] CVE request for unchecked size argument in malloc() in CHICKEN Scheme

Open grahamc opened this issue 7 years ago • 0 comments

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.


Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123


Upon Completion ...

  • [ ] Update Graham's database

Info

Triage Indicator:

-needs-triage +roundup27 thread:00000000000041d5
  • File Search: https://search.nix.gsc.io/?q=chicken&i=fosho&repos=nixos-nixpkgs
  • GitHub Search: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=chicken+in%3Apath&type=Code

Should the search term be changed from chicken? Suggest a new package search by commenting:

-suggested:chicken +suggested:correctPackageName thread:00000000000041d5

Known CVEs: CVE-2017-6949



Wed, 15 Mar 2017 23:47:49 +0100 Peter Bex <peter-at-more-magic.net>, [email protected]
Hello all,

I'd like to request a CVE for an unchecked malloc() argument in
CHICKEN Scheme's SRFI-4 vector constructors, when allocating the
vector in unmanaged memory.  Due to the missing range check, this
could result in negative or too small size allocations, which would
result in a crash or a buffer overrun, depending on the size.

This issue affects all current releases of CHICKEN Scheme, including
the latest release, 4.12.0.

The official announcement was made here:
http://lists.gnu.org/archive/html/chicken-announce/2017-03/msg00000.html

Cheers,
Peter Bex
signature.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJYycSVAAoJEBEdufnLRYmwdcYH/RSZnyoOEv8jjhdFi0hy5udT
zV2Sn08UbKdIbJDZeTFU5r22DJUo69KS23VO/uRG5RQuJXOU/S2TnEFWQFEHD879
C68MPpGhzDgB0I0UBZy/dCbl4PydZBDGfHa8KFeTM/EaMRjUuHTrXk5OBmMspB/U
Is7xqpr7c8WJBpxEG9l5fGWnEcNZHodemt9cAdGTuTjLGY+3J9zxe1Dhxt9tuJQy
bKpzK1Smysp90RyJ46GhItir+cf4Whc4YqBfSHJVucf5ZRvTPFjNuIdKYy9q7LlV
7xD+dXQDFiEC2bD9nDBF1/lA7J3+eQvqKBnn/ltIxpQw9jpI5e5n7WDcrfsu80c=
=U8I3
-----END PGP SIGNATURE-----
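
As an added illustration of the defect class Peter describes (this is constructed example code, not CHICKEN's own SRFI-4 implementation and not part of the thread): a constructor that takes a signed length, multiplies it by the element size and hands the result straight to malloc(), next to a hardened form that rejects negative lengths and products that would wrap around size_t before any allocation happens. The element size, the function names and the return conventions are assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed assumption: a u32vector element is 4 bytes wide. */
#define U32_ELEM_SIZE ((size_t)4)

/* Byte count an unchecked constructor would pass to malloc().
 * A negative length converts to a huge size_t, and a large positive
 * length wraps the multiplication to a small value; either way the
 * allocation no longer matches the vector length the caller expects. */
size_t unchecked_alloc_size(long length, size_t elem_size)
{
    return (size_t)length * elem_size;
}

/* Hardened form: returns 1 and stores the byte count in *out only when
 * the length is non-negative and length * elem_size cannot overflow. */
int checked_alloc_size(long length, size_t elem_size, size_t *out)
{
    if (length < 0 || elem_size == 0)
        return 0;
    if ((size_t)length > SIZE_MAX / elem_size)
        return 0;                       /* product would wrap */
    *out = (size_t)length * elem_size;
    return 1;
}

/* Constructor for a vector in unmanaged (malloc'd) memory that refuses
 * invalid sizes instead of forwarding them. Returns NULL on rejection. */
void *make_u32vector_unmanaged(long length)
{
    size_t bytes;
    if (!checked_alloc_size(length, U32_ELEM_SIZE, &bytes))
        return NULL;
    /* malloc(0) may legally return NULL; request at least one byte so a
     * zero-length vector is distinguishable from a rejected one. */
    return malloc(bytes ? bytes : 1);
}
```

The check against `SIZE_MAX / elem_size` is the piece most often missed: a sign test alone still lets a large positive length wrap the multiplication and yield an undersized buffer, which is exactly the "too small size" case the report mentions.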



Wed, 15 Mar 2017 17:03:18 -0600 "Don A. Bailey" <donb-at-securitymouse.com>, [email protected]
I find this extremely amusing. 

https://www.securitymouse.com/lms-2014-06-23-7

D

> On Mar 15, 2017, at 4:47 PM, Peter Bex <[email protected]> wrote:
> 
> Hello all,
> 
> I'd like to request a CVE for an unchecked malloc() argument in
> CHICKEN Scheme's SRFI-4 vector constructors, when allocating the
> vector in unmanaged memory.  Due to the missing range check, this
> could result in negative or too small size allocations, which would
> result in a crash or a buffer overrun, depending on the size.
> 
> This issue affects all current releases of CHICKEN Scheme, including
> the latest release, 4.12.0.
> 
> The official announcement was made here:
> http://lists.gnu.org/archive/html/chicken-announce/2017-03/msg00000.html
> 
> Cheers,
> Peter Bex



Thu, 16 Mar 2017 10:31:17 +0100 Adam Maris <amaris-at-redhat.com>, [email protected]
On Wed, 2017-03-15 at 23:47 +0100, Peter Bex wrote:
> Hello all,
> 
> I'd like to request a CVE for an unchecked malloc() argument in
> CHICKEN Scheme's SRFI-4 vector constructors, when allocating the
> vector in unmanaged memory.  Due to the missing range check, this
> could result in negative or too small size allocations, which would
> result in a crash or a buffer overrun, depending on the size.
> 
> This issue affects all current releases of CHICKEN Scheme, including
> the latest release, 4.12.0.
> 
> The official announcement was made here:
> http://lists.gnu.org/archive/html/chicken-announce/2017-03/msg00000.html
> 
> 

Hi Peter,

oss-security mailing is no longer a place for requesting CVEs. Please,
request CVE from MITRE via https://cveform.mitre.org/ or also possibly
from DWF project via http://iwantacve.org/

Thanks!

Best Regards,

-- 
Adam Mariš, Red Hat Product Security
1CCD 3446 0529 81E3 86AF  2D4C 4869 76E7 BEF0 6BC2 



Thu, 16 Mar 2017 11:08:21 +0100 Peter Bex <peter-at-more-magic.net>, [email protected]
On Thu, Mar 16, 2017 at 10:31:17AM +0100, Adam Maris wrote:
> Hi Peter,
> 
> oss-security mailing is no longer a place for requesting CVEs. Please,
> request CVE from MITRE via https://cveform.mitre.org/ or also possibly
> from DWF project via http://iwantacve.org/

Oh yeah, I forgot about that.  I've filled out the form, and I hope I've
done this correctly.

Cheers,
Peter
signature.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJYymQVAAoJEBEdufnLRYmwMwMH/3Y10qS8/SILb4BvlVe5TobR
pnudR6Ihn2JplriNChzuw5rYg7IgEX++eRd2SRe9JpiBDa6hUiSa7rcaIxwWVJhq
s/c8r17eSpgaoaQroIL36IKMLN9a9RDafZzVQbaWd2qWUaRezoTouBlUtowrl89s
jwYCIkgrY9e5rgKPesxaZMbzwclW5HE6bWhsUwaXO23na2Fq7uL9Pc4mVi8dmI6E
OTwWqll5c62n2Z/B3iICtoJnViPQ5RvgtcyWW/nZ87/zsNGClc014681hTvkyRHF
J04iQl1szzNkYvMkAvoAxOjotMKywij1ygH+ex5dNogcHGrF+pZjon3OVIR8lWM=
=TPo8
-----END PGP SIGNATURE-----



Thu, 16 Mar 2017 13:17:13 +0100 Peter Korsgaard <peter-at-korsgaard.com>, [email protected]
>>>>> "Peter" == Peter Bex <[email protected]> writes:

 > On Thu, Mar 16, 2017 at 10:31:17AM +0100, Adam Maris wrote:
 >> Hi Peter,
 >> 
 >> oss-security mailing is no longer a place for requesting CVEs. Please,
 >> request CVE from MITRE via https://cveform.mitre.org/ or also possibly
 >> from DWF project via http://iwantacve.org/

 > Oh yeah, I forgot about that.  I've filled out the form, and I hope I've
 > done this correctly.

Please don't forget to forward the form details to this list once a CVE
has been assigned. Thanks.

-- 
Bye, Peter Korsgaard



Thu, 16 Mar 2017 17:34:21 +0100 Peter Bex <peter-at-more-magic.net>, [email protected]
On Thu, Mar 16, 2017 at 01:17:13PM +0100, Peter Korsgaard wrote:
> >>>>> "Peter" == Peter Bex <[email protected]> writes:
> 
>  > On Thu, Mar 16, 2017 at 10:31:17AM +0100, Adam Maris wrote:
>  >> Hi Peter,
>  >> 
>  >> oss-security mailing is no longer a place for requesting CVEs. Please,
>  >> request CVE from MITRE via https://cveform.mitre.org/ or also possibly
>  >> from DWF project via http://iwantacve.org/
> 
>  > Oh yeah, I forgot about that.  I've filled out the form, and I hope I've
>  > done this correctly.
> 
> Please don't forget to forward the form details to this list once a CVE
> has been assigned. Thanks.

This was assigned CVE-2017-6949.  The form details were in my original
mail, but I'll include them here again, though I must say fiddling around
with e-mail to forward it is much much more inconvenient than how it used
to work:

> [Suggested description]
> An issue was discovered in CHICKEN Scheme through 4.12.0.
> When using a nonstandard CHICKEN-specific extension to allocate an
> SRFI-4 vector in unmanaged memory, the vector size would be used in
> unsanitised form as an argument to malloc(). With an unexpected size,
> the impact may have been a segfault or buffer overflow.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Buffer Overflow
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> Affected: All versions up to and including 4.12.0.  No fixed versions released yet
> 
> ------------------------------------------
> 
> [Affected Component]
> All SRFI-4 vector constructor functions in CHICKEN Scheme
> 
> ------------------------------------------
> 
> [Attack Type]
> Context-dependent
> 
> ------------------------------------------
> 
> [Impact Code execution]
> true
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> When using a nonstandard CHICKEN-specific extension to allocate a
> SRFI-4 vector in unmanaged memory, the vector size would be used in
> unsanitised form as argument to malloc().
> 
> ------------------------------------------
> 
> [Reference]
> http://lists.gnu.org/archive/html/chicken-announce/2017-03/msg00000.html
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Discoverer]
> Lemonboy
signature.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJYyr6NAAoJEBEdufnLRYmwBW4H/3j/hV2xR+8g6lmKF9iyixOV
KuJVi89in7J90oM4KxZMRf5sPnPuvtUhno06wylnF6aqZbN4cVw46NzITkaBrlKl
VUGxIsYr3mRcOlG+6WDVo/IdK8CQP8e9tSZ9mQBlivKiPJjZSyz4OWUeiHt09kIp
BnWDMrO/2QlunSzTMjYipI6mJl4nw/Rv3OaTvRMSgaoTWk0Uway8TmWgbm+FmPo2
j+94tJGPgotN9qDhAD9cX4pQz0BB3hJKUUwupEA54e8tg3k6YMGX/KHlrPkVfKKH
bGLeWsr7ha/5ttmsOvkFVBdFtES24nqI6e1GRCAuKWOwom9CxONjV+fLzlA6j1g=
=gRq8
-----END PGP SIGNATURE-----



Thu, 16 Mar 2017 22:15:11 +0100 Peter Korsgaard <peter-at-korsgaard.com>, [email protected]
>>>>> "Peter" == Peter Bex <[email protected]> writes:

 > On Thu, Mar 16, 2017 at 01:17:13PM +0100, Peter Korsgaard wrote:
 >> >>>>> "Peter" == Peter Bex <[email protected]> writes:
 >> 
 >> > On Thu, Mar 16, 2017 at 10:31:17AM +0100, Adam Maris wrote:
 >> >> Hi Peter,
 >> >> 
 >> >> oss-security mailing is no longer a place for requesting CVEs. Please,
 >> >> request CVE from MITRE via https://cveform.mitre.org/ or also possibly
 >> >> from DWF project via http://iwantacve.org/
 >> 
 >> > Oh yeah, I forgot about that.  I've filled out the form, and I hope I've
 >> > done this correctly.
 >> 
 >> Please don't forget to forward the form details to this list once a CVE
 >> has been assigned. Thanks.

 > This was assigned CVE-2017-6949.  The form details were in my original
 > mail, but I'll include them here again, though I must say fiddling around
 > with e-mail to forward it is much much more inconvenient than how it used
 > to work:

Thanks, and yes - I agree. The longer term plan is afaik that this
should happen automatically by the MITRE system.

-- 
Bye, Peter Korsgaard



grahamc avatar Mar 25 '17 14:03 grahamc