Out-Of-Bounds access vulnerability
At SonarSource, we are equally driven by studying and understanding real-world vulnerabilities and by helping the open-source community secure their projects. For this reason, we are contacting you regarding a vulnerability in Squirrel Script we found when collaborating with an external researcher, Niklas Breitfeld.
We have detected and verified an Out-Of-Bounds access in Squirrel that we would like to responsibly disclose to help protect users. Please find attached our detailed advisory with the vulnerable code lines, steps to reproduce the issue, and our suggestions regarding its remediation. We will be happy to participate in the patch review process. Unfortunately, an email with vulnerability details bounced. Could you let us know an appropriate email to send vulnerability details to?
GitHub now offers a Security Advisories feature, where we will be able to privately discuss this report, review the patches and automatically assign a CVE identifier during the publication step. If you choose this option, please invite our GitHub accounts @simon-scannell-sonarsource and @brymko to the draft.
If there is to be a Squirrel responsible-disclosure group, may I @pdh11 be added? Here at Electric Imp (now part of Twilio) we have real customers using the Squirrel interpreter in IoT devices and in the cloud, and potential sandbox escapes are obviously of some concern to us. (We've upstreamed fixes for a few previous issues ourselves.) Even information about this one vulnerability would be useful to us, and obviously we'd keep it embargoed as per the Squirrel project's wishes.
You can contact me with the details at "alberto AT squirrel-lang DOT org".
Hi,
I have disclosed the details to @albertodemichelis' email stated above. We are happy to share the details with you @pdh11, given @albertodemichelis' consent.
Thank you!