Date: Wed, 10 Sep 2014 12:47:25 +0200 From: Moritz Heidkamp <moritz.heidkamp@...uta.com> To: oss-security@...ts.openwall.com Subject: CVE request for select() buffer overrun in CHICKEN Scheme on the Android platform Hello, I would like to request a CVE for a select() buffer overrun vulnerability in CHICKEN Scheme on the Android platform. This is basically the same issue as CVE-2012-6122 , thus the same workaround applies: Set the maximum number of open files ulimit to a value lower than or equal to FD_SETSIZE. Alternatively, apply the patch that fixes the issue (see below). Since the Android platform target was added fairly recently, the only affected release versions are 4.9.0 and 220.127.116.11. The issue is fixed by switching to POSIX poll() on Android, too. This fix will be included in the upcoming release versions 18.104.22.168, 4.9.1, 4.10.0, and 5.0. For the official announcement, see http://lists.nongnu.org/archive/html/chicken-users/2014-08/msg00055.html The patch on the discussion list is http://lists.nongnu.org/archive/html/chicken-hackers/2014-08/msg00017.html and it got applied as http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=bbf5c1d5839970c17b37406155180853c325c710 A patch which changes the default to be POSIX poll() so that platforms added in the future will be more likely not to be affected by this issue is being discussed at http://lists.nongnu.org/archive/html/chicken-hackers/2014-08/msg00019.html Regards Moritz  Original announcement: http://lists.nongnu.org/archive/html/chicken-users/2012-06/msg00031.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ