Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Oct 2016 15:56:11 +0200
From: ludo@....org (Ludovic Courtès)
To: oss-security@...ts.openwall.com
Cc: Christopher Allan Webber <cwebber@...tycloud.org>, Andy Wingo <wingo@...ox.com>, Mark H Weaver <mhw@...ris.org>
Subject: CVE request: GNU Guile <= 2.0.12: REPL server
 vulnerable to HTTP inter-protocol attacks

GNU Guile, an implementation of the Scheme language, provides a “REPL
server” which is a command prompt that developers can connect to for
live coding and debugging purposes.  The REPL server is started by the
‘--listen’ command-line option or equivalent API.

Christopher Allan Webber reported that the REPL server is vulnerable to
the HTTP inter-protocol attack as described at
<https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the
HTML form protocol attack described at
<https://www.jochentopf.com/hfpa/hfpa.pdf>.

This constitutes a remote code execution vulnerability for developers
running a REPL server that listens on a loopback device or private
network.  Applications that do not run a REPL server, as is usually the
case, are unaffected.

Developers can work around this vulnerability by binding the REPL server
to a Unix-domain socket, for instance by running:

  guile --listen=/some/file

A modification to the REPL server that detects attempts to exploit this
vulnerability is available upstream and will be part of Guile 2.0.13, to
be released shortly.

Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ