Date: Thu, 7 Feb 2013 09:49:10 +0100
From: Peter Bex <Peter.Bex@...all.nl>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Re: A small backlog of vulnerabilities in Chicken Scheme

On Wed, Feb 06, 2013 at 07:29:10PM -0700, Kurt Seifried wrote:
> Sorry for the delay, it's been a crazy couple of weeks.

No problem. Thanks for all your efforts!

> On 02/02/2013 06:59 AM, Peter Bex wrote:
> > I'd like to request CVEs for the currently known security bugs:
> >
> > * POSIX select() buffer overrun, fixed in Chicken 4.8.2
> >   (development snapshot) by switching to POSIX poll() on platforms
> >   where supported. This is also fixed in 22.214.171.124 (stability
> >   release).
>
> Can you list the versions released that included the broken and
> correct patch? thanks.

The preliminary patch was correct but not portable (so not broken in
the sense of being vulnerable). Because of portability problems it was
never committed. I decided to include the link to the other patch for
completeness, and for reference (useful for people reading the CVE and
studying the bug's history). Sorry if this caused some confusion.

The correct patch was committed and ended up in stable release
126.96.36.199 and development snapshot 4.8.2. Effectively this means
that 4.8.0 and earlier is vulnerable, plus the development snapshot
4.8.1 (but *not* 188.8.131.52 - the fix was pulled up into our
stability branch).

Maybe it helps if I explain our current versioning scheme. Our stable
releases end in a zero (ex: 4.7.0, 4.8.0). We periodically release
stability patchlevel upgrades, which end up as minor version suffixes.
This means that 4.8.0 is stable, followed by 184.108.40.206,
220.127.116.11 etc. While working on the next major release (which
will be 4.9.0), snapshots are built which will have minor versions
like 4.8.1, 4.8.2 etc. The 4.8.0.n versions contain only bugfixes that
went into 4.8.x snapshots which were deemed important enough to pull
up into the minor stable release cycle.

> > * Vulnerability to algorithmic complexity attacks due to hash
> >   table collisions. Fixed in 4.8.0. First public confirmation of the
> >   issue, with preliminary (broken) patch:
> >   http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00002.html
> >
> >   Proper fix:
> >   http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00020.html
>
> Can you list the versions released that included the broken and
> correct patch? thanks.

No versions contained the preliminary patch, it was made available for
testing only. I also included this one for reference. I'll try to make
this clearer the next time.

The correct patch ended up in snapshot 4.7.4 and, thus, in stable
release 4.8.0; this means that anything before 4.7.4 is vulnerable.

> > Finally, how do CVE entries in MITRE and/or the NVD get updated? I
> > couldn't find anything about this in the FAQ.

I would still appreciate an answer to this question.

Cheers,
Peter
--
http://sjamaan.ath.cx