Date: Mon, 12 Jan 2015 17:44:37 +0100
From: Moritz Heidkamp <>
To: oss-security <>
Subject: CVE request for buffer overrun in CHICKEN Scheme's substring-index[-ci] procedures


I would like to request a CVE for a buffer overrun vulnerability in
CHICKEN Scheme's substring-index[-ci] procedures. This overrun is only
triggered when an integer greater than zero is passed as the optional
START argument. As a work-around users are advised to switch to the
equivalent string-contains procedure from SRFI 13 which is also shipped

All releases of CHICKEN up until are affected.

The issue is fixed by the patch at This
fix will be included in the upcoming release versions, 4.9.1,
4.10.0, and 5.0.

The patch on the discussion list is
and it got applied as;a=commit;h=25db851b902606741b1a520bd7e4a3fbd12c9b2a

For the official announcement, see

bevuta IT GmbH - professional IT solutions
Marktstrasse 10 | | HRB 62476 AG Cologne
D-50968 Cologne | Tel.: +49 221 282678-0 | CEO: Pablo Beyen
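As an added illustration (not CHICKEN's code, and not a reconstruction of the actual defect), the check a substring search with a START offset needs: an offset outside the haystack, or a needle longer than what remains after it, returns "not found" instead of scanning past the buffer. The `ci` flag stands in for the -ci variant; the function and its names are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Compare n bytes of a and b, optionally case-insensitively. */
static int bytes_equal(const char *a, const char *b, size_t n, int ci)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char x = (unsigned char)a[i], y = (unsigned char)b[i];
        if (ci) { x = (unsigned char)tolower(x); y = (unsigned char)tolower(y); }
        if (x != y) return 0;
    }
    return 1;
}

/* Index of the first occurrence of `which` in `where` at or after `start`,
 * or -1 if none. Argument order follows CHICKEN's substring-index
 * (needle first, haystack second, then START); `ci` selects case folding. */
long substring_index_checked(const char *which, const char *where, long start, int ci)
{
    size_t wlen = strlen(where), nlen = strlen(which);
    /* START must lie within [0, strlen(where)]; anything else is rejected
     * up front rather than used as a raw offset into the buffer. */
    if (start < 0 || (size_t)start > wlen) return -1;
    /* Subtract only after the check above, so this cannot wrap. */
    if (nlen > wlen - (size_t)start) return -1;
    for (size_t i = (size_t)start; i + nlen <= wlen; i++)
        if (bytes_equal(where + i, which, nlen, ci)) return (long)i;
    return -1;
}
```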

