Date: Tue, 11 Oct 2016 15:56:11 +0200
From: ludo@....org (Ludovic Courtès)
To: oss-security@...ts.openwall.com
Cc: Christopher Allan Webber <cwebber@...tycloud.org>, Andy Wingo <wingo@...ox.com>, Mark H Weaver <mhw@...ris.org>
Subject: CVE request: GNU Guile <= 2.0.12: REPL server vulnerable to HTTP inter-protocol attacks

GNU Guile, an implementation of the Scheme language, provides a “REPL
server” which is a command prompt that developers can connect to for
live coding and debugging purposes.  The REPL server is started by the
‘--listen’ command-line option or equivalent API.

Christopher Allan Webber reported that the REPL server is vulnerable to
the HTTP inter-protocol attack as described at
<https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the
HTML form protocol attack described at
<https://www.jochentopf.com/hfpa/hfpa.pdf>.

This constitutes a remote code execution vulnerability for developers
running a REPL server that listens on a loopback device or private
network.  Applications that do not run a REPL server, as is usually the
case, are unaffected.

Developers can work around this vulnerability by binding the REPL server
to a Unix-domain socket, for instance by running:

  guile --listen=/some/file

A modification to the REPL server that detects attempts to exploit this
vulnerability is available upstream and will be part of Guile 2.0.13, to
be released shortly.

Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03
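To make the attack concrete, here is an added example that is neither Guile's code nor the upstream patch: a toy line-oriented REPL in Python, a constructed copy of the request a browser sends when a hostile page auto-submits an HTML form (enctype text/plain) at the REPL port, and the request-line check a hardened server can apply before reading input. The port 37146, the tiny arithmetic evaluator, the sample request and all function names are assumptions of this example; the real REPL evaluates Scheme, so the datum that reaches it would be arbitrary code rather than `(* 6 7)`.

```python
"""HTML form protocol attack against a line-oriented REPL, and a guard.

Added example, not Guile's code. A REPL server reads input line by line
and evaluates whatever parses; it has no notion of HTTP. A browser can be
made to POST to it, and the POST body is attacker-controlled text.
"""
import re

# Constructed sample: what a browser sends for
#   <form method="POST" action="http://127.0.0.1:37146/" enctype="text/plain">
# with one text field whose *name* is the payload. With text/plain encoding
# each field is sent as "name=value\r\n" with no percent-encoding, so the
# payload arrives at the start of its own line. (Port 37146 is assumed.)
ATTACK_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 127.0.0.1:37146\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 14\r\n"
    b"\r\n"
    b"(* 6 7)=1234\r\n"
)


def read_datum(line: str):
    """Return the first balanced parenthesised datum on a line, like a
    Lisp reader would; None if the line does not start with one.
    The trailing '=1234' left over from the form encoding is simply
    ignored here, as a real reader would leave it for the next read."""
    line = line.strip()
    if not line.startswith("("):
        return None
    depth = 0
    for i, ch in enumerate(line):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return line[: i + 1]
    return None


def evaluate(expr: str):
    """Toy evaluator for prefix arithmetic, standing in for the real REPL."""
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()

    def parse(pos):
        tok = tokens[pos]
        if tok == "(":
            items, pos = [], pos + 1
            while tokens[pos] != ")":
                item, pos = parse(pos)
                items.append(item)
            return items, pos + 1
        return (int(tok) if tok.lstrip("-").isdigit() else tok), pos + 1

    ops = {"+": lambda a, b: a + b, "-": lambda a, b: a - b,
           "*": lambda a, b: a * b}

    def ev(node):
        if not isinstance(node, list):
            return node
        op, *args = node
        vals = [ev(a) for a in args]
        result = vals[0]
        for v in vals[1:]:
            result = ops[op](result, v)
        return result

    tree, _ = parse(0)
    return ev(tree)


def naive_repl(raw: bytes) -> list:
    """Vulnerable behaviour: every line goes to the reader. The request
    line and headers fail to parse (a real REPL prints an error and keeps
    going); the body line parses and is evaluated."""
    results = []
    for line in raw.decode("latin-1").split("\r\n"):
        datum = read_datum(line)
        if datum is not None:
            results.append(evaluate(datum))
    return results


# An HTTP request line is "METHOD SP target SP HTTP/1.x"; no legitimate
# REPL client starts a session with anything shaped like that.
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def looks_like_http_request(first_line: bytes) -> bool:
    return HTTP_REQUEST_LINE.match(first_line) is not None


def guarded_repl(raw: bytes):
    """Hardened behaviour: inspect the first line before evaluating
    anything and drop the connection if it is an HTTP request."""
    first, _, _ = raw.partition(b"\r\n")
    if looks_like_http_request(first):
        return None  # refuse the session; nothing is evaluated
    return naive_repl(raw)


if __name__ == "__main__":
    print("naive REPL evaluated:", naive_repl(ATTACK_REQUEST))
    print("guarded REPL result:", guarded_repl(ATTACK_REQUEST))
    print("guarded REPL, real client:", guarded_repl(b"(+ 1 2)\r\n"))
```

The check is only as good as the assumption that the hostile traffic begins with an HTTP request line; it does not help when the REPL is reachable by something other than a browser, which is why the advisory's Unix-domain socket workaround is the stronger option where it is usable.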
