Date: Tue, 11 Oct 2016 15:56:11 +0200 From: ludo@....org (Ludovic Courtès) To: oss-security@...ts.openwall.com Cc: Christopher Allan Webber <cwebber@...tycloud.org>, Andy Wingo <wingo@...ox.com>, Mark H Weaver <mhw@...ris.org> Subject: CVE request: GNU Guile <= 2.0.12: REPL server vulnerable to HTTP inter-protocol attacks GNU Guile, an implementation of the Scheme language, provides a “REPL server” which is a command prompt that developers can connect to for live coding and debugging purposes. The REPL server is started by the ‘--listen’ command-line option or equivalent API. Christopher Allan Webber reported that the REPL server is vulnerable to the HTTP inter-protocol attack as described at <https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the HTML form protocol attack described at <https://www.jochentopf.com/hfpa/hfpa.pdf>. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network. Applications that do not run a REPL server, as is usually the case, are unaffected. Developers can work around this vulnerability by binding the REPL server to a Unix-domain socket, for instance by running: guile --listen=/some/file A modification to the REPL server that detects attempts to exploit this vulnerability is available upstream and will be part of Guile 2.0.13, to be released shortly. Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.