
Re: chicken security update for Wheezy LTS



2016-09-28 13:56 GMT+02:00 Bálint Réczey <balint@balintreczey.hu>:
> Hi,
>
> I have prepared an update for chicken in Wheezy.
>
> Please see the diff to previous version:
> https://people.debian.org/~rbalint/ppa/wheezy-lts/chicken_4.7.0-1+deb7u1.patch.gz
>
> Changes:
>  chicken (4.7.0-1+deb7u1) wheezy-security; urgency=medium
>  .
>    * LTS Team upload
>    * Don't overflow statically allocated arrays in process-execute
>      (CVE-2016-6830)
>    * Stop leaking memory in process-execute when the process arguments
>      or environment variables are not strings (CVE-2016-6831)
>
> If no one objects I will upload the fix on 30 Sept.
>
> The first vulnerability can be easily triggered using the following
> command:
>
> $ echo '(use posix) (use srfi-1) (process-execute "/bin/echo" (map ->string (iota 8500)))' | csi

The binary packages for amd64 are also available for testing here:

deb https://people.debian.org/~rbalint/ppa/wheezy-lts UNRELEASED/

Cheers,
Balint
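
One way to avoid the two bug classes named in the changelog above, as an added example that is not part of the original mail and is not the CHICKEN patch: the argument vector is sized to the real argument count rather than a fixed static array, and copies already made are released when a non-string argument is rejected. `value_t`, `build_argv`, `free_argv` and `live_copies` are hypothetical names, and the input is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a dynamically typed argument; only strings are valid. */
typedef struct { int is_string; const char *text; } value_t;
size_t live_copies = 0; /* outstanding string copies, to make leaks visible */

/* Release the first n copied strings, then the vector itself. */
void free_argv(char **argv, size_t n) {
    for (size_t i = 0; argv != NULL && i < n; i++) { free(argv[i]); live_copies--; }
    free(argv);
}

/* Build a NULL-terminated argv sized to the real argument count. On a non-string
   argument or allocation failure, free every copy made so far and return NULL. */
char **build_argv(const value_t *args, size_t count) {
    if (count > SIZE_MAX / sizeof(char *) - 1) return NULL; /* size overflow */
    char **argv = calloc(count + 1, sizeof(char *));
    if (argv == NULL) return NULL;
    for (size_t i = 0; i < count; i++) {
        char *copy = NULL;
        if (args[i].is_string && args[i].text != NULL) {
            size_t len = strlen(args[i].text) + 1;
            copy = malloc(len);
            if (copy != NULL) memcpy(copy, args[i].text, len);
        }
        if (copy == NULL) { free_argv(argv, i); return NULL; }
        argv[i] = copy;
        live_copies++;
    }
    return argv;
}

int main(void) {
    enum { N = 8500 }; /* constructed input: same count as the quoted command */
    static char text[N][24]; static value_t args[N];
    for (size_t i = 0; i < N; i++) {
        snprintf(text[i], sizeof text[i], "%zu", i);
        args[i] = (value_t){ 1, text[i] };
    }
    char **argv = build_argv(args, N);
    printf("built: %s, last=%s\n", argv ? "yes" : "no", argv ? argv[N - 1] : "-");
    free_argv(argv, N);
    args[4000].is_string = 0; /* one non-string argument in the middle */
    char **bad = build_argv(args, N);
    printf("rejected: %s, outstanding=%zu\n", bad ? "no" : "yes", live_copies);
}
```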

