chicken security update for Wheezy LTS



Hi,

I have prepared an update for chicken in Wheezy.

Please see the diff to previous version:
https://people.debian.org/~rbalint/ppa/wheezy-lts/chicken_4.7.0-1+deb7u1.patch.gz

Changes:
 chicken (4.7.0-1+deb7u1) wheezy-security; urgency=medium
 .
   * LTS Team upload
   * Don't overflow statically allocated arrays in process-execute
     (CVE-2016-6830)
   * Stop leaking memory in process-execute when the process arguments
     or environment variables are not strings (CVE-2016-6831)

If no one objects I will upload the fix on 30 Sept.

The first vulnerability can be easily triggered using the following
command:

$ echo '(use posix) (use srfi-1) (process-execute "/bin/echo" (map ->string (iota 8500)))' | csi

Cheers,
Balint
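
The two fixes named in the changelog above, sketched in C as an added example (not part of the original message and not CHICKEN's or the patch's code): the argument count is checked before anything is written to a fixed-size table, and copies already made are released when a later argument turns out not to be a string. `MAX_ARGS`, `struct val`, `build_args` and `try_args` are hypothetical names, and the capacity of 256 is an assumed value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 256                             /* assumed capacity of the fixed table */
struct val { int is_string; const char *str; };  /* hypothetical stand-in for a Scheme object */
static char *exec_args[MAX_ARGS + 1];            /* +1 keeps room for the NULL terminator */
static int live_allocs;                          /* outstanding copies, for the leak check */

static void free_args(void) {
    for (size_t i = 0; i < MAX_ARGS && exec_args[i]; i++) {
        free(exec_args[i]);
        exec_args[i] = NULL;
        live_allocs--;
    }
}

/* 0 = ok, -1 = too many arguments, -2 = non-string argument or out of memory.
   On any error no copy stays allocated. */
int build_args(const struct val *vals, size_t count) {
    free_args();                          /* drop the table left by a previous call */
    if (count > MAX_ARGS) return -1;      /* bounds check before the first write */
    for (size_t i = 0; i < count; i++) {
        size_t n = vals[i].is_string ? strlen(vals[i].str) + 1 : 0;
        char *copy = n ? malloc(n) : NULL;
        if (!copy) {
            free_args();                  /* release the copies made so far */
            return -2;
        }
        memcpy(copy, vals[i].str, n);
        exec_args[i] = copy;
        live_allocs++;
    }
    return 0;
}

/* Constructed input: n arguments "x"; element `bad` (if < n) is not a string. */
int try_args(size_t n, size_t bad) {
    struct val *v = calloc(n ? n : 1, sizeof *v);
    if (!v) return -3;
    for (size_t i = 0; i < n; i++) { v[i].is_string = (i != bad); v[i].str = "x"; }
    int rc = build_args(v, n);
    free(v);
    return rc;
}

int main(void) {
    printf("%d %d %d\n", try_args(8500, 8500), try_args(3, 3), try_args(3, 1));
    return 0;
}
```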

