SB2016122907 - Buffer overflow in chicken (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) Buffer overflow (CVE-ID: CVE-2016-6830)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The "process-execute" and "process-spawn" procedures in CHICKEN Scheme used fixed-size buffers for holding the arguments and environment variables to use in its execve() call. This would allow user-supplied argument/environment variable lists to trigger a buffer overrun. This affects all releases of CHICKEN up to and including 4.11 (it will be fixed in 4.12 and 5.0, which are not yet released).

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=03620cc2fb3f89f4a42758755775e92c0815524e
• https://git.alpinelinux.org/aports/commit/?id=2b37087c38da0bca5f8f8e7b6595be427e426f6b
• https://git.alpinelinux.org/aports/commit/?id=fdccff09e3ed4ded732b2d22d5d571642ad268bc