SB2019103119 - Multiple vulnerabilities in call-cc Chicken Scheme
Published: October 31, 2019 Updated: August 8, 2020
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2012-6123)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
Chicken before 4.8.0 does not properly handle NUL bytes in certain strings, which allows an attacker to conduct a "poisoned NUL byte attack."
2) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2012-6124)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
A casting error in Chicken before 4.8.0 on 64-bit platforms caused the random number generator to return a constant value. NOTE: the vendor states "This function wasn't used for security purposes (and is advertised as being unsuitable)."
3) Input validation error (CVE-ID: CVE-2012-6125)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Chicken before 4.8.0 is susceptible to algorithmic complexity attacks related to hash table collisions.
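For the NUL-byte issue in item 1 (CVE-2012-6123), the following added example (not code from Chicken or from this bulletin) illustrates the general bug class in C: a length-counted string with an embedded NUL passes a check made on its full contents, is truncated once handed to a C API, and is rejected by a check at the conversion boundary. The `counted_str` type, the function names and the sample string are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length-counted string as a managed runtime stores it (hypothetical type). */
typedef struct { const char *data; size_t len; } counted_str;

/* Check made on the full counted string, as high-level code would do it. */
int has_suffix(counted_str s, const char *suffix)
{
    size_t n = strlen(suffix);
    return s.len >= n && memcmp(s.data + s.len - n, suffix, n) == 0;
}

/* Unchecked conversion: copies every byte and appends a terminator. A C API
   given the result stops reading at the first embedded NUL. */
char *to_cstring_unchecked(counted_str s)
{
    char *out = malloc(s.len + 1);
    if (out == NULL) return NULL;
    memcpy(out, s.data, s.len);
    out[s.len] = '\0';
    return out;
}

/* Checked conversion: refuse any string with a NUL inside its counted
   length, so both sides of the boundary always see the same bytes. */
char *to_cstring_checked(counted_str s)
{
    if (s.len > 0 && memchr(s.data, '\0', s.len) != NULL) return NULL;
    return to_cstring_unchecked(s);
}

int main(void)
{
    /* Constructed sample: 13 counted bytes, NUL at offset 8. */
    counted_str name = { "data.bin\0.txt", 13 };
    char *raw = to_cstring_unchecked(name);
    char *safe = to_cstring_checked(name);

    printf("suffix check on counted string: %d\n", has_suffix(name, ".txt"));
    printf("name as seen by C APIs: %s\n", raw ? raw : "(alloc failed)");
    printf("checked conversion: %s\n", safe ? safe : "rejected");
    free(raw);
    free(safe);
    return 0;
}
```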
Remediation
Install the update from the vendor's website.
References
- http://www.openwall.com/lists/oss-security/2013/02/08/2
- https://access.redhat.com/security/cve/cve-2012-6123
- https://security-tracker.debian.org/tracker/CVE-2012-6123
- https://access.redhat.com/security/cve/cve-2012-6124
- https://lists.nongnu.org/archive/html/chicken-hackers/2012-02/msg00084.html
- https://security-tracker.debian.org/tracker/CVE-2012-6124
- https://access.redhat.com/security/cve/cve-2012-6125
- https://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00002.html
- https://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00020.html
- https://security-tracker.debian.org/tracker/CVE-2012-6125