Re: A small backlog of vulnerabilities in Chicken Scheme

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry for the delay, it's been a crazy couple of weeks.

On 02/02/2013 06:59 AM, Peter Bex wrote:
> Hello all,
>
> Recently a handful of security bugs have been found and fixed in
> the Chicken Scheme compiler (http://www.call-cc.org).  We (the core
> team) have decided we'd like to start using CVE identifiers for the
> benefit of our users and distributions.
>
> I'd like to request CVEs for the currently known security bugs:
>
> * POSIX select() buffer overrun, fixed on in Chicken 4.8.2
> (development snapshot) by switching to POSIX poll() on platforms
> where supported. This is also fixed in 4.8.0.1 (stability
> release).
>
> Original announcement, with workaround (followed by preliminary
> patch): 
> http://lists.nongnu.org/archive/html/chicken-users/2012-06/msg00031.html
Final patch:
> http://lists.nongnu.org/archive/html/chicken-hackers/2012-11/msg00075.html

Can
>
you list the versions released that included the broken and
correct patch? thanks.

> * Poisoned NUL byte injection due to incomplete protection by
> missing checks in some procedures, fixed in Chicken 4.8.0: 
> http://lists.nongnu.org/archive/html/chicken-users/2012-09/msg00004.html
>
>  * Broken randomization procedure on 64-bit platforms (it returned
> a constant value).  This function wasn't used for security
> purposes (and is advertised as being unsuitable), so I'm unsure a
> CVE is needed: 
> http://lists.nongnu.org/archive/html/chicken-hackers/2012-02/msg00084.html
Fixed in 4.8.0.

no problem here, will assign once other Q's are answered.

> * Vulnerability to algorithmic complexity attacks due to hash
> table collisions.  Fixed in 4.8.0. First public confirmation of the
> issue, with preliminary (broken) patch: 
> http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00002.html
Proper fix:
> http://lists.nongnu.org/archive/html/chicken-hackers/2012-01/msg00020.html

Can
>
you list the versions released that included the broken and
correct patch? thanks.

> Please let me know if more info is required or if this is even the 
> proper way to request CVEs.
>
> I'd also like to know if it's possible to get CVE numbers assigned 
> *before* issuing a security advisory, but without immediate full 
> disclosure, so an initial advisory can be complete with CVE
> number.

Yup see the HOWTO. Initially I'll require full info up front to make
sure CVE split/merge is done correct, but this wouldn't go past me,
and if you can't trust me, well, then you go to Mitre I guess =).
Longer term depends on the quality of CVE requests, basically if you
learn to do them right and do them consistently right I'll require
less info/trust you.

> The CVE can be updated afterwards with the link to the advisory
> when it is issued.  This should make it easier for users to find
> information about the bug.  This list's Openwall wiki seems to
> imply that it's only possible to request a CVE for an issue given
> all the information immediately, but a recent message from Kurt
> Seifried in a thread about Jenkins says that it can be done.  If
> it's indeed okay to e-mail Kurt directly, it would be helpful to
> include this in the documentation wiki.
>
> Finally, how do CVE entries in MITRE and/or the NVD get updated? I
> couldn't find anything about this in the FAQ.  For example, if we 
> find and fix a noncritical vulnerability but the fix is rather 
> complicated and needs to be thoroughly tested, the fix might
> appear in a release after CVE and advisory are issued.  How will
> this be reflected in the information once the version in which the
> fix appears is finally known?
>
> Cheers, Peter Bex (on behalf of the Chicken core team)


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRExF2AAoJEBYNRVNeJnmT45cQANPD4gylbfQa5YOX6aMK3fW2
uOC/fveK74HIyE1Yl8R/wUwOUjIl8otDbR4EQHDr/j7lW1tCKeom+307qsbZGL70
7mVijwNP7rlpBXAweCc4D0EIt+ViulDupxhi0XelpYyE5RKMUEUXl7RkXvpsgq+T
AirCqOYWJyA+teN31GeOgscVU52yLswYr8fu7+xuqqwcRayeSVSHSrKSim9ZsLG3
5bUZKdn0qgJ8D6VJlO9AD+DHV+y8pEI4mFGTuh7/RKXlFd0lLnO2bfoIDjmxdKbX
taMaAn+SvrS8W3OnV1WKE/nHLuS77XlpeTssKJgw+ADTnALnwL7BnotL5JFbkaQm
vrQdQqLzOfew1gyDUkugsY8KwXlbbqw45VVB0wYeJDpn5a232/Vv+78F7pzpAeZ7
ZXSpL18V7dp0sJAf9UirKJGxYQLPJIJEyWM7uWlpxjvYyrzzSY1BunLXMRZSk3jp
pkhj8YcwZ80BXV4eSiRSKC0wSga/apjgJVXF4Xtb/63VVJrF/x2RHUuUE1SW93S2
83KShfHTw9vscRfgL13nnd3vYjchlyPH09mLu17WF5DIu/73X4qjnxao6gizWvCZ
t4fehWfNDSFuZ5gTJH2bkpXHZdiEqwGf3oyPQ6xsYNOzqack62o0/IlXTi0DqdUa
HLgqbnum5Ukx1fnJcXgn
=2hwi
-----END PGP SIGNATURE-----