FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

chicken -- buffer overrun in substring-index[-ci]

Affected packages
chicken < 4.10.0.r1,1

Details

VuXML ID e7b7f2b5-177a-11e5-ad33-f8d111029e6a
Discovery 2015-01-12
Entry 2015-06-22
Modified 2015-06-23

chicken developer Moritz Heidkamp reports:

The substring-index[-ci] procedures of the data-structures unit are vulnerable to a buffer overrun attack when passed an integer greater than zero as the optional START argument.

As a work-around you can switch to SRFI 13's string-contains procedure which also returns the substring's index in case it is found.
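The following is an added example of applying that work-around in CHICKEN 4; it is not part of Heidkamp's report or of the CHICKEN code base, and the safe-substring-index names are hypothetical. It assumes the srfi-13 unit is available. One caveat a practitioner wants: string-contains takes the haystack first, which is the reverse of substring-index's argument order, so the wrappers below swap the arguments rather than pass them straight through.

```scheme
;; Added example, not code from the CHICKEN project. Assumes CHICKEN 4.x with
;; the srfi-13 unit available; the safe-* names are hypothetical.
(use srfi-13)

;; Drop-in replacement for (substring-index WHICH WHERE [START]).
;; Argument order is reversed on purpose: substring-index takes the needle
;; (WHICH) first, SRFI 13's string-contains takes the haystack first.
;; string-contains bounds-checks START against WHERE, so an out-of-range START
;; raises an error instead of reading past the end of the string.
(define (safe-substring-index which where #!optional (start 0))
  (string-contains where which start))

;; Case-insensitive variant, replacing substring-index-ci.
(define (safe-substring-index-ci which where #!optional (start 0))
  (string-contains-ci where which start))

;; Self-check on constructed inputs; each case mirrors the documented result of
;; the original procedures: index of the first match at or after START, or #f.
(define (check-replacements)
  (and (eqv? 2 (safe-substring-index "cd" "abcdef"))        ; no START given
       (eqv? 2 (safe-substring-index "cd" "abcdef" 1))      ; START before the match
       (eqv? 4 (safe-substring-index "ab" "ababab" 3))      ; skips matches at 0 and 2
       (not (safe-substring-index "cd" "abcdef" 3))         ; START past the only match
       (eqv? 2 (safe-substring-index-ci "CD" "abcdef" 1)))) ; case-insensitive

(print (if (check-replacements) "ok" "mismatch"))
```

Run it with csi -s on an affected installation to confirm the replacements behave as expected; once the port is updated to 4.10.0.r1,1 or later the original procedures can be used again.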

References

CVE Name CVE-2014-9651
Message http://lists.gnu.org/archive/html/chicken-users/2015-01/msg00048.html
Message http://lists.nongnu.org/archive/html/chicken-hackers/2014-12/txt2UqAS9CtvH.txt