From owner-freebsd-ports-bugs@FreeBSD.ORG Sat Jun 20 19:14:54 2015 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E2E2BD38 for ; Sat, 20 Jun 2015 19:14:54 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id CB511683 for ; Sat, 20 Jun 2015 19:14:54 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.14.9/8.14.9) with ESMTP id t5KJEsXR003189 for ; Sat, 20 Jun 2015 19:14:54 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 200980] lang/chicken: CVE-2015-4556: out-of-bounds read in CHICKEN Scheme's string-translate* procedure Date: Sat, 20 Jun 2015 19:14:54 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: vmagerya@gmail.com X-Bugzilla-Status: New X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-ports-bugs@FreeBSD.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: maintainer-feedback? X-Bugzilla-Changed-Fields: attachments.created Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Jun 2015 19:14:55 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200980 --- Comment #1 from Vitaly Magerya --- Created attachment 157898 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=157898&action=edit chicken-4.10.0rc1.diff Unfortunately it is not as trivial as applying that patch to a previous release: one of the files that patch touches must be translated into C during the build, which requires an installed version of chicken. Normally release tarballs include the generated C file, but if the patch is applied that generated file becomes obsolete, and the build process can not continue. The solution is to use one of the release tarballs. Since chicken 4.10 is not yet released, we could use 4.10.0rc1 for the time being. It's better than nothing. Here's a patch for that, complete with a vuln.xml update. -- You are receiving this mail because: You are the assignee for the bug.