Vulnerability Description
The "process-execute" and "process-spawn" procedures in CHICKEN Scheme used fixed-size buffers for holding the arguments and environment variables to use in its execve() call. This would allow user-supplied argument/environment variable lists to trigger a buffer overrun. This affects all releases of CHICKEN up to and including 4.11 (it will be fixed in 4.12 and 5.0, which are not yet released).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Call-Cc | Chicken | <= 4.11.0 |
Related Weaknesses (CWE)
References
- http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00001.htmlPatchVendor Advisory
- http://www.securityfocus.com/bid/92550Third Party AdvisoryVDB Entry
- http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00001.htmlPatchVendor Advisory
- http://www.securityfocus.com/bid/92550Third Party AdvisoryVDB Entry
FAQ
What is CVE-2016-6830?
CVE-2016-6830 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The "process-execute" and "process-spawn" procedures in CHICKEN Scheme used fixed-size buffers for holding the arguments and environment variables to use in its execve() call. This would allow user-su...
How severe is CVE-2016-6830?
CVE-2016-6830 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-6830?
Check the references section above for vendor advisories and patch information. Affected products include: Call-Cc Chicken.