[Chicken-announce] [SECURITY] Untrusted startup file inclusion


From: Peter Bex
Subject: [Chicken-announce] [SECURITY] Untrusted startup file inclusion
Date: Tue, 19 Mar 2013 17:51:48 +0100
User-agent: Mutt/1.4.2.3i

Hello Chicken users,

A problem was detected in the way the Chicken Scheme Interpreter (csi)
reads its startup files.  Normally it will read ~/.csirc, but when a
file named .csirc is found in the current working directory, it will
be loaded instead, regardless of who placed the file there.

This allows a local attacker to cause arbitrary code to be executed when
csi is started from a directory which the attacker has write access to.

There are a few workarounds:

- You can compile often-used scripts, as it is only the interpreter which
   loads these files.
- Your scripts can be modified to invoke csi safely, with the -n switch
   (which causes csi to skip loading the startup file).  The "csi" binary
   can also be replaced by an alias or shell script which invokes the
   original csi with -n, always.
- Avoid executing csi or Chicken scripts from directories to which others
   have write access.

You can also update to master c6750af99ada7fa4815ee834e4e705bcfac9c137 or
later, or apply the patch from the following mail:
http://lists.nongnu.org/archive/html/chicken-hackers/2013-03/msg00074.html

This fix will make it into Chicken 4.8.0.4, which will hopefully be released
shortly, pending a few other issues.

Kind regards,
The Chicken Team
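
The wrapper workaround described above, as an added example that is not part of the original announcement or the Chicken project's code: it always invokes csi with -n and reports why the current directory is risky. CSI_BIN, csirc_risk and safe_csi are hypothetical names, and the default interpreter path is an assumption.

```shell
#!/bin/sh
# Added example: wrapper for csi on versions without the fix.
# CSI_BIN is an assumed path to the real interpreter; adjust per system.
CSI_BIN=${CSI_BIN:-/usr/bin/csi}

# Classify how risky it is to start csi in directory $1 (default: cwd).
# Prints one word and returns 0 only for "ok".
csirc_risk() {
    dir=${1:-.}
    # The first 10 characters of ls -ld are file type plus permission bits.
    mode=$(ls -ld -- "$dir" | cut -c1-10)
    # A .csirc that exists but is not owned by the effective user.
    if [ -e "$dir/.csirc" ] && [ ! -O "$dir/.csirc" ]; then
        echo foreign-csirc; return 1
    fi
    # Group-writable (6th character) or world-writable (9th character)
    # directory: someone else can place a .csirc here.
    case $mode in
        ?????w*|????????w*)
            echo shared-dir; return 1 ;;
    esac
    # Our own .csirc in a private directory: still loaded instead of ~/.csirc.
    if [ -e "$dir/.csirc" ]; then
        echo own-csirc; return 1
    fi
    echo ok
}

# Always skip the startup file (-n); warn on stderr when the cwd is risky.
safe_csi() {
    risk=$(csirc_risk .) ||
        echo "csi wrapper: $risk in $(pwd); startup file skipped" >&2
    "$CSI_BIN" -n "$@"
}
```

Installed as a script that ends with `safe_csi "$@"`, or sourced into the shell with an alias for csi, this matches the "always -n" workaround while leaving a trace of where an unexpected .csirc was seen.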