[Chicken-users] [SECURITY] Inconsistent NUL byte handling


From: Peter Bex
Subject: [Chicken-users] [SECURITY] Inconsistent NUL byte handling
Date: Mon, 3 Sep 2012 12:39:48 +0200
User-agent: Mutt/1.4.2.3i

Hello Chicken users,

Recently a vulnerability was found in some of Chicken's string processing
code.  As you know, NUL bytes are representable by Scheme strings, but
not by C strings (where they are treated as terminators).  This mismatch
is properly handled by the FFI by throwing an exception when it finds
embedded NUL bytes.

Most of Chicken's internal code either uses the FFI or the underlying
procedure that performs this check.  However, in a few places this didn't
happen.  Notably the standard R5RS file procedures do not check for
embedded NUL bytes.  The list of affected procedures is as follows:

- From unit "posix":
    * process
    * process-execute
    * process-run
    * get-environment-variable (via C_get_environment_variable)
- From unit "library":
    * system (via C_execute_shell_command)
    * ##sys#message (via C_message)
    * string->number (via C_a_i_string_to_number)
    * ##sys#open-file-port (via C_open_file_port) and its clients:
       - open-input-file
       - open-output-file
       - call-with-input-file and its clients:
           - include
           - load
           - read-file (from "extras")
           - read-all (from "utils")
       - with-input-from-file
       - call-with-output-file and its clients:
           - create-temporary-file (from "files")
       - with-output-to-file

If you are using any of these procedures or the underlying C procedures,
you might be vulnerable to a "poisoned NUL byte attack".  The fix is to
either check manually in your program for embedded NUL bytes or apply
git revision d9f2ad87b42f.  This patch is also available in 4.8.0rc3
(but not rc2!) and will make it into the final 4.8.0 release.
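The following C program is an added illustration of the mismatch the advisory describes and of the manual check it recommends; it is not code from the advisory or from Chicken itself. It assumes a hypothetical length-delimited `lstring` type standing in for a Scheme string, and a hypothetical `to_cstring_checked` wrapper playing the role of the FFI check that refuses strings with embedded NUL bytes before they reach a C API such as `fopen` or `execve`.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>

/* Hypothetical length-delimited string, like a Scheme string: the length is
 * stored explicitly, so a NUL byte is an ordinary character inside it. */
typedef struct {
    const char *data;
    size_t len;
} lstring;

/* Returns 1 if the string contains an embedded NUL byte, else 0.
 * memchr scans the full stored length, so it does not stop at the first NUL
 * the way strlen() would. */
int has_embedded_nul(lstring s) {
    return memchr(s.data, '\0', s.len) != NULL;
}

/* How many bytes a NUL-terminated C API would actually see: everything up to
 * the first NUL. For a poisoned string this is shorter than s.len. */
size_t c_visible_length(lstring s) {
    const char *p = memchr(s.data, '\0', s.len);
    return p ? (size_t)(p - s.data) : s.len;
}

/* Copy s into a NUL-terminated buffer suitable for a C API, refusing any
 * string with an embedded NUL (the check the FFI performs, reproduced here
 * for code paths that bypass it). Returns 0 on success; -1 with errno set to
 * EINVAL for an embedded NUL or ERANGE if the buffer is too small. */
int to_cstring_checked(lstring s, char *out, size_t outsz) {
    if (has_embedded_nul(s)) {
        errno = EINVAL;
        return -1;
    }
    if (s.len + 1 > outsz) {
        errno = ERANGE;
        return -1;
    }
    memcpy(out, s.data, s.len);
    out[s.len] = '\0';
    return 0;
}

int main(void) {
    /* Constructed sample: in the length-delimited view the name is 15 bytes
     * and ends in ".scm"; a C API would stop at index 10 and see "report.txt". */
    static const char raw[] = "report.txt\0.scm";
    lstring poisoned = { raw, sizeof raw - 1 };
    lstring clean = { "report.txt", 10 };
    char buf[32];

    printf("poisoned: embedded NUL=%d, C would see %zu of %zu bytes\n",
           has_embedded_nul(poisoned), c_visible_length(poisoned), poisoned.len);
    if (to_cstring_checked(poisoned, buf, sizeof buf) == -1)
        printf("poisoned: rejected before reaching any C API (errno=%d)\n", errno);

    if (to_cstring_checked(clean, buf, sizeof buf) == 0)
        printf("clean: passed through as \"%s\"\n", buf);
    return 0;
}
```

The key design point is that the check must run on the stored length (`memchr` over `s.len`), not on anything derived from `strlen`, since `strlen` is exactly the function that is fooled by the embedded NUL; the same applies to any Scheme-side check, which should scan the whole string rather than whatever a C conversion returned.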

Finally, ##sys#halt is affected too, but only under Windows in GUI mode.
This is currently unpatched.  ##sys#halt will halt the process,
displaying a message, so abuse of this procedure is extremely unlikely
(it can result in truncated error messages).  After the release, we will
try to come up with a more complete approach to fixing these problems.

Kind regards,
The Chicken Team

References
----------
http://www.phrack.org/issues.html?issue=55&id=7#article
http://www.ouah.org/nullbyte.html
