Re: [Chicken-users] [Chicken-announce] [SECURITY] Incomplete fix for CVE
From: Peter Bex
Subject: Re: [Chicken-users] [Chicken-announce] [SECURITY] Incomplete fix for CVE-2012-6122 (select() fs_set buffer overrun)
Date: Sat, 11 May 2013 12:53:01 +0200
User-agent: Mutt/1.4.2.3i

On Wed, May 08, 2013 at 08:18:21PM +0200, Peter Bex wrote:
> Recently, we fixed a problem related to the use of POSIX select(),
> which was assigned CVE-2012-6122.
> See http://lists.nongnu.org/archive/html/chicken-users/2012-06/msg00031.html
> for more details on the original bug.
>
> We fixed the scheduler, but there remained other places in CHICKEN where
> select() was still in use:
>
[...]
>
> These have now also been rewritten in terms of POSIX poll(), where
> available. This is on all supported platforms except Windows.

This remaining problem has been assigned CVE-2013-2075.

Thanks to Joerg Wittenberger and Florian Zumbiehl for identifying
this problem.

Kind regards,
The CHICKEN Team