Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20161012041104.D4A0552E014@smtpvbsrv1.mitre.org>
Date: Wed, 12 Oct 2016 00:11:04 -0400 (EDT)
From: cve-assign@...re.org
To: ludo@....org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, cwebber@...tycloud.org, wingo@...ox.com, mhw@...ris.org
Subject: Re: CVE request: GNU Guile <= 2.0.12: REPL server vulnerable to HTTP inter-protocol attacks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> GNU Guile, an implementation of the Scheme language, provides a "REPL
> server" which is a command prompt that developers can connect to for
> live coding and debugging purposes. The REPL server is started by the
> '--listen' command-line option or equivalent API.
> 
> Christopher Allan Webber reported that the REPL server is vulnerable to
> the HTTP inter-protocol attack as described at
> <https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the
> HTML form protocol attack described at
> <https://www.jochentopf.com/hfpa/hfpa.pdf>.
> 
> This constitutes a remote code execution vulnerability for developers
> running a REPL server that listens on a loopback device or private
> network. Applications that do not run a REPL server, as is usually the
> case, are unaffected.
> 
> Developers can work around this vulnerability by binding the REPL server
> to a Unix-domain socket, for instance by running:
> 
>   guile --listen=/some/file
> 
> A modification to the REPL server that detects attempts to exploit this
> vulnerability is available upstream and will be part of Guile 2.0.13, to
> be released shortly.
> 
> Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03

>> +;;; Here we add a procedure to 'before-read-hook' that looks for a possible
>> +;;; HTTP request-line in the first line of input from the client socket. If
>> +;;; present, the socket is drained and closed

Use CVE-2016-8606.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX/bZEAAoJEHb/MwWLVhi2ENkQAIyMUaLq9mwR5hvyeoP+4GF0
p5rA477BYUM3KhnHqk7kNmuGb4OjP/mCc+6POvYqwyJOCt3vsYnBfp77dL0VgKgV
Zoabg0kfNFXJFvhWeIE3qwAnI9zMVV/H2S63C9c3KuHsxy8a/6/q5PpznwhcjG+L
AqWlHvSYhNmTtanR8nyRwcchEavatZh8eTXP9ITpFRZ+xuu6XoHwhmlmKE9srIBq
Fun81jQGTN+dPCYcrviqJjW4258328oua0he4gCxKsM/JRLCWxTNtwgmh0EH8hro
uJyb76LNk9RgA64po2qrr3Q2LUN2lpSILci8V9mQhWMvLBtyxSKzrgq0FKuJoxjr
oFauy+LbwXUD0pHjfy9SiOjxEpwP5/jt9tpVoaMdRVjigJ86sm8zOx5d4BmgyPuA
98uYtuCvB+AHblQJh5i9M3rln56rkgopDjR2suKJVSN0t3kHxEPDe1rdgDOGXrxz
5kG/g/a5E92omW9J+4e+GiTj+NMSocrHKPOZGUHSlZl68EL8Fe4wqRHA+I9081dq
XDmtF1mzHQ3tSY+jxhVckFb1IKvReR7JeCKKpsdkQDMIG7BfJsbQoB6IQEsASRtD
PbXFvubj7LHEuTikLQc3qWXSAgzLpioyNVDxcxANdf0mirKXchysbpuv1uviC7Oa
zHs39ZEyvoopDQP8s6ef
=YKYq
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.