From: Peter Bex
Subject: [Chicken-users] [SECURITY] Vulnerability to algorithmic complexity attack due to incorrect randomization of symbol table
Date: Sun, 16 Jul 2017 20:32:03 +0200
User-agent: NeoMutt/20170113 (1.7.2)

Hi all,

It was discovered that our fix for CVE-2012-6125 was incorrect
for the internal Scheme symbol table.

The code that sets up the initial symbol table is run _before_
initializing the PRNG, which means the randomization factor uses
the initial libc seed state. On most libc implementations this
means the symbol table randomization factor is a constant value
which does not differ between runs.

This allows an attacker who is able to create arbitrary symbols
to degrade the hash table's average-case complexity to the worst-case
behaviour of a linear search by ensuring these symbols all hash
to the same hash bucket.

This has been fixed in both the master and chicken-5 branches.
A patch is available here:
http://lists.gnu.org/archive/html/chicken-hackers/2017-06/txtod8Pa1wGU0.txt

There's no good workaround. One option would be to use LD_PRELOAD
with a small library that calls srand() on startup.

This issue affects all released versions of CHICKEN.

Regards,
The CHICKEN Team
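
An added example, not CHICKEN's code or the linked patch: a C model of the start-up ordering flaw described above, with the LD_PRELOAD workaround behind a build flag. The names init_symbol_table, init_prng, startup, entropy_seed and PRELOAD_SHIM are hypothetical. It assumes the factor is drawn with rand() and that preloaded constructors run before the runtime sets up its symbol table.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>

/* Seed from the OS; the time/pid fallback is weak and only a last resort. */
static unsigned int entropy_seed(void)
{
    unsigned int seed = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&seed, sizeof seed, 1, f) != 1)
        seed = (unsigned int)time(NULL) ^ ((unsigned int)getpid() << 16);
    if (f != NULL)
        fclose(f);
    return seed;
}

/* Hypothetical stand-ins for the two start-up steps the advisory names. */
static unsigned int symtab_factor;
static void init_symbol_table(void) { symtab_factor = (unsigned int)rand(); }
static void init_prng(void) { srand(entropy_seed()); }

/* Model one process start and return the symbol table factor it ends up with. */
unsigned int startup(int prng_first)
{
    srand(1); /* ISO C: rand() before any srand() behaves as if srand(1) ran */
    if (prng_first) {
        init_prng();
        init_symbol_table();
    } else {
        init_symbol_table(); /* flawed order: factor drawn from the default state */
        init_prng();
    }
    return symtab_factor;
}

#ifdef PRELOAD_SHIM
/* Workaround build: cc -shared -fPIC -DPRELOAD_SHIM -o seed.so thisfile.c
   then start the program with LD_PRELOAD=./seed.so (GCC/Clang attribute). */
__attribute__((constructor)) static void seed_at_load(void) { srand(entropy_seed()); }
#else
int main(void)
{
    for (int run = 0; run < 3; run++)
        printf("run %d: flawed order %u, PRNG first %u\n",
               run, startup(0), startup(1));
    return 0;
}
#endif
```

Built without the flag, the program prints the same factor for every flawed-order run and a fresh one for each PRNG-first run.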