[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Chicken-announce] [SECURITY] Untrusted startup file inclusion

From: Peter Bex
Subject: [Chicken-announce] [SECURITY] Untrusted startup file inclusion
Date: Tue, 19 Mar 2013 17:51:48 +0100
User-agent: Mutt/

Hello Chicken users,

A problem was detected in the way the Chicken Scheme Interpreter (csi)
reads its startup files.  Normally it will read ~/.csirc, but when a
file named .csirc is found in the current working directory, it will
be loaded instead, regardless of who placed the file there.

This allows a local attacker to cause arbitrary code to be executed when
csi is started from a directory which the attacker has write access to.

There are a few workarounds:

- You can compile often-used scripts as it is only the interpreter which
   loads these files.
- Your scripts can be modified to invoke csi safely, with the -n switch
   (which causes csi to skip loading the startup file).  The "csi" binary
   can also be replaced by an alias or shell script which invokes the
   original csi with -n, always.
- Avoid executing csi or Chicken scripts from directories to which others
   have write access.

You can also update to master c6750af99ada7fa4815ee834e4e705bcfac9c137 or
later, or apply the patch from the following mail:

This fix will make it into Chicken, which will hopefully be released
shortly, pending a few other issues.

Kind regards,
The Chicken Team

reply via email to

[Prev in Thread] Current Thread [Next in Thread]