[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Chicken-announce] Errata for [Chicken-users] [SECURITY] Untrusted start
[Chicken-announce] Errata for [Chicken-users] [SECURITY] Untrusted startup file inclusion
Tue, 19 Mar 2013 19:38:49 +0100
On Tue, Mar 19, 2013 at 05:51:48PM +0100, Peter Bex wrote:
> This allows a local attacker to cause arbitrary code to be executed when
> csi is started from a directory which the attacker has write access to.
Correction: This *only* happens when "csi" is directly executed from this
directory. Scripts are generally invoked with -s, which suppresses
loading of the startup file. -e also suppresses the startup file, so
quickly evaluating an expression will not be a problem either.
> There are a few workarounds:
> - You can compile often-used scripts as it is only the interpreter which
> loads these files.
> - Your scripts can be modified to invoke csi safely, with the -n switch
> (which causes csi to skip loading the startup file). The "csi" binary
> can also be replaced by an alias or shell script which invokes the
> original csi with -n, always.
The above measures are unneccessary. You only have to verify that
scripts are executed using csi -s.
> - Avoid executing csi or Chicken scripts from directories to which others
> have write access.
This is still recommended.
> This fix will make it into Chicken 220.127.116.11, which will hopefully be released
> shortly, pending a few other issues.
This is *not* the case. In the interest of stability, the stability
branch will not include this fix. Chicken 4.9.0 will be the first
stable version to include it.
Finally, we would like to thank Florian Zumbiehl for finding and fixing
the .csirc problem.
The Chicken Team