[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Chicken-announce] [SECURITY] Potential OS command execution during egg

From: felix . winkelmann
Subject: [Chicken-announce] [SECURITY] Potential OS command execution during egg install
Date: Fri, 11 Nov 2022 11:18:24 +0100


Vasilij found a security issue with the way egg-information
files are created during installation of an extension package.
Currently, escape characters in the .egg file may be used to
perform arbitrary OS command injection due to the method the
egg metadata is created and installed in the local egg repository
during the install-stage of an egg.

The issue is fixed in commit a08f8f548d772ef410c672ba33a27108d8d434f3
and has been assigned the CVE identifier CVE-2022-45145, see here
for the patch:;a=commitdiff;h=a08f8f548d772ef410c672ba33a27108d8d434f3;hp=9c6fb001c25de4390f46ffd7c3c94237f4df92a9

All CHICKEN versions from 5.0.0 and later are vulnerable.

Many thanks to Vasilij for reporting the issue and suggesting the
necessary changes to mitigate the problem.

Since all egg-downloads go through our centralized egg-locations file
in SVN, it is highly recommended to verify *.egg files for possible
shell escape characters before including their access information there.

Future Salmonella runs should point out problematic eggs but it may
be prudent to not rely on this, as Salmonella runs and additions
to the egg-locations file are not synchronized.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]