Bugzilla – Bug 1004226
VUL-1: CVE-2016-8606: guile: REPL server vulnerable to HTTP inter-protocol attacks
Last modified: 2016-10-26 20:25:33 UTC
CVE-2016-8606

From: Ludovic Courtès

GNU Guile, an implementation of the Scheme language, provides a “REPL server” which is a command prompt that developers can connect to for live coding and debugging purposes. The REPL server is started by the ‘--listen’ command-line option or equivalent API.

Christopher Allan Webber reported that the REPL server is vulnerable to the HTTP inter-protocol attack as described at <https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the HTML form protocol attack described at <https://www.jochentopf.com/hfpa/hfpa.pdf>.

This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network. Applications that do not run a REPL server, as is usually the case, are unaffected.

Developers can work around this vulnerability by binding the REPL server to a Unix-domain socket, for instance by running:

    guile --listen=/some/file

A modification to the REPL server that detects attempts to exploit this vulnerability is available upstream and will be part of Guile 2.0.13, to be released shortly.

Patch:
http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8606
http://seclists.org/oss-sec/2016/q4/102
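As an added illustration (not Guile's code and not the upstream patch), a Python sketch of the defence the advisory describes: a line-oriented listener that checks whether a connection's opening line is an HTTP request line, which is what a browser relaying an HTML form submission would send, and refuses to evaluate anything if so. The method list, the refusal message and the socketpair-based harness are assumptions; the exact check in Guile's commit is not given on this page.

```python
import re
import socket
import threading

# Constructed example, not Guile's code: a minimal "REPL-like" line server that
# applies the defence the advisory describes for Guile 2.0.13. If the first line
# a client sends is an HTTP request line, the peer is most likely a browser being
# used as a relay (HTML form protocol attack), so nothing is evaluated.

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH", b"TRACE", b"CONNECT")
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d\r?$")

def looks_like_http(first_line):
    """True when the opening line of a connection is an HTTP request line."""
    line = first_line.rstrip(b"\n")
    return line.split(b" ", 1)[0] in HTTP_METHODS and HTTP_REQUEST_LINE.match(line) is not None

def handle_connection(conn):
    """Server side: read the client's opening line and decide whether to proceed."""
    with conn:
        first = conn.makefile("rb").readline()
        if looks_like_http(first):
            conn.sendall(b"HTTP request received on REPL socket; refusing to evaluate.\n")
            return "rejected"
        conn.sendall(b"would evaluate: " + first)  # a real REPL would eval here
        return "accepted"

def probe(first_line):
    """Simulate one connection over a socketpair; return (server verdict, reply bytes)."""
    server_side, client_side = socket.socketpair()
    result = {}
    t = threading.Thread(target=lambda: result.update(verdict=handle_connection(server_side)))
    t.start()
    with client_side:
        client_side.sendall(first_line)
        reply = client_side.makefile("rb").readline()
    t.join()
    return result["verdict"], reply

if __name__ == "__main__":
    print(probe(b"POST /repl HTTP/1.1\r\n"))  # what a relayed form POST opens with
    print(probe(b"(+ 1 2)\n"))                # a legitimate REPL expression
```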
bugbot adjusting priority
Submit request against devel project created: 435742.
Just 13.2/guile affected.
This is an autogenerated message for OBS integration: This bug (1004226) was mentioned in https://build.opensuse.org/request/show/435737 13.2 / guile
I believe all fixed.
release for 13.2, closing
openSUSE-SU-2016:2645-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1004221,1004226
CVE References: CVE-2016-8605,CVE-2016-8606
Sources used:
openSUSE 13.2 (src): guile-2.0.11-3.3.1