Bug 1004226 - (CVE-2016-8606) VUL-1: CVE-2016-8606: guile: REPL server vulnerable to HTTP inter-protocol attacks
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/173479/
Whiteboard: CVSSv2:SUSE:CVE-2016-8606:3.2:(AV:A/A...
Reported: 2016-10-12 09:25 UTC by Johannes Segitz
Modified: 2016-10-26 20:25 UTC

Found By: Security Response Team


Description Johannes Segitz 2016-10-12 09:25:34 UTC
CVE-2016-8606

From: Ludovic Courtès
GNU Guile, an implementation of the Scheme language, provides a “REPL
server” which is a command prompt that developers can connect to for
live coding and debugging purposes.  The REPL server is started by the
‘--listen’ command-line option or equivalent API.

Christopher Allan Webber reported that the REPL server is vulnerable to
the HTTP inter-protocol attack as described at
<https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the
HTML form protocol attack described at
<https://www.jochentopf.com/hfpa/hfpa.pdf>.

This constitutes a remote code execution vulnerability for developers
running a REPL server that listens on a loopback device or private
network.  Applications that do not run a REPL server, as is usually the
case, are unaffected.

Developers can work around this vulnerability by binding the REPL server
to a Unix-domain socket, for instance by running:

  guile --listen=/some/file

A modification to the REPL server that detects attempts to exploit this
vulnerability is available upstream and will be part of Guile 2.0.13, to
be released shortly.

Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8606
http://seclists.org/oss-sec/2016/q4/102
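As an added illustration (not Guile's code and not the upstream patch linked above), the following Python sketch shows the two defensive measures the advisory names: a line-oriented listener that refuses any connection whose first line is an HTTP request line, so a browser-submitted form never reaches the evaluator, and binding the listener to a Unix-domain socket instead of a TCP port. The socket path and the echo "evaluator" are constructed stand-ins for the example.

```python
import io
import os
import re
import socketserver

# A form submitted by a browser arrives as an HTTP request: request line,
# headers, blank line, then the attacker-chosen body. A plain line-oriented
# REPL would read straight through the headers and evaluate that body, so the
# session is gated on its very first line.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|PATCH|CONNECT) \S+ HTTP/\d\.\d\r?\n$"
)


def looks_like_http_request(first_line: bytes) -> bool:
    """True when the first line a client sends is an HTTP request line."""
    return HTTP_REQUEST_LINE.match(first_line) is not None


def serve_repl_session(rfile, wfile) -> str:
    """Gate a session on its first line; the evaluator is a constructed echo."""
    first = rfile.readline()
    if looks_like_http_request(first):
        # Refuse before any further line (headers or body) is parsed.
        wfile.write(b"not an HTTP server; connection refused\n")
        return "rejected-http"
    line = first
    while line:
        wfile.write(b"echo: " + line.strip() + b"\n")  # stand-in for eval
        line = rfile.readline()
    return "ok"


def run_session_on_bytes(data: bytes):
    """Drive serve_repl_session over an in-memory client transcript."""
    out = io.BytesIO()
    result = serve_repl_session(io.BytesIO(data), out)
    return result, out.getvalue()


class ReplHandler(socketserver.StreamRequestHandler):
    def handle(self):
        serve_repl_session(self.rfile, self.wfile)


def serve_on_unix_socket(path: str) -> None:
    """Advisory workaround: a Unix-domain socket is unreachable from a browser."""
    if os.path.exists(path):
        os.unlink(path)
    with socketserver.UnixStreamServer(path, ReplHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve_on_unix_socket("/tmp/repl-example.sock")  # constructed path
```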
Comment 1 Swamp Workflow Management 2016-10-12 22:00:38 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-10-17 12:50:43 UTC
Submit request against devel project created: 435742.
Comment 3 Petr Gajdos 2016-10-17 12:57:49 UTC
Just 13.2/guile affected.
Comment 4 Bernhard Wiedemann 2016-10-17 14:01:05 UTC
This is an autogenerated message for OBS integration:
This bug (1004226) was mentioned in
https://build.opensuse.org/request/show/435737 13.2 / guile
Comment 5 Petr Gajdos 2016-10-18 09:13:00 UTC
I believe all fixed.
Comment 6 Andreas Stieger 2016-10-26 09:13:41 UTC
release for 13.2, closing
Comment 7 Swamp Workflow Management 2016-10-26 12:20:30 UTC
openSUSE-SU-2016:2645-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1004221,1004226
CVE References: CVE-2016-8605,CVE-2016-8606
Sources used:
openSUSE 13.2 (src):    guile-2.0.11-3.3.1