From: Nala Ginrut
Newsgroups: gmane.lisp.guile.user, gmane.lisp.guile.devel
Subject: Re: Guile security vulnerability w/ listening on localhost + port (with fix)
Date: Wed, 12 Oct 2016 23:49:39 +0800
Organization: HFG
Message-ID: <1476287379.10369.22.camel@gmail.com>
In-Reply-To: <87k2dfc7dd.fsf@dustycloud.org>
To: Christopher Allan Webber, guile-devel@gnu.org, guile-user@gnu.org

On Tue, 2016-10-11 at 09:01 -0500, Christopher Allan Webber wrote:
> The Guile team has just pushed out a new commit on the Guile stable-2.0
> branch addressing a security issue for Guile.  There will be a release
> shortly as well.  The commit is
> 08c021916dbd3a235a9f9cc33df4c418c0724e03, or for web viewing purposes:
>
>   http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03
>
> Due to the nature of this bug, Guile applications themselves in general
> aren't vulnerable, but Guile developers are.  Arbitrary scheme code may
> be used to attack your system in this scenario.
>
> There is also a lesson here that applies beyond Guile: the presumption
> that "localhost" is only accessible by local users can't be guaranteed
> by modern operating system environments.  If you are looking to provide
> local-execution-only, we recommend using unix domain sockets or named
> pipes.  Don't rely on localhost plus some port.
>

Indeed, I've considered doing so in Artanis too. But maybe we should provide both, just like php-fpm does? And let users choose which one to use: localhost:port or a unix socket.
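An added example in Guile Scheme (not code from this thread, from Guile or from Artanis) of the php-fpm style choice proposed above: a listener constructor that accepts either a unix-socket path or a localhost/port pair, with the unix-domain branch restricting the socket file to the owning user so that access is governed by file permissions rather than by reachability of "localhost". The `make-listener`/`serve` names and the config shape are assumptions.

```scheme
;; Added example, not from the thread, Guile or Artanis.
;; Build a listening socket from a config of the form
;;   (unix "/run/app/app.sock")   or   (tcp "127.0.0.1" 3000)
;; The unix-domain branch is the safe default the thread recommends:
;; who may connect is decided by file permissions on the socket path.
(use-modules (ice-9 match))

(define (listen-unix path)
  ;; Remove a stale socket file left behind by a previous run.
  (when (file-exists? path)
    (delete-file path))
  (let ((sock (socket PF_UNIX SOCK_STREAM 0))
        (old-umask (umask #o077)))      ; socket file is created owner-only
    (bind sock AF_UNIX path)
    (umask old-umask)
    (chmod path #o600)                  ; rw for the owning user only
    (listen sock 128)
    sock))

(define (listen-tcp host port)
  ;; Legacy option: reachable by anything able to open a TCP connection
  ;; to this address; "localhost" alone does not limit that to local users.
  (let ((sock (socket PF_INET SOCK_STREAM 0)))
    (setsockopt sock SOL_SOCKET SO_REUSEADDR 1)
    (bind sock AF_INET (inet-pton AF_INET host) port)
    (listen sock 128)
    sock))

(define (make-listener config)
  (match config
    (('unix path)      (listen-unix path))
    (('tcp host port)  (listen-tcp host port))
    (_ (error "unknown listener config" config))))

;; Serve one connection at a time; the handler receives the client port
;; and a printable description of where the connection came from.
(define (serve config handler)
  (let ((sock (make-listener config)))
    (let loop ()
      (match (accept sock)
        ((client . addr)
         (let ((peer (if (= (sockaddr:fam addr) AF_UNIX)
                         "local unix-socket client"
                         (inet-ntop AF_INET (sockaddr:addr addr)))))
           (handler client peer)
           (close-port client))
         (loop))))))
```

Run it with e.g. `(serve '(unix "/tmp/app.sock") (lambda (client peer) (display "hello\n" client)))`; switching the config to `'(tcp "127.0.0.1" 3000)` gives the localhost:port behaviour for users who still need it.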