On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Fri, Dec 16, 2016 at 02:33:19PM -0500, Leo Famulari wrote:
> >> We fixed this bug in our guile-irregex package in commit fb73f07a0fe,
> >> but our chez-irregex and chicken packages are still vulnerable.
> >
> > Also note that (I believe) our chicken package is vulnerable to
> > CVE-2016-{6830,6831}:
> >
> > http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00002.html
> 
> The attached patch is currently being tested on my computer, but I
> suspect it will work.
> 
> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834845.
> 

> From 3423ef38ecab794f9601aa8ac63c6974d9db62d4 Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei@openmailbox.org>
> Date: Thu, 22 Dec 2016 14:16:55 -0500
> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}.
> 
> * gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Use it.
> * gnu/packages/scheme.scm (chicken)[source]: Use it.

Thank you for looking into this!

Something like this patch is in CHICKEN 4.11.1:

https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea

And there is a patch for the IrRegex bug after the latest tag:

https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a

Can you try updating CHICKEN and applying that IrRegex patch?