Leo Famulari writes: > On Thu, Dec 22, 2016 at 02:20:37PM -0500, Kei Kebreau wrote: >> Leo Famulari writes: >> >> > On Fri, Dec 16, 2016 at 02:33:19PM -0500, Leo Famulari wrote: >> >> We fixed this bug in our guile-irregex package in commit fb73f07a0fe, >> >> but our chez-irregex and chicken packages are still vulnerable. >> > >> > Also note that (I believe) our chicken package is vulnerable to >> > CVE-2016-{6830,6831}: >> > >> > http://lists.nongnu.org/archive/html/chicken-announce/2016-08/msg00002.html >> >> The attached patch is currently being tested on my computer, but I >> suspect it will work. >> >> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834845. >> > >> From 3423ef38ecab794f9601aa8ac63c6974d9db62d4 Mon Sep 17 00:00:00 2001 >> From: Kei Kebreau >> Date: Thu, 22 Dec 2016 14:16:55 -0500 >> Subject: [PATCH] gnu: chicken: Fix CVE-2016-{6830,6831}. >> >> * gnu/packages/patches/chicken-CVE-2016-6830+CVE-2016-6831.patch: New file. >> * gnu/local.mk (dist_patch_DATA): Use it. >> * gnu/packages/scheme.scm (chicken)[source]: Use it. > > Thank you for looking into this! > > Something like this patch is in CHICKEN 4.11.1: > > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=0d20426c6da0f116606574dadadaa878b96a68ea > > And there is a patch for the IrRegex bug after the latest tag: > > https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=2c419f18138c17767754b36d3b706cd71a55350a > > Can you try updating CHICKEN and applying that IrRegex patch? I can try, but updating to CHICKEN 4.11.1 requires a recent CHICKEN binary due to its build system requirements. Do we have any objection to bootstrapping CHICKEN 4.11.1 from version 4.11.0?