felix . winkelmann
[Chicken-announce] [SECURITY] Potential OS command execution during egg install
Fri, 11 Nov 2022 11:18:24 +0100
Vasilij found a security issue in the way egg-information
files are created during installation of an extension package.
Currently, shell escape characters in the .egg file may be used to
perform arbitrary OS command injection, because of the way the
egg metadata is created and installed into the local egg repository
during the install stage of an egg.
The issue is fixed in commit a08f8f548d772ef410c672ba33a27108d8d434f3
and has been assigned the CVE identifier CVE-2022-45145, see here
for the patch:
All CHICKEN versions from 5.0.0 and later are vulnerable.
Many thanks to Vasilij for reporting the issue and suggesting the
necessary changes to mitigate the problem.
Since all egg downloads go through our centralized egg-locations file
in SVN, it is highly recommended to verify *.egg files for possible
shell escape characters before including their access information there.
Future Salmonella runs should point out problematic eggs, but it may
be prudent not to rely on this, as Salmonella runs and additions
to the egg-locations file are not synchronized.
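The recommendation above is to scan each .egg file for shell escape characters before its access information is added to egg-locations. The following is an added example of such a check, not code from CHICKEN or from this announcement. It assumes the .egg file is plain s-expression metadata (lists, atoms and double-quoted strings) and flags any string whose contents include characters a POSIX shell treats specially; the sample egg texts are constructed for the example.

```python
import re

# Characters a POSIX shell interprets when a value is interpolated unquoted
# into a command line. Any of them inside .egg metadata is worth a manual
# look before the egg is published; this check errs on the side of flagging.
SHELL_META = re.compile(r'[;&|`$<>(){}\[\]*?!\\"\'\n\r]')


def tokenize(text):
    """Minimal s-expression tokenizer: parens, strings, atoms; ';' comments skipped."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == ';':                       # line comment outside a string
            while i < n and text[i] != '\n':
                i += 1
        elif c in '()':
            tokens.append(c)
            i += 1
        elif c == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == '\\' else 1   # keep escapes raw (conservative)
            if j >= n:
                raise ValueError("unterminated string in .egg file")
            tokens.append(('str', text[i + 1:j]))
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in '()";':
                j += 1
            tokens.append(('atom', text[i:j]))
            i = j
    return tokens


def parse(tokens):
    """Turn the token stream into nested Python lists of ('str'|'atom', value) tuples."""
    def read(pos):
        if pos >= len(tokens):
            raise ValueError("unbalanced parentheses in .egg file")
        tok = tokens[pos]
        if tok == '(':
            items, pos = [], pos + 1
            while pos < len(tokens) and tokens[pos] != ')':
                item, pos = read(pos)
                items.append(item)
            if pos >= len(tokens):
                raise ValueError("unbalanced parentheses in .egg file")
            return items, pos + 1
        if tok == ')':
            raise ValueError("unexpected ')' in .egg file")
        return tok, pos + 1

    forms, pos = [], 0
    while pos < len(tokens):
        form, pos = read(pos)
        forms.append(form)
    return forms


def strings_in(form, path=()):
    """Yield (path, string) for every string literal, path being the enclosing keys."""
    if isinstance(form, tuple):
        kind, value = form
        if kind == 'str':
            yield path, value
    elif isinstance(form, list):
        key = form[0][1] if form and isinstance(form[0], tuple) and form[0][0] == 'atom' else None
        child_path = path + (key,) if key else path
        for item in form:
            yield from strings_in(item, child_path)


def check_egg(text):
    """Return [(key path, string, sorted metacharacters found)] for suspicious strings."""
    findings = []
    for form in parse(tokenize(text)):
        for path, value in strings_in(form):
            hits = sorted(set(SHELL_META.findall(value)))
            if hits:
                findings.append(('/'.join(path), value, hits))
    return findings


# Constructed sample .egg contents (not real eggs).
CLEAN_EGG = """\
;; constructed sample, not a real egg
((synopsis "A small example extension")
 (author "Jane Doe")
 (license "BSD")
 (category data)
 (components (extension example)))
"""

SUSPICIOUS_EGG = """\
((synopsis "Parses CSV; handles quoting")
 (author "Jane `Doe`")
 (license "BSD"))
"""

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_EGG), ("suspicious", SUSPICIOUS_EGG)):
        for path, value, hits in check_egg(text):
            print(f"{name}: {path}: {value!r} contains {hits}")
```

Run against a real file with `check_egg(open("foo.egg").read())`; a non-empty result means a human should inspect the flagged strings before the egg's location is added. The scan is deliberately broad (a harmless `;` in a synopsis is reported too), since a false positive costs a glance while a miss costs a command injection on every machine that installs the egg.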