Hello Chicken users,

A problem was detected in the way the Chicken Scheme interpreter (csi) reads its startup files. Normally it reads ~/.csirc, but when a file named .csirc is found in the current working directory, that file is loaded instead, regardless of who placed it there.

This allows a local attacker to cause arbitrary code to be executed whenever csi is started from a directory to which the attacker has write access.

There are a few workarounds:

- You can compile often-used scripts, as it is only the interpreter which loads these files.
- Your scripts can be modified to invoke csi safely, with the -n switch (which causes csi to skip loading the startup file). The "csi" binary can also be replaced by an alias or shell script which always invokes the original csi with -n.
- Avoid executing csi or Chicken scripts from directories to which others have write access.

You can also update to master c6750af99ada7fa4815ee834e4e705bcfac9c137 or later, or apply the patch from the following mail:

http://lists.nongnu.org/archive/html/chicken-hackers/2013-03/msg00074.html

This fix will make it into Chicken 4.8.0.4, which will hopefully be released shortly, pending a few other issues.

Kind regards,
The Chicken Team
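As an added example (not part of the advisory or of the Chicken project), here is a POSIX sh wrapper implementing the shell-script workaround above: it always passes -n to the real csi, and before that it flags a .csirc in the working directory that is owned by someone else or that sits in a directory others can write to. The real binary path /usr/bin/csi and the wrapper name csi-safe are assumptions.

```shell
#!/bin/sh
# csi-safe: wrapper that never lets csi load a .csirc from the working
# directory. Assumes the real interpreter is /usr/bin/csi (override with
# REAL_CSI). Install as "csi-safe", or as "csi" ahead of the real one on PATH.

REAL_CSI="${REAL_CSI:-/usr/bin/csi}"

# Return 0 (true) when "$1/.csirc" would be loaded from an untrusted source:
# the file is owned by another user, or the directory is world-writable so
# anyone could have placed or replaced it. Return 1 otherwise.
csirc_untrusted() {
    dir="${1:-.}"
    [ -f "$dir/.csirc" ] || return 1
    # .csirc owned by someone other than the invoking user?
    [ -n "$(find "$dir/.csirc" -prune ! -user "$(id -un)" -print)" ] && return 0
    # directory writable by others (octal 0002 = world write bit)?
    [ -n "$(find "$dir" -prune -perm -0002 -print)" ] && return 0
    return 1
}

# Argument list handed to the real csi: -n first, then the caller's arguments,
# one per line so the test can inspect it.
safe_csi_args() {
    printf '%s\n' -n "$@"
}

run_safe_csi() {
    if csirc_untrusted "$PWD"; then
        echo "csi-safe: $PWD/.csirc is not trusted; csi started with -n" >&2
    fi
    exec "$REAL_CSI" -n "$@"
}

# Only exec the interpreter when invoked under the wrapper's name, so the
# functions above can be sourced for testing without starting csi.
case "${0##*/}" in
    csi|csi-safe) run_safe_csi "$@" ;;
esac
```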