Attachment #157947 for bug #200980




# $FreeBSD$

PORTNAME=	chicken
PORTVERSION=	4.10.0r1
PORTREVISION=	1
CATEGORIES=	lang scheme
MASTER_SITES=	http://code.call-cc.org/dev-snapshots/2015/06/07/
DISTNAME=	${PORTNAME}-${PORTVERSION:r1=rc1}

MAINTAINER=	vmagerya@gmail.com
COMMENT=	Scheme-to-C compiler

CPE_VENDOR=	call-cc
MAKEFILE=	GNUmakefile
USE_LDCONFIG=	yes
MAKE_ARGS+=	PLATFORM=bsd \
		PREFIX=${PREFIX} \
		MANDIR=${PREFIX}/man \
		LIBDIR="${PREFIX}/lib" \
		DOCDIR="${DOCSDIR}" \
		ARCH=${NEW_ARCH} \
		C_COMPILER="${CC}" \
		CXX_COMPILER="${CXX}" \
		LIBRARIAN="${AR}" \
		DOCDIR="${DOCSDIR}" \
		C_COMPILER_OPTIMIZATION_OPTIONS="${CFLAGS}"

NEW_ARCH=	${ARCH:S/i386/x86/:S/amd64/x86-64/}


post-install:
	${INSTALL_DATA} ${WRKSRC}/NEWS ${STAGEDIR}${DOCSDIR}
	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/*
	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/chicken/7/*.so
	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libchicken*

# This only works *after* chicken is installed.
regression-test: build

Lines 1-2 Link Here

(-)lang/chicken/distinfo (-2 / +2 lines)
1	SHA256 (chicken-4.9.0.1.tar.gz) = 04df7c439c36fc16446bdfa186e7a70258f911d2d826b5216a8e6b1cb2aa2815	1	SHA256 (chicken-4.10.0rc1.tar.gz) = b5cc7c2d270d11f56a52da1b78950ada27d9bce2496b8ba230542d104b5477f0
2	SIZE (chicken-4.9.0.1.tar.gz) = 4023371	2	SIZE (chicken-4.10.0rc1.tar.gz) = 4033834





-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="e7b7f2b5-177a-11e5-ad33-f8d111029e6a">
    <topic>chicken -- Potential buffer overrun in string-translate*</topic>
    <affects>
      <package>
	<name>chicken</name>
	<range><lt>4.10.0r1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>chicken developer Peter Bex reports:</p>
	<blockquote cite="http://lists.nongnu.org/archive/html/chicken-announce/2015-06/msg00010.html">
	  <p>Using gcc's Address Sanitizer, it was discovered that the string-translate*
	    procedure from the data-structures unit can scan beyond the input string's
	    length up to the length of the source strings in the map that's passed to
	    string-translate*.	This issue was fixed in master 8a46020, and it will
	    make its way into CHICKEN 4.10.</p>

	  <p>This bug is present in all released versions of CHICKEN.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2015-4556</cvename>
      <mlist>http://lists.nongnu.org/archive/html/chicken-announce/2015-06/msg00010.html</mlist>
      <mlist>http://lists.nongnu.org/archive/html/chicken-hackers/2015-06/msg00037.html</mlist>
    </references>
    <dates>
      <discovery>2010-09-15</discovery>
      <entry>2015-06-20</entry>
    </dates>
  </vuln>

  <vuln vid="968d1e74-1740-11e5-a643-40a8f0757fb4">
    <topic>p5-Dancer -- possible to abuse session cookie values</topic>
    <affects>

Return to bug 200980

Lines 2-11 Link Here

(-)lang/chicken/Makefile (-6 / +12 lines)
2	# $FreeBSD$	2	# $FreeBSD$
3		3
4	PORTNAME= chicken	4	PORTNAME= chicken
5	PORTVERSION= 4.9.0.1	5	PORTVERSION= 4.10.0r1
6	PORTREVISION= 1
7	CATEGORIES= lang scheme	6	CATEGORIES= lang scheme
8	MASTER_SITES= http://code.call-cc.org/releases/4.9.0/	7	MASTER_SITES= http://code.call-cc.org/dev-snapshots/2015/06/07/
		8	DISTNAME= ${PORTNAME}-${PORTVERSION:r1=rc1}
9		9
10	MAINTAINER= vmagerya@gmail.com	10	MAINTAINER= vmagerya@gmail.com
11	COMMENT= Scheme-to-C compiler	11	COMMENT= Scheme-to-C compiler
Lines 14-25 Link Here
14	CPE_VENDOR= call-cc	14	CPE_VENDOR= call-cc
15	MAKEFILE= GNUmakefile	15	MAKEFILE= GNUmakefile
16	USE_LDCONFIG= yes	16	USE_LDCONFIG= yes
17	MAKE_ARGS+= PLATFORM=bsd PREFIX=${PREFIX} \	17	MAKE_ARGS+= PLATFORM=bsd \
18	TOPMANDIR=${PREFIX}/man ARCH=${NEW_ARCH} \	18	PREFIX=${PREFIX} \
		19	MANDIR=${PREFIX}/man \
		20	LIBDIR="${PREFIX}/lib" \
		21	DOCDIR="${DOCSDIR}" \
		22	ARCH=${NEW_ARCH} \
19	C_COMPILER="${CC}" \	23	C_COMPILER="${CC}" \
20	CXX_COMPILER="${CXX}" \	24	CXX_COMPILER="${CXX}" \
21	LIBRARIAN="${AR}" \	25	LIBRARIAN="${AR}" \
22	DOCDIR="${DOCSDIR}" \
23	C_COMPILER_OPTIMIZATION_OPTIONS="${CFLAGS}"	26	C_COMPILER_OPTIMIZATION_OPTIONS="${CFLAGS}"
24		27
25	NEW_ARCH= ${ARCH:S/i386/x86/:S/amd64/x86-64/}	28	NEW_ARCH= ${ARCH:S/i386/x86/:S/amd64/x86-64/}
Lines 34-39 Link Here
34		37
35	post-install:	38	post-install:
36	${INSTALL_DATA} ${WRKSRC}/NEWS ${STAGEDIR}${DOCSDIR}	39	${INSTALL_DATA} ${WRKSRC}/NEWS ${STAGEDIR}${DOCSDIR}
		40	${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/*
		41	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/chicken/7/*.so
		42	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libchicken*
37		43
38	# This only works after chicken is installed.	44	# This only works after chicken is installed.
39	regression-test: build	45	regression-test: build

Lines 57-62 Link Here

(-)security/vuxml/vuln.xml (+33 lines)
57		57
58	-->	58	-->
59	<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">	59	<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
		60	<vuln vid="e7b7f2b5-177a-11e5-ad33-f8d111029e6a">
		61	<topic>chicken -- Potential buffer overrun in string-translate*</topic>
		62	<affects>
		63	<package>
		64	<name>chicken</name>
		65	<range><lt>4.10.0r1</lt></range>
		66	</package>
		67	</affects>
		68	<description>
		69	<body xmlns="http://www.w3.org/1999/xhtml">
		70	<p>chicken developer Peter Bex reports:</p>
		71	<blockquote cite="http://lists.nongnu.org/archive/html/chicken-announce/2015-06/msg00010.html">
		72	<p>Using gcc's Address Sanitizer, it was discovered that the string-translate*
		73	procedure from the data-structures unit can scan beyond the input string's
		74	length up to the length of the source strings in the map that's passed to
		75	string-translate*. This issue was fixed in master 8a46020, and it will
		76	make its way into CHICKEN 4.10.</p>
		77
		78	<p>This bug is present in all released versions of CHICKEN.</p>
		79	</blockquote>
		80	</body>
		81	</description>
		82	<references>
		83	<cvename>CVE-2015-4556</cvename>
		84	<mlist>http://lists.nongnu.org/archive/html/chicken-announce/2015-06/msg00010.html</mlist>
		85	<mlist>http://lists.nongnu.org/archive/html/chicken-hackers/2015-06/msg00037.html</mlist>
		86	</references>
		87	<dates>
		88	<discovery>2010-09-15</discovery>
		89	<entry>2015-06-20</entry>
		90	</dates>
		91	</vuln>
		92
60	<vuln vid="968d1e74-1740-11e5-a643-40a8f0757fb4">	93	<vuln vid="968d1e74-1740-11e5-a643-40a8f0757fb4">
61	<topic>p5-Dancer -- possible to abuse session cookie values</topic>	94	<topic>p5-Dancer -- possible to abuse session cookie values</topic>
62	<affects>	95	<affects>