Bug 200980 - lang/chicken: CVE-2015-4556: out-of-bounds read in CHICKEN Scheme's string-translate* procedure
Summary: lang/chicken: CVE-2015-4556: out-of-bounds read in CHICKEN Scheme's string-tr...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Jason Unovitch
URL: http://openwall.com/lists/oss-securit...
Keywords: patch, patch-ready, security
Depends on:
Blocks:
 
Reported: 2015-06-20 02:05 UTC by Jason Unovitch
Modified: 2015-08-02 14:13 UTC (History)
4 users (show)

See Also:
vmagerya: maintainer-feedback+


Attachments
chicken-4.10.0rc1.diff (3.49 KB, patch)
2015-06-20 19:14 UTC, Vitaly Magerya
no flags Details | Diff
chicken-4.10.0r1.diff (3.53 KB, patch)
2015-06-21 17:23 UTC, Vitaly Magerya
vmagerya: maintainer-approval+
Details | Diff
Poudriere testport build logs from 10.1-RELEASE amd64 (54.70 KB, text/x-log)
2015-06-22 03:39 UTC, Jason Unovitch
no flags Details
security/vuxml entry to document both CVE-2015-4556 and CVE-2015-9651 (2.88 KB, patch)
2015-06-22 04:27 UTC, Jason Unovitch
no flags Details | Diff
chicken-4.10.0.r1,1.diff (1.61 KB, patch)
2015-06-22 10:58 UTC, Vitaly Magerya
vmagerya: maintainer-approval+
Details | Diff
chicken-4.10.0.r2,1.diff (1.66 KB, patch)
2015-07-05 13:49 UTC, Jason Unovitch
no flags Details | Diff
chicken-4.10.0.r2,1.log -- Poudriere testport from 10.1-RELEASE jail (54.80 KB, text/x-log)
2015-07-05 22:34 UTC, Jason Unovitch
no flags Details
lang/chicken: chicken-4.10.0.r4,1.patch (1018 bytes, patch)
2015-07-27 01:01 UTC, Jason Unovitch
junovitch: maintainer-approval+
Details | Diff
security/vuxml fixup (917 bytes, patch)
2015-07-27 01:04 UTC, Jason Unovitch
no flags Details | Diff
chicken-4.10.0.r4,1.log -- Poudriere testport from 10.1-RELEASE jail (55.00 KB, text/x-log)
2015-07-27 01:06 UTC, Jason Unovitch
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jason Unovitch freebsd_committer 2015-06-20 02:05:11 UTC
Chicken has recently been assigned a CVE for an out of bounds read issue.
http://openwall.com/lists/oss-security/2015/06/15/4

This is planned to be fixed in a future 4.10 release.
http://lists.nongnu.org/archive/html/chicken-announce/2015-06/msg00010.html

There is a patch available from upstream available here in light of 4.10 not being available.
http://lists.nongnu.org/archive/html/chicken-hackers/2015-06/msg00037.html
Comment 1 Vitaly Magerya 2015-06-20 19:14:54 UTC
Created attachment 157898 [details]
chicken-4.10.0rc1.diff

Unfortunately it is not as trivial as applying that patch to a
previous release: one of the files that patch touches must be
translated into C during the build, which requires an installed
version of chicken. Normally release tarballs include the generated
C file, but if the patch is applied that generated file becomes
obsolete, and the build process can not continue.

The solution is to use one of the release tarballs.

Since chicken 4.10 is not yet released, we could use 4.10.0rc1
for the time being. It's better than nothing.

Here's a patch for that, complete with a vuln.xml update.
Comment 2 Jason Unovitch freebsd_committer 2015-06-21 13:18:29 UTC
(In reply to Vitaly Magerya from comment #1)

QA:
# portlint -ac
FATAL: Makefile: PORTVERSION looks illegal. You should modify "4.10.0rc1".
WARN: Makefile: Consider defining LICENSE.

I have build tests pending now.
Comment 3 Vitaly Magerya 2015-06-21 17:23:53 UTC
Created attachment 157947 [details]
chicken-4.10.0r1.diff

> FATAL: Makefile: PORTVERSION looks illegal. You should modify "4.10.0rc1".

Portlint is being overly pedantic here in my opinion; 'pkg version' supports that version format flawlessly. In any case, here's an updated diff with fixed version string (no other changes).
Comment 4 Jason Unovitch freebsd_committer 2015-06-22 03:39:19 UTC
Created attachment 157966 [details]
Poudriere testport build logs from 10.1-RELEASE amd64

Testport attached, also testport build successful on the following:
8.4-RELEASE-p28      amd64
8.4-RELEASE-p28      i386
9.3-RELEASE-p14      amd64
9.3-RELEASE-p14      i386
10.1-RELEASE-p10     amd64
10.1-RELEASE-p10     i386
11.0-CURRENT r284104 amd64
11.0-CURRENT r284104 i386

Portlint fix resolves earlier error.
Comment 5 Jason Unovitch freebsd_committer 2015-06-22 04:19:15 UTC
Regarding security/vuxml documentation and a close action for the PR.

RC1 doesn't list CVE-2015-4556 as being fixed in the RC1 release notes here:
http://code.call-cc.org/dev-snapshots/2015/06/07/NEWS

- Security fixes
  - CVE-2014-6310: Use POSIX poll() on Android platform to avoid
    potential select() buffer overrun.
  - CVE-2014-9651: substring-index[-ci] no longer scans beyond string
    boundaries.

That was annouced 8 days after RC1 was released and the git commit for the fix was 7 days after RC1.  It does announce an earlier issue being fixed that hasn't been documented yet.
Comment 6 Jason Unovitch freebsd_committer 2015-06-22 04:27:44 UTC
Created attachment 157968 [details]
security/vuxml entry to document both CVE-2015-4556 and CVE-2015-9651

Tentative vuxml to document both issues while we hash out exactly what issue is fixed in what version.  Version string has tentatively been left at 4.10.0 since pkg was picking up the rc version as being newer then the release.
Comment 7 commit-hook freebsd_committer 2015-06-22 07:02:46 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 07:02:21 UTC 2015
New revision: 390276
URL: https://svnweb.freebsd.org/changeset/ports/390276

Log:
  Document lang/chicken vulnerabilities CVE-2014-9651 and CVE-2015-4556.

  PR:		200980
  Submitted by:	Jason Unovitch

Changes:
  head/security/vuxml/vuln.xml
Comment 8 commit-hook freebsd_committer 2015-06-22 07:08:49 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 07:08:27 UTC 2015
New revision: 390277
URL: https://svnweb.freebsd.org/changeset/ports/390277

Log:
  Update to 4.10.0 RC1.

  PR:		200980
  Submitted by:	maintainer (Vitaly Magerya)
  MFH:		2015Q2
  Security:	0da404ad-1891-11e5-a1cf-002590263bf5,
  		e7b7f2b5-177a-11e5-ad33-f8d111029e6a

Changes:
  head/lang/chicken/Makefile
  head/lang/chicken/distinfo
Comment 9 commit-hook freebsd_committer 2015-06-22 07:09:51 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 07:09:46 UTC 2015
New revision: 390278
URL: https://svnweb.freebsd.org/changeset/ports/390278

Log:
  MFH: r390277

  Update to 4.10.0 RC1.

  PR:		200980
  Submitted by:	maintainer (Vitaly Magerya)
  Security:	0da404ad-1891-11e5-a1cf-002590263bf5,
  		e7b7f2b5-177a-11e5-ad33-f8d111029e6a
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/lang/chicken/Makefile
  branches/2015Q2/lang/chicken/distinfo
Comment 10 Xin LI freebsd_committer 2015-06-22 07:10:03 UTC
Committed, thanks!
Comment 11 Vitaly Magerya 2015-06-22 10:58:11 UTC
Created attachment 157976 [details]
chicken-4.10.0.r1,1.diff

You're right, Jason; RC1 only fixes CVE-2014-9651 (substring-index*
issue), not CVE-2015-4556 (string-translate* issue). I did not
notice that.

That's not the only place I've messed up though. The current
version of lang/chicken is '4.10.0r1', and both CVE issues are
marked with '<range><lt>4.10.0</lt></range>'. Now observe:

    $ pkg version -t 4.10.0r1 4.10.0
    >

Whoops!

Note that the originally proposed version is actually better:

    $ pkg version -t 4.10.0rc1 4.10.0
    <

In any case, the correct version string I should have used is
'4.10.0.r1', but now that '4.10.0r1' has been committed, I'm
afraid we'll need to bump PORTEPOCH (which I'd prefer to avoid,
but I don't see how).

In short here's an additional patch, which changes the version
of lang/chicken to '4.10.0.r1,1', marks CVE-2015-4556 with
'<range><lt>4.10.0,1</lt></range>', and CVE-2014-9651 with
'<range><lt>4.10.0.r1,1</lt></range>'.

To double-check the version strings:

    $ pkg version -t 4.10.0r1 4.10.0.r1,1
    <

    $ pkg version -t 4.10.0.r1,1 4.10.0,1
    <

I hope I did not mess anything up this time...
Comment 12 Kubilay Kocak freebsd_committer freebsd_triage 2015-06-22 11:05:39 UTC
Re-open for new attachment 157976 [details]

Assign to committer that closed.

Vitaly/Jason, please clarify exactly what Xin Li needs to do now given that the following changeset has already been committed:

https://svnweb.freebsd.org/changeset/ports/390278
Comment 13 Vitaly Magerya 2015-06-22 11:17:08 UTC
We share the vulnerability database across ports tree branches,
right? In this case, applying my last patch to the 2015Q2 branch
is preferable, but optional (if the patch is not applied, people
will see 4.10.0r1 version as having 2 vulnerabilities, while there
should only be 1, which is undesirable, but not fatal).
Comment 14 Jason Unovitch freebsd_committer 2015-06-22 19:16:43 UTC
My apologies for attaching a "tentative" patch.  We should have finished all of our discussion and agreed on the way ahead beforehand.

Vitaly,
The most logical way ahead I can see would be:

1. Apply the chicken-4.10.0.r1,1.diff to the ports/head branch with one minor suggested change. Due to the unfixed CVE, modify the CVE-2015-4556 / 0da404ad-1891-11e5-a1cf-002590263bf5 vuxml entry before commit to include "<freebsdpr>ports/200980</freebsdpr>" as a reference for anyone looking for supplemental information.

2. MFH the lang/chicken/Makefile update to 2015Q2.  The security/vuxml under 2015Q2 hasn't been updated since the branch was made.

3. Hold this PR open until we can update to 4.10.0,1 for the release or RC2 comes out with the fix and we update to 4.10.0.r2,1

Does this make sense as our course of action?

Other comment, I see what you mean regarding the generated C files; it would certainly be a non-trivial amount of effort to backport the fix to the release tarball.
Comment 15 Vitaly Magerya 2015-06-22 21:29:43 UTC
(In reply to Jason Unovitch from comment #14)
> 1. Apply the chicken-4.10.0.r1,1.diff to the ports/head branch
> with one minor suggested change. Due to the unfixed CVE, modify
> the CVE-2015-4556 / 0da404ad-1891-11e5-a1cf-002590263bf5 vuxml
> entry before commit to include "<freebsdpr>ports/200980</freebsdpr>"
> as a reference for anyone looking for supplemental information.

I'm OK with that addition.

Also, '<modified>2015-06-23</modified>' should be added to the
'<dates>' sections of both vuln entries (something I forgot to
include in chicken-4.10.0.r1,1.diff).

> 2. MFH the lang/chicken/Makefile update to 2015Q2.  The
> security/vuxml under 2015Q2 hasn't been updated since the branch
> was made.

Yes.

Note that security/vuxml in the quarterly branches is mostly
irrelevant, since 'pkg audit' uses data from vuxml.freebsd.org,
which is prepared from the head.

> 3. Hold this PR open until we can update to 4.10.0,1 for the
> release or RC2 comes out with the fix and we update to 4.10.0.r2,1
>
> Does this make sense as our course of action?

Yes.

> Other comment, I see what you mean regarding the generated C
> files; it would certainly be a non-trivial amount of effort to
> backport the fix to the release tarball.

My thinking is that while I could apply the patch to 4.9.0.1,
re-generate the needed C files, and provide a combined diff, it
would contain changes not directly approved by the chicken team,
so you'd need to trust that I (a random person on the internet)
did not hide a backdoor in that diff, which I think is too much
to ask.
Comment 16 Jason Unovitch freebsd_committer 2015-06-22 21:48:58 UTC
(In reply to Vitaly Magerya from comment #15)

>> 1. Apply the chicken-4.10.0.r1,1.diff to the ports/head branch
>> with one minor suggested change. Due to the unfixed CVE, modify
>> the CVE-2015-4556 / 0da404ad-1891-11e5-a1cf-002590263bf5 vuxml
>> entry before commit to include "<freebsdpr>ports/200980</freebsdpr>"
>> as a reference for anyone looking for supplemental information.
>
> I'm OK with that addition.
>
> Also, '<modified>2015-06-23</modified>' should be added to the
> '<dates>' sections of both vuln entries (something I forgot to
> include in chicken-4.10.0.r1,1.diff).

Good catch.

>> Other comment, I see what you mean regarding the generated C
>> files; it would certainly be a non-trivial amount of effort to
>> backport the fix to the release tarball.
>
> My thinking is that while I could apply the patch to 4.9.0.1,
> re-generate the needed C files, and provide a combined diff, it
> would contain changes not directly approved by the chicken team,
> so you'd need to trust that I (a random person on the internet)
> did not hide a backdoor in that diff, which I think is too much
> to ask.

The regenerated C file ended up being a 10,000+ line diff and had issues building anyway.  Backporting fixes in a way that is easy to audit is one thing but the nature of how this app works makes that new C file impossible to effectively audit.
Comment 17 Jason Unovitch freebsd_committer 2015-06-22 21:51:39 UTC
Xin,
The recommended course of action is in comment 14 above.

For item 1, as mentioned in comment 15 we'll need '<modified>2015-06-23</modified>' on both entries.  That wasn't in the 'chicken-4.10.0.r1,1.diff'
Comment 18 commit-hook freebsd_committer 2015-06-22 23:19:14 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 23:18:22 UTC 2015
New revision: 390340
URL: https://svnweb.freebsd.org/changeset/ports/390340

Log:
  Change version format (from 4.10.0r1 to 4.10.0.r1) and bump PORTEPOCH.
  This is because our current versioning system sees 4.10.0r1 > 4.10.0.

  vuxml change would follow.

  PR:		200980
  Submitted by:	maintainer (Vitaly Magerya)
  MFH:		2015Q2

Changes:
  head/lang/chicken/Makefile
Comment 19 commit-hook freebsd_committer 2015-06-22 23:23:16 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 23:22:24 UTC 2015
New revision: 390341
URL: https://svnweb.freebsd.org/changeset/ports/390341

Log:
  Reflect version range change after r390340.  While I'm there, also fix
  the CVE-2015-4556 entry because it's not yet fixed in the ports tree and
  add a reference to the PR while there.

  PR:		200980
  Submitted by:	Vitaly Magerya (with changes suggested by Jason Unovitch)

Changes:
  head/security/vuxml/vuln.xml
Comment 20 commit-hook freebsd_committer 2015-06-22 23:23:18 UTC
A commit references this bug:

Author: delphij
Date: Mon Jun 22 23:22:53 UTC 2015
New revision: 390342
URL: https://svnweb.freebsd.org/changeset/ports/390342

Log:
  MFH: r390340

  Change version format (from 4.10.0r1 to 4.10.0.r1) and bump PORTEPOCH.
  This is because our current versioning system sees 4.10.0r1 > 4.10.0.

  vuxml change would follow.

  PR:		200980
  Submitted by:	maintainer (Vitaly Magerya)
  Approved by:	ports-secteam

Changes:
_U  branches/2015Q2/
  branches/2015Q2/lang/chicken/Makefile
Comment 21 Xin LI freebsd_committer 2015-06-26 17:33:58 UTC
Comment on attachment 157947 [details]
chicken-4.10.0r1.diff

Committed, thanks!
Comment 22 Xin LI freebsd_committer 2015-06-26 17:34:16 UTC
Comment on attachment 157966 [details]
Poudriere testport build logs from 10.1-RELEASE amd64

This was committed, thanks for testing.
Comment 23 Xin LI freebsd_committer 2015-06-26 17:35:00 UTC
Comment on attachment 157968 [details]
security/vuxml entry to document both CVE-2015-4556 and CVE-2015-9651

Committed, thanks!
Comment 24 Xin LI freebsd_committer 2015-06-26 17:35:13 UTC
Comment on attachment 157976 [details]
chicken-4.10.0.r1,1.diff

Committed, thanks!
Comment 25 Jason Unovitch freebsd_committer 2015-07-05 13:49:11 UTC
Created attachment 158375 [details]
chicken-4.10.0.r2,1.diff

Bump to chicken-4.10.0.r2,1 with SHA256 of 85c8....2fba for the CVE-2015-4556 fix.  Vitaly, does this look good to you?

http://code.call-cc.org/dev-snapshots/2015/07/04/NEWS
http://code.call-cc.org/dev-snapshots/

Tested on my desktop in a 10.1-RELEASE Poudriere but other builds are pending on 11 down to 8.4 on my build test machine.  I'll provide a testport log later.
Comment 26 Vitaly Magerya 2015-07-05 20:04:33 UTC
(In reply to Jason Unovitch from comment #25)
The patch looks perfect, and I did notice this release appearing in the snapshot list (I have actually tested an identical patch this morning), but... this build has not yet been announced. Check out chicken-announce archive [1] -- it's got no mention of it at the moment. I think we should wait a day for that announcement to be posted.

[1] http://lists.nongnu.org/archive/html/chicken-announce/
Comment 27 Jason Unovitch freebsd_committer 2015-07-05 22:34:46 UTC
Created attachment 158401 [details]
chicken-4.10.0.r2,1.log -- Poudriere testport from 10.1-RELEASE jail

(In reply to Vitaly Magerya from comment #26)

Excellent.  Poudriere log attached and I've built on the jails listed below in Poudriere.  Go ahead and give the maintainer-feedback+ when you are ready for the commit.  Once that is committed and MFH'd to 2015Q3 everything this PR was opened for is done so it's ready to be closed.

Just a thought for the future, it makes sense to me when the final release is out to request that to MFH to 2015Q3 as well even if there are no security fixes just so we don't have a release candidate there.  That's outside of the scope of this PR but figured I would mention it.

8.4-RELEASE-p31      amd64
8.4-RELEASE-p31      i386
9.3-RELEASE-p17      amd64
9.3-RELEASE-p17      i386
10.1-RELEASE-p14     amd64
10.1-RELEASE-p14     i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
Comment 28 Kubilay Kocak freebsd_committer freebsd_triage 2015-07-06 05:05:20 UTC
Thank you both. Vitaliy, could you please obsolete (or ask Jason to obsolete) the patch that you dont want referenced by committers. 

I'm assuming its the r2 version, in which case please obsolete attachment 157976 [details] if i'm correct
Comment 29 Jason Unovitch freebsd_committer 2015-07-27 01:01:45 UTC
Created attachment 159285 [details]
lang/chicken: chicken-4.10.0.r4,1.patch

Vitaly,
4.10.0 RC4 has been released.  See http://lists.nongnu.org/archive/html/chicken-announce/2015-07/msg00001.html.  Are you ok with this patch?

Log:

Security update to Chicken 4.10.0 RC4

PR:		200980
Security:	CVE-2015-4556
Security:	0da404ad-1891-11e5-a1cf-002590263bf5
Approved by:	Vitaly Magerya (maintainer)
Submitted by:	Jason Unovitch
MFH:		2015Q3
Comment 30 Jason Unovitch freebsd_committer 2015-07-27 01:04:04 UTC
Created attachment 159286 [details]
security/vuxml fixup

Log:

Reflect Chicken 4.10.0 RC2 as the minimum version with the CVE-2015-4556 fix

PR:		200980
Security:	CVE-2015-4556
Security:	0da404ad-1891-11e5-a1cf-002590263bf5
Comment 31 Jason Unovitch freebsd_committer 2015-07-27 01:06:28 UTC
Created attachment 159287 [details]
chicken-4.10.0.r4,1.log -- Poudriere testport from 10.1-RELEASE jail

No issues noted in the logs.  Also Poudriere build tested on the following:

8.4-RELEASE-p31      amd64
8.4-RELEASE-p31      i386
9.3-RELEASE-p17      amd64
9.3-RELEASE-p17      i386
10.1-RELEASE-p14     amd64
10.1-RELEASE-p14     i386
10.2-BETA2           amd64
10.2-BETA2           i386
11.0-CURRENT r284725 amd64
11.0-CURRENT r284725 i386
Comment 32 Jason Unovitch freebsd_committer 2015-07-27 01:08:38 UTC
(In reply to Vitaly Magerya from comment #26)

Vitaly,
With this update, the CVE-2015-4556 fix that the PR was opened for and CVE-2014-9651 fix that we came across during QA are all addressed.  This will be ready to close with your go ahead.
Comment 33 Vitaly Magerya 2015-07-27 09:08:26 UTC
Yes, plase commit both patches.
Comment 34 Vitaly Magerya 2015-07-27 09:16:26 UTC
Comment on attachment 159285 [details]
lang/chicken: chicken-4.10.0.r4,1.patch

I've tried to put the "maintainer‑approval +" flag on the diff, but it doesn't seem to work... Maybe if I'll add a comment while setting that flag, it'll work.
Comment 35 Vitaly Magerya 2015-07-27 09:21:38 UTC
Comment on attachment 159285 [details]
lang/chicken: chicken-4.10.0.r4,1.patch

Nope. Unless I'm not seeing something obvious, it didn't work.

Please consider patches from comment #29 and comment #30 "approved".
Comment 36 Jason Unovitch freebsd_committer 2015-07-27 10:48:22 UTC
Comment on attachment 159285 [details]
lang/chicken: chicken-4.10.0.r4,1.patch

Set maintainer-approval+ based off comment #35.
Comment 37 Xin LI freebsd_committer 2015-07-27 18:48:19 UTC
Submitter is now committer, congratulations!
Comment 38 Jason Unovitch freebsd_committer 2015-07-28 01:11:17 UTC
(In reply to Jason Unovitch from comment #29)

Revised entry pending account access:

Security update to Chicken 4.10.0 RC4

PR:		200980
Security:	CVE-2015-4556
Security:	0da404ad-1891-11e5-a1cf-002590263bf5
Approved by:	delphij (mentor), Vitaly Magerya (maintainer)
MFH:		2015Q3
Comment 39 commit-hook freebsd_committer 2015-07-31 00:19:44 UTC
A commit references this bug:

Author: junovitch
Date: Fri Jul 31 00:18:49 UTC 2015
New revision: 393282
URL: https://svnweb.freebsd.org/changeset/ports/393282

Log:
  Security update to Chicken 4.10.0 RC4

  PR:		200980
  Security:	CVE-2015-4556
  Security:	0da404ad-1891-11e5-a1cf-002590263bf5
  Approved by:	delphij (mentor), Vitaly Magerya (maintainer)
  MFH:		2015Q3

Changes:
  head/lang/chicken/Makefile
  head/lang/chicken/distinfo
Comment 40 commit-hook freebsd_committer 2015-07-31 00:26:47 UTC
A commit references this bug:

Author: junovitch
Date: Fri Jul 31 00:26:35 UTC 2015
New revision: 393283
URL: https://svnweb.freebsd.org/changeset/ports/393283

Log:
  Reflect Chicken 4.10.0 RC2 as the minimum version with the CVE-2015-4556 fix

  PR:		200980
  Security:	CVE-2015-4556
  Security:	0da404ad-1891-11e5-a1cf-002590263bf5
  Approved by:	delphij (mentor)

Changes:
  head/security/vuxml/vuln.xml
Comment 41 commit-hook freebsd_committer 2015-07-31 00:59:52 UTC
A commit references this bug:

Author: junovitch
Date: Fri Jul 31 00:59:10 UTC 2015
New revision: 393285
URL: https://svnweb.freebsd.org/changeset/ports/393285

Log:
  MFH: r393282

  Security update to Chicken 4.10.0 RC4

  PR:		200980
  Security:	CVE-2015-4556
  Security:	0da404ad-1891-11e5-a1cf-002590263bf5
  Approved by:	delphij (mentor), Vitaly Magerya (maintainer)
  Approved by:	ports-secteam (delphij)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/lang/chicken/Makefile
  branches/2015Q3/lang/chicken/distinfo
Comment 42 Jason Unovitch freebsd_committer 2015-07-31 01:04:51 UTC
Vitaly,
Thank you! Update has been committed and MFH'd to 2015Q3.
Comment 43 Jason Unovitch freebsd_committer 2015-08-02 14:13:43 UTC
Vitaly,
A suggestion that came up... It may be a bit late now but never too late to learn something new.  Something to keep in mind for next time is this syntax would have been cleaner and we wouldn't have had that "PORTVERSION looks illegal" issue.  

DISTVERSION=    4.10.0rc4