CVE-2016-6831

Name	CVE-2016-6831
Description	The "process-execute" and "process-spawn" procedures did not free memory correctly when the execve() call failed, resulting in a memory leak. This could be abused by an attacker to cause resource exhaustion or a denial of service. This affects all releases of CHICKEN up to and including 4.11 (it will be fixed in 4.12 and 5.0, which are not yet released).
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References	DLA-643-1
NVD severity	medium (attack range: remote)
Debian Bugs	834845

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
chicken (PTS)	wheezy	4.7.0-1	vulnerable
	wheezy (security)	4.7.0-1+deb7u2	fixed
	jessie	4.9.0.1-1	vulnerable
	stretch, buster, sid	4.11.0-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
chicken	source	(unstable)	(unfixed)	medium		834845
chicken	source	wheezy	4.7.0-1+deb7u1	medium	DLA-643-1

Notes

[stretch] - chicken <no-dsa> (Minor issue)
[jessie] - chicken <no-dsa> (Minor issue)
Fixed in the same upstream patch which is provided for CVE-2016-6830