Call-cc : Security Vulnerabilities, CVEs, CVSS score >= 9

egg-compile.scm in CHICKEN 5.x before 5.3.1 allows arbitrary OS command execution during package installation via escape characters in a .egg file.

The "process-execute" and "process-spawn" procedures in CHICKEN Scheme used fixed-size buffers for holding the arguments and environment variables to use in its execve() call. This would allow user-supplied argument/environment variable lists to trigger a buffer overrun. This affects all releases of CHICKEN up to and including 4.11 (it will be fixed in 4.12 and 5.0, which are not yet released).

Buffer overflow in CHICKEN 4.9.0 and 4.9.0.1 may allow remote attackers to execute arbitrary code via the 'select' function.

OS command injection vulnerability in the "qs" procedure from the "utils" module in Chicken before 4.9.0.

Chicken before 4.8.0 is susceptible to algorithmic complexity attacks related to hash table collisions.