[3.5] guile: multiple issues (CVE-2016-8605, CVE-2016-8606)
CVE-2016-8605: Thread-unsafe umask modification
The mkdir procedure of GNU Guile, an implementation of the Scheme
programming language, temporarily changed the process's umask to zero.
During that time window, in a multithreaded application, other threads
could end up creating files with insecure permissions.
For example, mkdir without the optional mode argument would create
directories as 0777.
Fixed In Version:
guile 2.0.13
Reference:
http://seclists.org/oss-sec/2016/q4/92
Patch:
CVE-2016-8606: REPL server vulnerable to HTTP inter-protocol attacks
The REPL server is vulnerable to the HTTP inter-protocol attack.
This constitutes a remote code execution vulnerability for developers
running a REPL server that listens on a loopback device or private
network.
Applications that do not run a REPL server, as is usually the case, are
unaffected.
Fixed In Version:
guile 2.0.13
Reference:
http://seclists.org/oss-sec/2016/q4/100
Patch:
(from redmine: issue id 6364, created on 2016-10-18, closed on 2017-09-05)
- Relations:
- parent #6363 (closed)
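
The umask window described under CVE-2016-8605, shown as an added C example (not Guile's code and not part of the original report). mkdir_umask_zero models the described pattern and mkdir_keep_umask is an assumed shape for a fix; a call made inside the window stands in for the second thread, since the umask is shared by every thread of the process. All function names and the /tmp scratch path are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for a second thread: the umask is per-process, not per-thread. */
static mode_t other_thread_creates(const char *path) {
    struct stat st;
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
    int ok = fd >= 0 && fstat(fd, &st) == 0;
    if (fd >= 0) close(fd);
    unlink(path);
    return ok ? (st.st_mode & 0777) : (mode_t)-1;
}

/* Pattern the advisory describes: umask cleared around mkdir(). */
static mode_t mkdir_umask_zero(const char *dir, const char *file) {
    mode_t old = umask(0);                     /* window opens */
    mkdir(dir, 0777);
    mode_t seen = other_thread_creates(file);  /* lands in the window */
    umask(old);                                /* window closes */
    return seen;
}

/* Assumed shape of a fix: leave the umask alone, the kernel applies it. */
static mode_t mkdir_keep_umask(const char *dir, const char *file) {
    mkdir(dir, 0777);
    return other_thread_creates(file);
}

/* One variant under umask 022; returns the file's mode, *dmode = dir's mode. */
mode_t run_variant(int racy, mode_t *dmode) {
    char base[64], dir[80], file[80];
    struct stat st;
    snprintf(base, sizeof base, "/tmp/umask-demo-%ld", (long)getpid());
    if (mkdir(base, 0700) != 0) return *dmode = (mode_t)-1; /* name taken */
    snprintf(dir, sizeof dir, "%s/d", base);
    snprintf(file, sizeof file, "%s/f", base);
    mode_t saved = umask(022);
    mode_t seen = racy ? mkdir_umask_zero(dir, file) : mkdir_keep_umask(dir, file);
    umask(saved);
    *dmode = stat(dir, &st) == 0 ? (st.st_mode & 0777) : (mode_t)-1;
    rmdir(dir); rmdir(base);
    return seen;
}

int main(void) {
    mode_t d1, d0, f1 = run_variant(1, &d1), f0 = run_variant(0, &d0);
    printf("window: dir %o file %o | kept: dir %o file %o\n", (unsigned)d1, (unsigned)f1, (unsigned)d0, (unsigned)f0);
}
```

Under umask 022 the first variant leaves the directory at 0777 and the file created inside the window at 0666; the second yields 0755 and 0644.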