Advisories » MGASA-2016-0354

Updated guile packages fix security vulnerability

Publication date: 23 Oct 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-8605 , CVE-2016-8606


The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme 
programming language, temporarily changed the process’ umask to zero.
During that time window, in a multithreaded application, other threads
could end up creating files with insecure permissions (CVE-2016-8605).

GNU Guile, an implementation of the Scheme language, provides a “REPL
server” which is a command prompt that developers can connect to for
live coding and debugging purposes. The REPL server is vulnerable to the
HTTP inter-protocol attack. This constitutes a remote code execution
vulnerability for developers running a REPL server that listens on a
loopback device or private network (CVE-2016-8606).

The guile package has been updated to version 2.0.13, fixing these
issues and other bugs. See the upstream release announcements for