Updated guile packages fix security vulnerability
Publication date: 23 Oct 2016
Modification date: 23 Oct 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-8605, CVE-2016-8606
Description
The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process’ umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions (CVE-2016-8605).

GNU Guile, an implementation of the Scheme language, provides a “REPL server”, a command prompt that developers can connect to for live coding and debugging purposes. The REPL server is vulnerable to the HTTP inter-protocol attack. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network (CVE-2016-8606).

The guile package has been updated to version 2.0.13, fixing these issues and other bugs. See the upstream release announcements for details.
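The umask problem behind CVE-2016-8605 is easy to reproduce because umask is a per-process setting shared by all threads. The following added example (not Guile's code; the directory and file names and the two threads are constructed for the demonstration) runs the buggy "drop umask, mkdir, restore umask" pattern next to a fixed version that leaves umask alone and applies the exact mode with chmod. Two events make the race deterministic so the unsafe outcome is reproducible instead of timing dependent.

```python
"""Added example: why a temporary umask(0) is unsafe in a multithreaded
process, and the fix of never changing umask.  Not Guile's own code."""
import os
import stat
import tempfile
import threading


def _mode_of(path: str) -> int:
    """Permission bits of a path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def racy_mkdir(path: str, mode: int, window_open: threading.Event,
               window_close: threading.Event) -> None:
    """Buggy pattern: zero the umask so mkdir gets exactly `mode`.
    umask is process-wide, so every other thread sees the zeroed mask
    while this runs.  The events only hold the window open for the demo."""
    old = os.umask(0)
    try:
        os.mkdir(path, mode)
        window_open.set()      # umask is 0 from here ...
        window_close.wait()    # ... until the other thread has finished
    finally:
        os.umask(old)


def safe_mkdir(path: str, mode: int) -> None:
    """Fixed pattern: keep the umask, then set the exact mode afterwards.
    Nothing else in the process is affected."""
    os.mkdir(path, mode)
    os.chmod(path, mode)


def unrelated_writer(path: str, window_open: threading.Event,
                     window_close: threading.Event) -> None:
    """Some other thread creating a file the usual way (0o666 minus umask),
    expecting to end up with 0o644."""
    window_open.wait()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    os.close(fd)
    window_close.set()


def demo() -> dict:
    """Run both patterns under umask 022; return the resulting mode bits."""
    base = tempfile.mkdtemp()            # constructed scratch directory
    saved = os.umask(0o022)
    try:
        # 1. Buggy mkdir: the unrelated file is created while umask is 0.
        opened, closed = threading.Event(), threading.Event()
        t1 = threading.Thread(target=racy_mkdir,
                              args=(os.path.join(base, "d1"), 0o700, opened, closed))
        t2 = threading.Thread(target=unrelated_writer,
                              args=(os.path.join(base, "leak"), opened, closed))
        t1.start(); t2.start(); t1.join(); t2.join()
        racy_file = _mode_of(os.path.join(base, "leak"))

        # 2. Fixed mkdir: umask never changes, so a concurrent create is fine.
        safe_mkdir(os.path.join(base, "d2"), 0o700)
        fd = os.open(os.path.join(base, "ok"),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
        safe_file = _mode_of(os.path.join(base, "ok"))

        return {"racy_file": racy_file, "safe_file": safe_file,
                "dir1": _mode_of(os.path.join(base, "d1")),
                "dir2": _mode_of(os.path.join(base, "d2"))}
    finally:
        os.umask(saved)


if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {oct(mode)}")
```

With umask 022 the file written during the racy window comes out world-writable (0o666) while the one written beside the fixed mkdir is 0o644; both directories get the requested 0o700 either way, which is why the chmod-after-mkdir approach loses nothing.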
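The REPL server issue (CVE-2016-8606) is an inter-protocol problem: a line-oriented service that evaluates whatever text arrives will happily accept a connection opened by something that speaks HTTP. A common defensive measure for any such service is to look at the first line of a new connection and drop it if it is an HTTP request line, before anything reaches the evaluator. The following added example (not Guile's code; `serve_session` and its fake evaluator are constructed for the demonstration) implements that guard over an in-memory byte stream so it can be run offline.

```python
"""Added example: refuse HTTP-shaped input on a line-oriented evaluator
service before any line is evaluated.  Not Guile's own code."""
import io
import re

# An HTTP request line: METHOD SP request-target SP HTTP/x.y, e.g.
# "GET /foo HTTP/1.1".  Anchored so an ordinary expression never matches.
_HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d\r?\n?$")


def is_http_request_line(line: bytes) -> bool:
    """True if `line` looks like the start of an HTTP request."""
    return _HTTP_REQUEST_LINE.match(line) is not None


def serve_session(conn: io.BufferedReader, evaluate) -> list:
    """Read lines from `conn` and hand each to `evaluate`, except that the
    very first line is inspected: if it is an HTTP request line the session
    is closed and nothing is evaluated.  Returns the evaluation results."""
    results = []
    first = conn.readline()
    if not first:
        return results
    if is_http_request_line(first):
        # Close without reading or evaluating anything further.
        return ["closed: HTTP request on non-HTTP port"]
    results.append(evaluate(first))
    for line in conn:
        results.append(evaluate(line))
    return results


def _fake_evaluate(line: bytes) -> str:
    """Stand-in for the real evaluator: just echoes what it would evaluate."""
    return "evaluated: " + line.rstrip(b"\r\n").decode()


def run_demo() -> dict:
    """Feed a constructed HTTP-shaped stream and a constructed ordinary
    session through the guard and return what each produced."""
    http_stream = io.BufferedReader(io.BytesIO(
        b"POST /repl HTTP/1.1\r\nHost: localhost\r\n\r\n(display 1)\n"))
    repl_stream = io.BufferedReader(io.BytesIO(
        b"(+ 1 2)\n(display \"hello\")\n"))
    return {
        "http": serve_session(http_stream, _fake_evaluate),
        "repl": serve_session(repl_stream, _fake_evaluate),
    }


if __name__ == "__main__":
    for name, out in run_demo().items():
        print(name, out)
```

The guard only needs the first line because an HTTP client always leads with the request line; everything that follows (headers, the blank line, a body) is never read once the session is closed, so no attacker-controlled text reaches the evaluator. Binding the REPL server to a Unix socket or a loopback address with authentication remains the stronger control; the line check is a cheap second layer.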
References
- https://bugs.mageia.org/show_bug.cgi?id=19567
- http://www.openwall.com/lists/oss-security/2016/10/12/1
- http://www.openwall.com/lists/oss-security/2016/10/12/2
- http://lwn.net/Vulnerabilities/703769/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8605
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8606
SRPMS
5/core
- guile-2.0.13-1.mga5