ArchLinux: 201610-10: guile: multiple issues
Summary
- CVE-2016-8605 (information disclosure)
The mkdir procedure of GNU Guile, an implementation of the
Scheme programming language, temporarily changed the
process' umask to zero. During that time window, in a
multithreaded application, other threads could end up
creating files with insecure permissions. For example, mkdir
without the optional mode argument would create directories
as 0777.
- CVE-2016-8606 (arbitrary code execution)
It was reported that the REPL server is vulnerable to the
HTTP inter-protocol attack. This constitutes a remote code
execution vulnerability for developers running a REPL server
that listens on a loopback device or private network.
Applications that do not run a REPL server, as is usually
the case, are unaffected.
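The umask window described under CVE-2016-8605, as an added example in C (not Guile's code): two threads are sequenced with a barrier so that an unrelated mkdir(path, 0777) is guaranteed to run while the other thread has zeroed the umask, alongside a variant that gets exact permission bits with chmod instead of touching the process-wide umask. The /tmp paths, the 022 umask and the 0777 default are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Constructed demo of the CVE-2016-8605 pattern: umask(2) is process-global, so a
   "temporary" umask(0) in one thread changes what every other thread creates. */
static pthread_barrier_t sync_point;  /* sequences the threads so the demo is deterministic */
static mode_t other_bits;             /* permission bits the unrelated thread's dir got */
/* Vulnerable pattern: force exact bits by zeroing the umask around mkdir(2). */
static void *mkdir_exact_vulnerable(void *dir) {
    mode_t old = umask(0);              /* the window opens for the whole process */
    pthread_barrier_wait(&sync_point);  /* let the other thread run inside it ... */
    pthread_barrier_wait(&sync_point);  /* ... and finish before the umask is restored */
    mkdir(dir, 0700);
    umask(old);
    return NULL;
}
/* Unrelated thread: plain mkdir(path, 0777), expecting umask 022 to trim it to 0755. */
static void *other_thread(void *dir) {
    pthread_barrier_wait(&sync_point);
    mkdir(dir, 0777);
    struct stat st;
    if (stat(dir, &st) == 0) other_bits = st.st_mode & 0777;
    pthread_barrier_wait(&sync_point);
    return NULL;
}
/* Runs both threads under umask 022; returns the bits the unrelated directory got. */
mode_t run_race(void) {
    char tmpl[] = "/tmp/umask-race-XXXXXX", dir[64], other[64];
    if (!mkdtemp(tmpl)) return (mode_t)-1;
    snprintf(dir, sizeof dir, "%s/exact", tmpl);
    snprintf(other, sizeof other, "%s/other", tmpl);
    umask(022);
    pthread_barrier_init(&sync_point, NULL, 2);
    pthread_t a, b;
    pthread_create(&a, NULL, mkdir_exact_vulnerable, dir);
    pthread_create(&b, NULL, other_thread, other);
    pthread_join(a, NULL); pthread_join(b, NULL);
    pthread_barrier_destroy(&sync_point);
    rmdir(other); rmdir(dir); rmdir(tmpl);
    return other_bits;                  /* 0777: world-writable, not the expected 0755 */
}
/* Safe pattern: leave the umask alone; chmod(2) after mkdir is not subject to umask. */
mode_t mkdir_exact_safe(const char *dir, mode_t mode) {
    struct stat st;
    if (mkdir(dir, mode) != 0 || chmod(dir, mode) != 0 || stat(dir, &st) != 0) return (mode_t)-1;
    return st.st_mode & 0777;
}
```

The same reasoning applies to any library code that changes the umask: the setting belongs to the process, not the caller, so every other thread's open(2) and mkdir(2) is affected for the duration of the window.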
Resolution
Upgrade to 2.0.13-1.
# pacman -Syu "guile>=2.0.13-1"
The problems have been fixed upstream in version 2.0.13.
References
https://www.openwall.com/lists/oss-security/2016/10/11/1
https://www.openwall.com/lists/oss-security/2016/10/12/2
https://access.redhat.com/security/cve/CVE-2016-8605
https://access.redhat.com/security/cve/CVE-2016-8606
https://lists.gnu.org/archive/html/info-gnu/2016-10/msg00009.html
Workaround
- CVE-2016-8606 (arbitrary code execution)
Bind the REPL server to a Unix-domain socket:
guile --listen=/tmp/guile-socket