Mageia 2021-0340: guile1.8 security update | LinuxSecurity.com

Advisories

MGASA-2021-0340 - Updated guile1.8 packages fix security vulnerabilities

Publication date: 12 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0340.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2016-3605,
     CVE-2016-3606

The mkdir procedure of GNU Guile temporarily changed the process' umask to
zero. During that time window, in a multithreaded application, other threads
could end up creating files with insecure permissions. For example, mkdir
without the optional mode argument would create directories as 0777. This is
fixed in Guile 2.0.13. Prior versions are affected (CVE-2016-8605).

The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to execute
arbitrary code via an HTTP inter-protocol attack (CVE-2016-8606).

References:
- https://bugs.mageia.org/show_bug.cgi?id=27200
- https://bugs.mageia.org/show_bug.cgi?id=19567
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3605
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606

SRPMS:
- 7/core/guile1.8-1.8.8-25.1.mga7

Mageia 2021-0340: guile1.8 security update

The mkdir procedure of GNU Guile temporarily changed the process' umask to zero

Summary

The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. This is fixed in Guile 2.0.13. Prior versions are affected (CVE-2016-8605).
The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to execute arbitrary code via an HTTP inter-protocol attack (CVE-2016-8606).

References

- https://bugs.mageia.org/show_bug.cgi?id=27200

- https://bugs.mageia.org/show_bug.cgi?id=19567

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3605

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606

Resolution

MGASA-2021-0340 - Updated guile1.8 packages fix security vulnerabilities

SRPMS

- 7/core/guile1.8-1.8.8-25.1.mga7

Severity
Publication date: 12 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0340.html
Type: security
CVE: CVE-2016-3605, CVE-2016-3606

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.