Mageia: 2021-0340 Severe: Guile1.8 Permission Flaw And Code Risk
mageia
July 12, 2021
The mkdir procedure of GNU Guile temporarily changed the process' umask to zero
Summary
The mkdir procedure of GNU Guile temporarily changed the process' umask to
zero. During that time window, in a multithreaded application, other threads
could end up creating files with insecure permissions. For example, mkdir
without the optional mode argument would create directories as 0777. This is
fixed in Guile 2.0.13. Prior versions are affected (CVE-2016-8605).
The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to execute
arbitrary code via an HTTP inter-protocol attack (CVE-2016-8606).
References
- https://bugs.mageia.org/show_bug.cgi?id=27200
- https://bugs.mageia.org/show_bug.cgi?id=19567
- https://www.cve.org/CVERecord?id=CVE-2016-3605
- https://www.cve.org/CVERecord?id=CVE-2016-3606
Topics Covered
Resolution
SRPMS
- 7/core/guile1.8-1.8.8-25.1.mga7
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Publication date: 12 Jul 2021
URL: https://advisories.mageia.org/MGASA-2021-0340.html
Type: security
CVE: CVE-2016-3605,
CVE-2016-3606
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!