Context Navigation

Changes between Initial Version and Version 3 of Ticket #8436

Timestamp:: 10/17/2016 03:51:07 PM (8 years ago)
Author:: Douglas R. Reno
Comment:: Bruce, just updating the description with the list of security fixes and marking as high. Missed these while I was away from both of my email accounts.

Ticket #8436
- Property Owner changed from blfs-book@… to bdubbs@…
- Property Status new → closed
- Property Resolution → fixed
- Property Summary guile-2.0.13 → guile-2.0.13 (CVE-2016-8605 CVE-2016-8606)

-              initial
+              v3
 New point version
+{{{
+Description
+===========
+- CVE-2016-8605 (information disclosure)
+The mkdir procedure of GNU Guile, an implementation of the
+Scheme programming language, temporarily changed the
+process' umask to zero.  During that time window, in a
+multithreaded application, other threads could end up
+creating files with insecure permissions. For example, mkdir
+without the optional mode argument would create directories
+as 0777.
+- CVE-2016-8606 (arbitrary code execution)
+It was  reported that the REPL server is vulnerable to the
+HTTP inter- protocol attack. This constitutes a remote code
+execution vulnerability for developers running a REPL server
+that listens on a loopback device or private network.
+Applications that do not run a REPL server, as is usually
+the case, are unaffected.
+Impact
+======
+A remote attacker is able to execute arbitrary code via a HTTP
+inter-protocol attack if the REPL server is listening on a
+loopback device or private network.
+Running a multi-threaded guile application can cause
+directories or files to be created with world
+readable/writable/executable permissions during a small window
+which leads to information disclosure.
+}}}
+[http://www.openwall.com/lists/oss-security/2016/10/11/1]
+[http://www.openwall.com/lists/oss-security/2016/10/12/2]