guile: two vulnerabilities
Package(s): guile
CVE #(s): CVE-2016-8605 CVE-2016-8606
Created: October 17, 2016
Updated: February 17, 2017
Description: From the Arch Linux advisory:
- CVE-2016-8605 (information disclosure): The mkdir procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777.
- CVE-2016-8606 (arbitrary code execution): It was reported that the REPL server is vulnerable to the HTTP inter-protocol attack. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network. Applications that do not run a REPL server, as is usually the case, are unaffected.

A remote attacker is able to execute arbitrary code via an HTTP inter-protocol attack if the REPL server is listening on a loopback device or private network. Running a multi-threaded guile application can cause directories or files to be created with world readable/writable/executable permissions during a small window which leads to information disclosure.
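The umask window behind CVE-2016-8605, as an added C example that is not Guile's own code: pthread barriers force a second thread to create a file while the first thread has zeroed the process umask, so a 0666 file appears even though the umask is 022, and mkdir_exact_mode shows a thread-safe way to obtain an exact directory mode without touching the umask at all. All function and path names are mine, and the barrier choreography only makes the race reproducible; in a real program the window is hit by timing.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <pthread.h>
#include <sys/stat.h>
#include <unistd.h>

/* Barriers force the bystander into the umask(0) window so the race reproduces every run. */
static pthread_barrier_t in_window, leave_window;

/* Vulnerable pattern: zero the process-wide umask so mkdir(2) applies the mode
 * exactly. umask is per process, so every other thread is unmasked meanwhile. */
static void *mkdir_with_umask_trick(void *dir) {
    mode_t old = umask(0);                   /* window opens */
    pthread_barrier_wait(&in_window);
    pthread_barrier_wait(&leave_window);
    mkdir((const char *)dir, 0700);
    umask(old);                              /* window closes */
    return NULL;
}

/* Unrelated thread: asks for 0666 and expects 0644 under umask 022. */
static void *bystander_create_file(void *file) {
    pthread_barrier_wait(&in_window);
    int fd = open((const char *)file, O_WRONLY | O_CREAT, 0666);
    if (fd >= 0) close(fd);
    pthread_barrier_wait(&leave_window);
    return NULL;
}

mode_t perm_bits(const char *path) {        /* permission bits, or (mode_t)-1 if absent */
    struct stat st;
    return stat(path, &st) == 0 ? st.st_mode & 0777 : (mode_t)-1;
}

/* Runs both threads under umask 022 and returns the bystander file's mode. */
mode_t bystander_file_mode(const char *dir, const char *file) {
    pthread_t a, b;
    umask(022);
    pthread_barrier_init(&in_window, NULL, 2);
    pthread_barrier_init(&leave_window, NULL, 2);
    pthread_create(&a, NULL, mkdir_with_umask_trick, (void *)dir);
    pthread_create(&b, NULL, bystander_create_file, (void *)file);
    pthread_join(a, NULL);
    pthread_join(b, NULL);
    return perm_bits(file);
}

/* Safe form: leave umask alone, then chmod to the exact mode; before the chmod the dir can only be tighter. */
int mkdir_exact_mode(const char *dir, mode_t mode) {
    return mkdir(dir, mode) == 0 ? chmod(dir, mode) : -1;
}
```

Under umask 022 the bystander's file comes out 0666 instead of 0644, which is exactly the world-writable outcome the advisory describes.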