guile: multiple issues

2016-10-16T00:00:00
ID ASA-201610-10
Type archlinux
Reporter Arch Linux
Modified 2016-10-16T00:00:00

Description

  • CVE-2016-8605 (information disclosure)

The mkdir procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777.
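The umask race described above, shown in Python as an added example that is not Guile's own code: the `other_thread_work` callback stands in for a concurrent thread acting inside the zeroed-umask window, and the file names, modes and the `world_writable` audit helper are all constructed for this illustration.

```python
import os
import stat
import tempfile


def mkdir_umask_zero(path, mode, other_thread_work=None):
    """Pattern behind CVE-2016-8605: zero the process-wide umask so that
    mkdir gets exactly `mode`. Between the two umask() calls every other
    thread in the process creates files with no umask applied at all.
    `other_thread_work` simulates such a thread (constructed for the demo)."""
    old = os.umask(0)
    try:
        os.mkdir(path, mode)
        if other_thread_work is not None:
            other_thread_work()
    finally:
        os.umask(old)


def mkdir_exact_mode(path, mode):
    """Thread-safe alternative: mkdir honours the caller's umask, then chmod
    on the new directory sets the exact bits. No process-wide state changes."""
    os.mkdir(path, mode)
    os.chmod(path, mode)


def world_writable(root):
    """Audit helper: paths under root that are writable by 'other', which is
    what files created during a zeroed-umask window typically look like."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if stat.S_IMODE(os.lstat(p).st_mode) & stat.S_IWOTH:
                found.append(p)
    return sorted(found)


def demo():
    """Run both variants under a 0o022 umask and report what each produced."""
    base = tempfile.mkdtemp()
    saved = os.umask(0o022)
    try:
        victim = os.path.join(base, "victim.txt")

        def other_thread():  # opens a file with 0o666 while the umask is 0
            os.close(os.open(victim, os.O_CREAT | os.O_WRONLY, 0o666))

        mkdir_umask_zero(os.path.join(base, "racy"), 0o755, other_thread)
        safe = os.path.join(base, "safe")
        mkdir_exact_mode(safe, 0o755)
        return {
            "victim_mode": stat.S_IMODE(os.lstat(victim).st_mode),
            "safe_mode": stat.S_IMODE(os.lstat(safe).st_mode),
            "world_writable": [os.path.basename(p) for p in world_writable(base)],
            "umask_after": os.umask(0o022),
        }
    finally:
        os.umask(saved)
```

Running `demo()` shows the file created by the simulated concurrent thread ending up 0o666, while the safe variant yields exactly 0o755 without ever touching the process umask.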

  • CVE-2016-8606 (arbitrary code execution)

It was reported that the REPL server is vulnerable to the HTTP inter-protocol attack. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network. Applications that do not run a REPL server, as is usually the case, are unaffected.