[arch-security] [ASA-201610-10] guile: multiple issues
Arch Linux Security Advisory ASA-201610-10 ========================================== Severity: High Date : 2016-10-16 CVE-ID : CVE-2016-8605 CVE-2016-8606 Package : guile Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package guile before version 2.0.13-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure. Resolution ========== Upgrade to 2.0.13-1. # pacman -Syu "guile>=2.0.13-1" The problems have been fixed upstream in version 2.0.13. Workaround ========== - CVE-2016-8606 (arbitrary code execution) Bind the REPL server to a Unix-domain socket. guile --listen=/tmp/guile-socket Description =========== - CVE-2016-8605 (information disclosure) The mkdir procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. - CVE-2016-8606 (arbitrary code execution) It was reported that the REPL server is vulnerable to the HTTP inter- protocol attack. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network. Applications that do not run a REPL server, as is usually the case, are unaffected. Impact ====== A remote attacker is able to execute arbitrary code via a HTTP inter-protocol attack if the REPL server is listening on a loopback device or private network. Running a multi-threaded guile application can cause directories or files to be created with world readable/writable/executable permissions during a small window which leads to information disclosure. References ========== http://www.openwall.com/lists/oss-security/2016/10/11/1 http://www.openwall.com/lists/oss-security/2016/10/12/2 https://access.redhat.com/security/cve/CVE-2016-8605 https://access.redhat.com/security/cve/CVE-2016-8606 https://lists.gnu.org/archive/html/info-gnu/2016-10/msg00009.html
participants (1)
-
Jelle van der Waa