[arch-security] [ASA-201610-10] guile: multiple issues

Jelle van der Waa jelle at archlinux.org
Sun Oct 16 18:08:29 UTC 2016


Arch Linux Security Advisory ASA-201610-10
==========================================

Severity: High
Date    : 2016-10-16
CVE-ID  : CVE-2016-8605 CVE-2016-8606
Package : guile
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package guile before version 2.0.13-1 is vulnerable to
multiple issues including arbitrary code execution and
information disclosure.

Resolution
==========

Upgrade to 2.0.13-1.

# pacman -Syu "guile>=2.0.13-1"

The problems have been fixed upstream in version 2.0.13.

Workaround
==========

- CVE-2016-8606 (arbitrary code execution)

Bind the REPL server to a Unix-domain socket.

  guile --listen=/tmp/guile-socket

Description
===========

- CVE-2016-8605 (information disclosure)

The mkdir procedure of GNU Guile, an implementation of the
Scheme programming language, temporarily changed the
process' umask to zero.  During that time window, in a
multithreaded application, other threads could end up
creating files with insecure permissions. For example, mkdir
without the optional mode argument would create directories
as 0777.

- CVE-2016-8606 (arbitrary code execution)

It was  reported that the REPL server is vulnerable to the
HTTP inter- protocol attack. This constitutes a remote code
execution vulnerability for developers running a REPL server
that listens on a loopback device or private network.
Applications that do not run a REPL server, as is usually
the case, are unaffected.

Impact
======

A remote attacker is able to execute arbitrary code via a HTTP
inter-protocol attack if the REPL server is listening on a
loopback device or private network.

Running a multi-threaded guile application can cause
directories or files to be created with world
readable/writable/executable permissions during a small window
which leads to information disclosure.

References
==========

http://www.openwall.com/lists/oss-security/2016/10/11/1
http://www.openwall.com/lists/oss-security/2016/10/12/2
https://access.redhat.com/security/cve/CVE-2016-8605
https://access.redhat.com/security/cve/CVE-2016-8606
https://lists.gnu.org/archive/html/info-gnu/2016-10/msg00009.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20161016/166ad416/attachment.asc>


More information about the arch-security mailing list