[arch-security] [ASA-201610-10] guile: multiple issues
Jelle van der Waa
jelle at archlinux.org
Sun Oct 16 18:08:29 UTC 2016
Arch Linux Security Advisory ASA-201610-10
==========================================
Severity: High
Date : 2016-10-16
CVE-ID : CVE-2016-8605 CVE-2016-8606
Package : guile
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package guile before version 2.0.13-1 is vulnerable to
multiple issues including arbitrary code execution and
information disclosure.
Resolution
==========
Upgrade to 2.0.13-1.
# pacman -Syu "guile>=2.0.13-1"
The problems have been fixed upstream in version 2.0.13.
Workaround
==========
- CVE-2016-8606 (arbitrary code execution)
Bind the REPL server to a Unix-domain socket.
guile --listen=/tmp/guile-socket
Description
===========
- CVE-2016-8605 (information disclosure)
The mkdir procedure of GNU Guile, an implementation of the
Scheme programming language, temporarily changed the
process' umask to zero. During that time window, in a
multithreaded application, other threads could end up
creating files with insecure permissions. For example, mkdir
without the optional mode argument would create directories
as 0777.
- CVE-2016-8606 (arbitrary code execution)
It was reported that the REPL server is vulnerable to the
HTTP inter- protocol attack. This constitutes a remote code
execution vulnerability for developers running a REPL server
that listens on a loopback device or private network.
Applications that do not run a REPL server, as is usually
the case, are unaffected.
Impact
======
A remote attacker is able to execute arbitrary code via a HTTP
inter-protocol attack if the REPL server is listening on a
loopback device or private network.
Running a multi-threaded guile application can cause
directories or files to be created with world
readable/writable/executable permissions during a small window
which leads to information disclosure.
References
==========
http://www.openwall.com/lists/oss-security/2016/10/11/1
http://www.openwall.com/lists/oss-security/2016/10/12/2
https://access.redhat.com/security/cve/CVE-2016-8605
https://access.redhat.com/security/cve/CVE-2016-8606
https://lists.gnu.org/archive/html/info-gnu/2016-10/msg00009.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20161016/166ad416/attachment.asc>
More information about the arch-security
mailing list