| Summary: | guile new security issues fixed upstream (CVE-2016-8605, CVE-2016-8606) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | arnaud.patard, cjw, fundawang, herman.viaene, jani.valimaa, lewyssmith, marja11, mhrambo3501, mitya, olav, sysadmin-bugs, thierry.vignaud |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/703769/ | ||
| Whiteboard: | has_procedure MGA5-32-OK advisory MGA5-64-OK | ||
| Source RPM: | guile-2.0.11-4.mga6.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2016-10-11 23:17:59 CEST
CVE-2016-8605, CVE-2016-8606 assigned:
http://www.openwall.com/lists/oss-security/2016/10/12/1
http://www.openwall.com/lists/oss-security/2016/10/12/2

Summary: guile new security issues fixed upstream => guile new security issues fixed upstream (CVE-2016-8605, CVE-2016-8606)

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => arnaud.patard, cjw, fundawang, jani.valimaa, marja11, mitya, olav, thierry.vignaud

Freeze push requested for cauldron.

CC: (none) => mrambo

Thanks, uploaded for Cauldron.

These issues may affect Mageia 5 as well, so we should look at backporting those commits (or updating if necessary).

Version: Cauldron => 5
David Walser
2016-10-17 18:30:27 CEST
URL: (none) => http://lwn.net/Vulnerabilities/703769/

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated guile package fixes security vulnerability:

The “mkdir” procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process’ umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions (CVE-2016-8605).

GNU Guile, an implementation of the Scheme language, provides a “REPL server” which is a command prompt that developers can connect to for live coding and debugging purposes. The REPL server is vulnerable to the HTTP inter-protocol attack. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network (CVE-2016-8606).

The guile package has been updated to version 2.0.13, fixing these issues and other bugs. See the upstream release announcements for details.

References:
http://www.openwall.com/lists/oss-security/2016/10/12/1
http://www.openwall.com/lists/oss-security/2016/10/12/2
http://lwn.net/Vulnerabilities/703769/
========================

Updated packages in core/updates_testing:
========================
guile-2.0.13-1.mga5

from guile-2.0.13-1.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs

Patched package uploaded for Mageia 5.

Corrected Advisory:
========================

Updated guile package fixes security vulnerability:

The “mkdir” procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process’ umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions (CVE-2016-8605).

GNU Guile, an implementation of the Scheme language, provides a “REPL server” which is a command prompt that developers can connect to for live coding and debugging purposes. The REPL server is vulnerable to the HTTP inter-protocol attack. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network (CVE-2016-8606).

The guile package has been updated to version 2.0.13, fixing these issues and other bugs. See the upstream release announcements for details.

References:
http://www.openwall.com/lists/oss-security/2016/10/12/1
http://www.openwall.com/lists/oss-security/2016/10/12/2
https://lists.gnu.org/archive/html/info-gnu/2014-03/msg00006.html
https://lists.gnu.org/archive/html/guile-devel/2014-03/msg00052.html
https://lists.gnu.org/archive/html/info-gnu/2016-07/msg00007.html
https://lists.gnu.org/archive/html/info-gnu/2016-10/msg00009.html
========================

Updated packages in core/updates_testing:
========================
guile-2.0.13-1.mga5

from guile-2.0.13-1.mga5.src.rpm

Potential test procedure: from http://www.delorie.com/gnu/docs/guile/guile-tut_7.html

1) create a file hello.scm
2) add:

    #!/bin/guile -s
    !#
    (display "hello world")
    (newline)

3) save; use chmod to make it executable; and run it
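The umask window behind CVE-2016-8605, shown in C as an added illustration (this is not Guile's source and not part of the bug report above). It assumes a writable $TMPDIR or /tmp, and it replaces the real thread race with a callback that stands in for "another thread" scheduled at the worst possible moment, so the outcome is deterministic: with the old umask(0)/restore pattern the other thread's file lands at 0666, while the hardened version (request 0777 and let the kernel apply the umask) leaves it at 0644.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Callback standing in for "another thread" that the scheduler happens to run
 * while mkdir is in the middle of its umask dance (assumption for this demo). */
typedef void (*window_hook_t)(void *ctx);

/* Vulnerable pattern, as the advisory describes it: the process umask is set to
 * zero in order to read it, then restored. Between the two calls every thread
 * in the process creates files with no umask applied. */
static int mkdir_default_vuln(const char *path, window_hook_t hook, void *ctx)
{
    mode_t mask = umask(0);        /* window opens: umask is 0 process-wide */
    if (hook) hook(ctx);           /* another thread creates a file now */
    umask(mask);                   /* window closes */
    return mkdir(path, 0777 & ~mask);
}

/* Hardened pattern: never touch the umask at all. Request 0777 and let the
 * kernel apply the caller's umask to the new directory. */
static int mkdir_default_fixed(const char *path, window_hook_t hook, void *ctx)
{
    if (hook) hook(ctx);           /* same interleaving, umask untouched */
    return mkdir(path, 0777);
}

struct probe {
    char path[256];
    int mode;   /* permission bits the probe file ended up with, or -1 */
};

/* Work done by the "other thread": an ordinary O_CREAT with the usual 0666. */
static void create_probe_file(void *ctx)
{
    struct probe *p = ctx;
    struct stat st;
    int fd = open(p->path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    p->mode = -1;
    if (fd < 0) return;
    close(fd);
    if (stat(p->path, &st) == 0)
        p->mode = (int)(st.st_mode & 0777);
}

/* Runs one scenario under umask 022 in a scratch directory beneath $TMPDIR
 * (or /tmp). Returns the probe file's permission bits: 0666 means the umask
 * was bypassed, 0644 means it was honoured. The new directory's bits go to
 * *dir_mode. Returns -1 on error. Cleans up after itself. */
static int probe_mode(int use_fixed, int *dir_mode)
{
    const char *tmp = getenv("TMPDIR");
    char base[256], sub[256];
    struct probe p;
    struct stat st;
    mode_t old;
    int rc, result = -1;

    if (!tmp) tmp = "/tmp";
    snprintf(base, sizeof base, "%s/guile-umask-%ld-%d", tmp, (long)getpid(), use_fixed);
    snprintf(sub, sizeof sub, "%s/newdir", base);
    snprintf(p.path, sizeof p.path, "%s/probe", base);
    p.mode = -1;
    if (mkdir(base, 0700) != 0) return -1;

    old = umask(022);
    rc = use_fixed ? mkdir_default_fixed(sub, create_probe_file, &p)
                   : mkdir_default_vuln(sub, create_probe_file, &p);
    umask(old);

    if (rc == 0 && stat(sub, &st) == 0) {
        *dir_mode = (int)(st.st_mode & 0777);
        result = p.mode;
    }
    unlink(p.path);
    rmdir(sub);
    rmdir(base);
    return result;
}

int main(void)
{
    int dm = 0, fm;
    fm = probe_mode(0, &dm);
    printf("vulnerable mkdir: probe file %04o, new dir %04o\n", fm, dm);
    fm = probe_mode(1, &dm);
    printf("fixed mkdir:      probe file %04o, new dir %04o\n", fm, dm);
    return 0;
}
```

The directory itself comes out 0755 either way, which is why the bug is easy to miss in single-threaded tests: only files created by other threads inside the window are affected, and in the real interpreter that window is a handful of instructions wide, so reproducing it without the hook means racing the scheduler.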
Mike Rambo
2016-10-18 19:38:26 CEST
Whiteboard: (none) => has_procedure

MGA5-32 on Acer D620 Xfce
No installation issues
Followed procedure as per Comment 7: at CLI

    $ ./hello.scm
    hello world

CC: (none) => herman.viaene

Advisory uploaded.

CC: (none) => lewyssmith

Testing Mageia 5 x64

Once again, many thanks to Mike for a test procedure.

BEFORE update, installed guile from normal repos:

    guile 2.0.9 5.mga5 x86_64
    guile-runtime 2.0.9 5.mga5 x86_64
    lib64guile2.0_22 2.0.9 5.mga5 x86_64

Note that 3 packages were installed, not just that in Comment 6 - the first.

Running the little test:

    $ ./hello.scm
    ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
    ;;;       or pass the --no-auto-compile argument to disable.
    ;;; compiling /home/lewis/tmp/./hello.scm
    ;;; compiled /home/lewis/.cache/guile/ccache/2.0-LE-8-2.0/home/lewis/tmp/hello.scm.go
    hello world                   [the actual output]

AFTER the update, which went smoothly:

    guile-2.0.13-1.mga5
    guile-runtime-2.0.13-1.mga5
    lib64guile2.0_22-2.0.13-1.mga5

Note again the 3 packages.

    $ ./hello.scm
    hello world

OK. Validating. Advisory already done.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0354.html

Status: NEW => RESOLVED