Bug 27200

Summary: guile1.8 missing fixes for CVE-2016-8605 and CVE-2016-8606
Product: Mageia Reporter: Martin Whitaker <mageia>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: guile1.8-1.8.8-25.mga7.src.rpm CVE: CVE-2016-8605, CVE-2016-8606
Status comment:

Description Martin Whitaker 2020-08-26 12:34:38 CEST 
In the process of fixing the build in cauldron, I noticed Fedora have a patch for their guile 1.8 package for this CVE. I've added it in cauldron, but I guess this should also be applied to Mageia 7.
Comment 1 Aurelien Oudelet 2020-08-26 12:43:00 CEST 
Hi Martin,
Thanks reporting this,
Assigning this to all packagers as their is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-08-26 13:04:47 CEST 
Already handled in Bug 19567.
Comment 3 Martin Whitaker 2020-08-26 13:13:15 CEST 
(In reply to David Walser from comment #2)
> Already handled in Bug 19567.

No, that only fixed the guile package, not guile1.8.
Comment 4 David Walser 2020-08-26 22:08:05 CEST 
Ouch!  Can we drop guile1.8 in Cauldron finally???

Summary: guile 1.8 CVE-2016-8605 => guile1.8 missing fixes for CVE-2016-8605 and CVE-2016-8606
Source RPM: guile1.8-1.8.8-25.mga7 => guile1.8-1.8.8-25.mga7.src.rpm

Comment 5 Martin Whitaker 2020-08-27 01:15:41 CEST 
(In reply to David Walser from comment #4)
> Ouch!  Can we drop guile1.8 in Cauldron finally???

I did look at that. There are only 3 packages still using it, drgeo, lilypond, and texmacs.

drgeo is a very old version and is replaced upstream by a complete rewrite in an obscure programming language. Don't know how easy it would be to package.

The lilypond website still states it requires guile 1.8, but both Fedora and Gentoo have switched to guile 2.2 with the latest 2.21 version of lilypond. However, we only have guile 2.0 in cauldron.

texmacs only works with guile 1.8.
David Walser 2020-12-28 18:43:33 CET

Status comment: (none) => Patch available in Cauldron

Comment 6 David Walser 2021-06-28 21:45:54 CEST 
Patch for CVE-2016-8605 synced from Cauldron to Mageia 7:
guile1.8-1.8.8-25.1.mga7
libguile17-1.8.8-25.1.mga7
libguile1.8-devel-1.8.8-25.1.mga7
guile1.8-runtime-1.8.8-25.1.mga7

from guile1.8-1.8.8-25.1.mga7.src.rpm

Status comment: Patch available in Cauldron => (none)
Assignee: pkg-bugs => qa-bugs

Comment 7 Thomas Andrews 2021-07-12 03:11:29 CEST 
Chose to use texmacs for testing, after reading Comment 5. Installed texmacs in a VirtualBox mga7 Plasma system, plus dependencies, 66 packages in all, including guile1.8-runtime and lib64guile17.

Downloaded an example texmacs document containing lots of mathematical symbols and formulae from http://www.texmacs.org/tmdoc/examples/examples.en.html, and displayed it in texmacs.

Updated the guile packages, with no issues. Displayed the texmacs document again, with no issues.

This one's good to go.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 8 Aurelien Oudelet 2021-07-12 20:46:45 CEST 
type: security
subject: Updated guile1.8 packages fix security vulnerabilities
CVE:
 - CVE-2016-3605
 - CVE-2016-3606
src:
  7:
   core:
     - guile1.8-1.8.8-25.1.mga7
description: |
  The mkdir procedure of GNU Guile temporarily changed the process' umask to
  zero. During that time window, in a multithreaded application, other threads
  could end up creating files with insecure permissions. For example, mkdir
  without the optional mode argument would create directories as 0777. This is
  fixed in Guile 2.0.13. Prior versions are affected (CVE-2016-8605).
  
  The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to execute
  arbitrary code via an HTTP inter-protocol attack (CVE-2016-8606).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=27200
 - https://bugs.mageia.org/show_bug.cgi?id=19567

CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2016-8605, CVE-2016-8606

Comment 9 David Walser 2021-07-12 21:21:31 CEST 
Nope, this one only fixes CVE-2016-3605.

Keywords: advisory => (none)

Comment 10 Aurelien Oudelet 2021-07-12 21:27:34 CEST 
Already sent by tmb, I'm sorry, I should do carefully read Comment 6. I was misled by the title which mentions CVE-2016-8606)... Sorry.

Revision: 12202
Author:   tmb
Date:     2021-07-12 21:14:11 +0200 (Mon, 12 Jul 2021)
Log Message:
-----------
MGASA-2021-0340: guile1.8-1.8.8-25.1.mga7

Modified Paths:
--------------
    27200.adv

Modified: 27200.adv
===================================================================
--- 27200.adv   2021-07-12 19:09:21 UTC (rev 12201)
+++ 27200.adv   2021-07-12 19:14:11 UTC (rev 12202)
@@ -19,3 +19,4 @@
 references:
  - https://bugs.mageia.org/show_bug.cgi?id=27200
  - https://bugs.mageia.org/show_bug.cgi?id=19567
+ID: MGASA-2021-0340
Comment 11 David Walser 2021-07-12 21:34:27 CEST 
You can still fix it in SVN and the wiki advisory will be fixed later.
Comment 12 Thomas Backlund 2021-07-12 21:37:34 CEST 
advisory already fixed
Thomas Backlund 2021-07-12 21:37:44 CEST

Keywords: (none) => advisory

Comment 13 Aurelien Oudelet 2021-07-12 21:38:58 CEST 
(In reply to David Walser from comment #11)
> You can still fix it in SVN and the wiki advisory will be fixed later.

"Magic TaaS" tmb already did this.
Many thanks to him.
Comment 14 Mageia Robot 2021-07-12 22:27:42 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0340.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED