CVEs have been requested for two security issues fixed upstream in guile: http://openwall.com/lists/oss-security/2016/10/11/1 http://openwall.com/lists/oss-security/2016/10/11/9 The fixes will be included in 2.0.13 and commits are linked in the messages above.
CVE-2016-8605, CVE-2016-8606 assigned: http://www.openwall.com/lists/oss-security/2016/10/12/1 http://www.openwall.com/lists/oss-security/2016/10/12/2
Summary: guile new security issues fixed upstream => guile new security issues fixed upstream (CVE-2016-8605, CVE-2016-8606)
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC: (none) => arnaud.patard, cjw, fundawang, jani.valimaa, marja11, mitya, olav, thierry.vignaud
Assignee: bugsquad => pkg-bugs
Freeze push requested for cauldron.
CC: (none) => mrambo
Thanks, uploaded for Cauldron. These issues may affect Mageia 5 as well, so we should look at backporting those commits (or updating if necessary).
Version: Cauldron => 5
URL: (none) => http://lwn.net/Vulnerabilities/703769/
Patched package uploaded for Mageia 5.

Advisory:
========================

Updated guile package fixes security vulnerability:

The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process’ umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions (CVE-2016-8605).

GNU Guile, an implementation of the Scheme language, provides a ‘REPL server’ which is a command prompt that developers can connect to for live coding and debugging purposes. The REPL server is vulnerable to the HTTP inter-protocol attack. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network (CVE-2016-8606).

The guile package has been updated to version 2.0.13, fixing these issues and other bugs. See the upstream release announcements for details.

References:
http://www.openwall.com/lists/oss-security/2016/10/12/1
http://www.openwall.com/lists/oss-security/2016/10/12/2
http://lwn.net/Vulnerabilities/703769/
========================

Updated packages in core/updates_testing:
========================

guile-2.0.13-1.mga5 from guile-2.0.13-1.mga5.src.rpm
Assignee: pkg-bugs => qa-bugs
Patched package uploaded for Mageia 5.

Corrected Advisory:
========================

Updated guile package fixes security vulnerability:

The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process’ umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions (CVE-2016-8605).

GNU Guile, an implementation of the Scheme language, provides a ‘REPL server’ which is a command prompt that developers can connect to for live coding and debugging purposes. The REPL server is vulnerable to the HTTP inter-protocol attack. This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network (CVE-2016-8606).

The guile package has been updated to version 2.0.13, fixing these issues and other bugs. See the upstream release announcements for details.

References:
http://www.openwall.com/lists/oss-security/2016/10/12/1
http://www.openwall.com/lists/oss-security/2016/10/12/2
https://lists.gnu.org/archive/html/info-gnu/2014-03/msg00006.html
https://lists.gnu.org/archive/html/guile-devel/2014-03/msg00052.html
https://lists.gnu.org/archive/html/info-gnu/2016-07/msg00007.html
https://lists.gnu.org/archive/html/info-gnu/2016-10/msg00009.html
========================

Updated packages in core/updates_testing:
========================

guile-2.0.13-1.mga5 from guile-2.0.13-1.mga5.src.rpm
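The CVE-2016-8605 entry in the advisory describes a umask race. As an added illustration (not Guile's own code, and not part of this bug report), the following C shows the race-free way to create a directory with an exact mode: let mkdir() apply the umask, then chmod() to the requested bits, so the process-wide umask is never changed and other threads are never exposed. Helper names are hypothetical; it assumes a POSIX system with a writable /tmp.

```c
/* Added example, not Guile's own code: create a directory with an exact mode
 * WITHOUT touching the process-wide umask.  The pattern the advisory describes
 * (umask(0); mkdir(); umask(old)) races in a multithreaded process, because the
 * umask is per-process: anything another thread creates inside that window gets
 * no bits stripped.  Hypothetical helper names; POSIX only. */
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `path` with exactly the permission bits in `mode`.  Returns 0, or -1
 * with errno set.  The umask is never modified, so other threads are unaffected. */
int mkdir_exact_mode(const char *path, mode_t mode)
{
    mode &= 07777;
    /* The kernel applies the umask here, so the directory is never created
     * MORE permissive than requested (only possibly less). */
    if (mkdir(path, mode) != 0)
        return -1;
    /* Now widen to the exact bits the caller asked for. */
    if (chmod(path, mode) != 0) {
        int saved = errno;
        rmdir(path);                   /* do not leave a half-configured dir */
        errno = saved;
        return -1;
    }
    return 0;
}

/* Permission bits of `path`, or -1 if it cannot be stat()ed. */
int dir_mode_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Self-check (single-threaded): with a restrictive umask installed, the helper
 * must still yield exactly `want` and leave the umask untouched.  Returns 1/0. */
int demo_mkdir_exact(mode_t want)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/mkdir_exact_demo.%ld", (long)getpid());
    mode_t original = umask(022);      /* install a known umask for the demo */
    int rc = mkdir_exact_mode(path, want);
    mode_t seen = umask(original);     /* read current value, restore original */
    int got = dir_mode_bits(path);
    rmdir(path);
    return rc == 0 && seen == 022 && got == (int)(want & 07777);
}
```

With umask 022, mkdir() alone would yield 0755 for a requested 0775; the chmod() step restores the group write bit without ever loosening the umask for other threads.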
Potential test procedure: from http://www.delorie.com/gnu/docs/guile/guile-tut_7.html
1) create a file hello.scm
2) add:
   #!/bin/guile -s
   !#
   (display "hello world")
   (newline)
3) save; use chmod to make it executable; and run it
Whiteboard: (none) => has_procedure
MGA5-32 on Acer D620 Xfce
No installation issues
Followed procedure as per Comment 7: at CLI
$ ./hello.scm
hello world
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Advisory uploaded.
CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory
Testing Mageia 5 x64

Once again, many thanks to Mike for a test procedure.

BEFORE update, installed guile from normal repos:
guile 2.0.9 5.mga5 x86_64
guile-runtime 2.0.9 5.mga5 x86_64
lib64guile2.0_22 2.0.9 5.mga5 x86_64
Note that 3 packages were installed, not just that in Comment 6 - the first.

Running the little test:
$ ./hello.scm
;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
;;; or pass the --no-auto-compile argument to disable.
;;; compiling /home/lewis/tmp/./hello.scm
;;; compiled /home/lewis/.cache/guile/ccache/2.0-LE-8-2.0/home/lewis/tmp/hello.scm.go
hello world [the actual output]

AFTER the update, which went smoothly:
guile-2.0.13-1.mga5
guile-runtime-2.0.13-1.mga5
lib64guile2.0_22-2.0.13-1.mga5
Note again the 3 packages.
$ ./hello.scm
hello world

OK. Validating. Advisory already done.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK advisory => has_procedure MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0354.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED