Bug 27200 - guile1.8 missing fixes for CVE-2016-8605 and CVE-2016-8606
Summary: guile1.8 missing fixes for CVE-2016-8605 and CVE-2016-8606
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-08-26 12:34 CEST by Martin Whitaker
Modified: 2021-07-12 22:27 CEST
CC: 3 users

See Also:
Source RPM: guile1.8-1.8.8-25.mga7.src.rpm
CVE: CVE-2016-8605, CVE-2016-8606
Status comment:



Description Martin Whitaker 2020-08-26 12:34:38 CEST
In the process of fixing the build in cauldron, I noticed Fedora have a patch for their guile 1.8 package for this CVE. I've added it in cauldron, but I guess this should also be applied to Mageia 7.
Comment 1 Aurelien Oudelet 2020-08-26 12:43:00 CEST
Hi Martin,
Thanks for reporting this.
Assigning this to all packagers as there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2020-08-26 13:04:47 CEST
Already handled in Bug 19567.
Comment 3 Martin Whitaker 2020-08-26 13:13:15 CEST
(In reply to David Walser from comment #2)
> Already handled in Bug 19567.

No, that only fixed the guile package, not guile1.8.
Comment 4 David Walser 2020-08-26 22:08:05 CEST
Ouch!  Can we drop guile1.8 in Cauldron finally???

Summary: guile 1.8 CVE-2016-8605 => guile1.8 missing fixes for CVE-2016-8605 and CVE-2016-8606
Source RPM: guile1.8-1.8.8-25.mga7 => guile1.8-1.8.8-25.mga7.src.rpm

Comment 5 Martin Whitaker 2020-08-27 01:15:41 CEST
(In reply to David Walser from comment #4)
> Ouch!  Can we drop guile1.8 in Cauldron finally???

I did look at that. There are only 3 packages still using it: drgeo, lilypond, and texmacs.

drgeo is a very old version and is replaced upstream by a complete rewrite in an obscure programming language. Don't know how easy it would be to package.

The lilypond website still states it requires guile 1.8, but both Fedora and Gentoo have switched to guile 2.2 with the latest 2.21 version of lilypond. However, we only have guile 2.0 in cauldron.

texmacs only works with guile 1.8.
David Walser 2020-12-28 18:43:33 CET

Status comment: (none) => Patch available in Cauldron

Comment 6 David Walser 2021-06-28 21:45:54 CEST
Patch for CVE-2016-8605 synced from Cauldron to Mageia 7:
guile1.8-1.8.8-25.1.mga7
libguile17-1.8.8-25.1.mga7
libguile1.8-devel-1.8.8-25.1.mga7
guile1.8-runtime-1.8.8-25.1.mga7

from guile1.8-1.8.8-25.1.mga7.src.rpm

Status comment: Patch available in Cauldron => (none)
Assignee: pkg-bugs => qa-bugs

Comment 7 Thomas Andrews 2021-07-12 03:11:29 CEST
Chose to use texmacs for testing, after reading Comment 5. Installed texmacs in a VirtualBox mga7 Plasma system, plus dependencies, 66 packages in all, including guile1.8-runtime and lib64guile17.

Downloaded an example texmacs document containing lots of mathematical symbols and formulae from http://www.texmacs.org/tmdoc/examples/examples.en.html, and displayed it in texmacs.

Updated the guile packages, with no issues. Displayed the texmacs document again, with no issues.

This one's good to go.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK

Comment 8 Aurelien Oudelet 2021-07-12 20:46:45 CEST
type: security
subject: Updated guile1.8 packages fix security vulnerabilities
CVE:
 - CVE-2016-3605
 - CVE-2016-3606
src:
  7:
   core:
     - guile1.8-1.8.8-25.1.mga7
description: |
  The mkdir procedure of GNU Guile temporarily changed the process' umask to
  zero. During that time window, in a multithreaded application, other threads
  could end up creating files with insecure permissions. For example, mkdir
  without the optional mode argument would create directories as 0777. This is
  fixed in Guile 2.0.13. Prior versions are affected (CVE-2016-8605).
  
  The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to execute
  arbitrary code via an HTTP inter-protocol attack (CVE-2016-8606).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=27200
 - https://bugs.mageia.org/show_bug.cgi?id=19567

CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2016-8605, CVE-2016-8606

Comment 9 David Walser 2021-07-12 21:21:31 CEST
Nope, this one only fixes CVE-2016-3605.

Keywords: advisory => (none)

Comment 10 Aurelien Oudelet 2021-07-12 21:27:34 CEST
Already sent by tmb, I'm sorry, I should have carefully read Comment 6. I was misled by the title which mentions CVE-2016-8606... Sorry.

Revision: 12202
Author:   tmb
Date:     2021-07-12 21:14:11 +0200 (Mon, 12 Jul 2021)
Log Message:
-----------
MGASA-2021-0340: guile1.8-1.8.8-25.1.mga7

Modified Paths:
--------------
    27200.adv

Modified: 27200.adv
===================================================================
--- 27200.adv   2021-07-12 19:09:21 UTC (rev 12201)
+++ 27200.adv   2021-07-12 19:14:11 UTC (rev 12202)
@@ -19,3 +19,4 @@
 references:
  - https://bugs.mageia.org/show_bug.cgi?id=27200
  - https://bugs.mageia.org/show_bug.cgi?id=19567
+ID: MGASA-2021-0340
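Review bot: the hunk only appends the `ID: MGASA-2021-0340` line; the `CVE:` and `description:` blocks of 27200.adv sit above the shown context and are not touched, so if the file still carries the draft from comment 8 it lists CVE-2016-3605 and CVE-2016-3606 and describes CVE-2016-8606 as fixed, whereas comment 6 states that only the CVE-2016-8605 patch was synced to Mageia 7. Comment 12 reports the advisory was already corrected, but that correction is not visible in this revision, so it is worth confirming the CVE list in rev 12201 or the published advisory before relying on the ID alone.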
Comment 11 David Walser 2021-07-12 21:34:27 CEST
You can still fix it in SVN and the wiki advisory will be fixed later.
Comment 12 Thomas Backlund 2021-07-12 21:37:34 CEST
Advisory already fixed.
Thomas Backlund 2021-07-12 21:37:44 CEST

Keywords: (none) => advisory

Comment 13 Aurelien Oudelet 2021-07-12 21:38:58 CEST
(In reply to David Walser from comment #11)
> You can still fix it in SVN and the wiki advisory will be fixed later.

"Magic TaaS" tmb already did this.
Many thanks to him.
Comment 14 Mageia Robot 2021-07-12 22:27:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0340.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

