In the process of fixing the build in cauldron, I noticed Fedora have a patch for their guile 1.8 package for this CVE. I've added it in cauldron, but I guess this should also be applied to Mageia 7.
Hi Martin, thanks for reporting this. Assigning this to all packagers as there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
Already handled in Bug 19567.
(In reply to David Walser from comment #2)
> Already handled in Bug 19567.
No, that only fixed the guile package, not guile1.8.
Ouch! Can we drop guile1.8 in Cauldron finally???
Summary: guile 1.8 CVE-2016-8605 => guile1.8 missing fixes for CVE-2016-8605 and CVE-2016-8606
Source RPM: guile1.8-1.8.8-25.mga7 => guile1.8-1.8.8-25.mga7.src.rpm
(In reply to David Walser from comment #4)
> Ouch! Can we drop guile1.8 in Cauldron finally???
I did look at that. There are only 3 packages still using it, drgeo, lilypond, and texmacs. drgeo is a very old version and is replaced upstream by a complete rewrite in an obscure programming language. Don't know how easy it would be to package. The lilypond website still states it requires guile 1.8, but both Fedora and Gentoo have switched to guile 2.2 with the latest 2.21 version of lilypond. However, we only have guile 2.0 in cauldron. texmacs only works with guile 1.8.
Status comment: (none) => Patch available in Cauldron
Patch for CVE-2016-8605 synced from Cauldron to Mageia 7:
guile1.8-1.8.8-25.1.mga7
libguile17-1.8.8-25.1.mga7
libguile1.8-devel-1.8.8-25.1.mga7
guile1.8-runtime-1.8.8-25.1.mga7
from guile1.8-1.8.8-25.1.mga7.src.rpm
Status comment: Patch available in Cauldron => (none)
Assignee: pkg-bugs => qa-bugs
Chose to use texmacs for testing, after reading Comment 5. Installed texmacs in a VirtualBox mga7 Plasma system, plus dependencies, 66 packages in all, including guile1.8-runtime and lib64guile17. Downloaded an example texmacs document containing lots of mathematical symbols and formulae from http://www.texmacs.org/tmdoc/examples/examples.en.html, and displayed it in texmacs. Updated the guile packages, with no issues. Displayed the texmacs document again, with no issues. This one's good to go.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
type: security
subject: Updated guile1.8 packages fix security vulnerabilities
CVE:
 - CVE-2016-3605
 - CVE-2016-3606
src:
  7:
   core:
     - guile1.8-1.8.8-25.1.mga7
description: |
  The mkdir procedure of GNU Guile temporarily changed the process' umask to
  zero. During that time window, in a multithreaded application, other threads
  could end up creating files with insecure permissions. For example, mkdir
  without the optional mode argument would create directories as 0777. This is
  fixed in Guile 2.0.13. Prior versions are affected (CVE-2016-8605).

  The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to execute
  arbitrary code via an HTTP inter-protocol attack (CVE-2016-8606).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=27200
 - https://bugs.mageia.org/show_bug.cgi?id=19567
CC: (none) => ouaurelien
Keywords: (none) => advisory
CVE: (none) => CVE-2016-8605, CVE-2016-8606
Nope, this one only fixes CVE-2016-3605.
Keywords: advisory => (none)
Already sent by tmb, I'm sorry, I should have carefully read Comment 6. I was misled by the title (which mentions CVE-2016-8606)... Sorry.
Revision: 12202 Author: tmb Date: 2021-07-12 21:14:11 +0200 (Mon, 12 Jul 2021) Log Message: ----------- MGASA-2021-0340: guile1.8-1.8.8-25.1.mga7 Modified Paths: -------------- 27200.adv Modified: 27200.adv =================================================================== --- 27200.adv 2021-07-12 19:09:21 UTC (rev 12201) +++ 27200.adv 2021-07-12 19:14:11 UTC (rev 12202) @@ -19,3 +19,4 @@ references: - https://bugs.mageia.org/show_bug.cgi?id=27200 - https://bugs.mageia.org/show_bug.cgi?id=19567 +ID: MGASA-2021-0340
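Review bot: the added `ID: MGASA-2021-0340` line at the end of 27200.adv assigns the advisory ID without touching anything above the references block, so the CVE entries are published as they stood. The advisory text posted earlier in this thread lists CVE-2016-3605 and CVE-2016-3606 under `CVE:`, while its description and the bug summary cite CVE-2016-8605 and CVE-2016-8606, and the thread states that this update only carries the first fix. A follow-up revision to 27200.adv should bring the `CVE:` list and the description in line with what guile1.8-1.8.8-25.1.mga7 actually fixes.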
You can still fix it in SVN and the wiki advisory will be fixed later.
advisory already fixed
Keywords: (none) => advisory
(In reply to David Walser from comment #11)
> You can still fix it in SVN and the wiki advisory will be fixed later.
"Magic TaaS" tmb already did this. Many thanks to him.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0340.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED