In the process of fixing the build in cauldron, I noticed Fedora have a patch for their guile 1.8 package for this CVE. I've added it in cauldron, but I guess this should also be applied to Mageia 7.
Thanks for reporting this.
Assigning this to all packagers as there is no registered maintainer for this package.
Already handled in Bug 19567.
(In reply to David Walser from comment #2)
> Already handled in Bug 19567.
No, that only fixed the guile package, not guile1.8.
Ouch! Can we drop guile1.8 in Cauldron finally???
guile 1.8 CVE-2016-8605 => guile1.8 missing fixes for CVE-2016-8605 and CVE-2016-8606
(In reply to David Walser from comment #4)
> Ouch! Can we drop guile1.8 in Cauldron finally???
I did look at that. There are only 3 packages still using it, drgeo, lilypond, and texmacs.
drgeo is a very old version and is replaced upstream by a complete rewrite in an obscure programming language. Don't know how easy it would be to package.
The lilypond website still states it requires guile 1.8, but both Fedora and Gentoo have switched to guile 2.2 with the latest 2.21 version of lilypond. However, we only have guile 2.0 in cauldron.
texmacs only works with guile 1.8.
Patch available in Cauldron
Patch for CVE-2016-8605 synced from Cauldron to Mageia 7:
Patch available in Cauldron =>
Chose to use texmacs for testing, after reading Comment 5. Installed texmacs in a VirtualBox mga7 Plasma system, plus dependencies, 66 packages in all, including guile1.8-runtime and lib64guile17.
Downloaded an example texmacs document containing lots of mathematical symbols and formulae from http://www.texmacs.org/tmdoc/examples/examples.en.html, and displayed it in texmacs.
Updated the guile packages, with no issues. Displayed the texmacs document again, with no issues.
This one's good to go.
subject: Updated guile1.8 packages fix security vulnerabilities
The mkdir procedure of GNU Guile temporarily changed the process' umask to
zero. During that time window, in a multithreaded application, other threads
could end up creating files with insecure permissions. For example, mkdir
without the optional mode argument would create directories as 0777. This is
fixed in Guile 2.0.13. Prior versions are affected (CVE-2016-8605).
The REPL server (--listen) in GNU Guile 2.0.12 allows an attacker to execute
arbitrary code via an HTTP inter-protocol attack (CVE-2016-8606).
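The umask window described in the advisory for CVE-2016-8605, as an added example written for this page (it is not Guile's source and not part of the bug report; all function names are invented). The unsafe pattern reads the process umask by setting it to zero and restoring it, which leaves every other thread in the process creating files with no umask for the duration of the window. The safe pattern passes the maximal mode to mkdir(2) and lets the kernel apply the umask atomically, which is exactly what the default-mode case needs.

```c
/* Added example for the CVE-2016-8605 umask race. Illustration code, not
 * Guile's own; the names probe_umask_window, mkdir_with_default_mode,
 * permission_bits and demo_safe_mkdir are invented for this page. */
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>

/* Unsafe pattern: discover the umask by zeroing it and putting it back.
 * Between the two umask() calls the process umask is 0, so any thread that
 * creates a file in that window gets the mode it asked for with no masking.
 * Returns the umask value that such a thread would have observed. */
mode_t probe_umask_window(void)
{
    mode_t saved = umask(0);       /* window opens: umask is now 0 process-wide */
    mode_t inside = umask(saved);  /* window closes; 'inside' is what others saw */
    return inside;                 /* always 0: the exposure is real, not theoretical */
}

/* Safe pattern: never touch the umask. mkdir(2) applies the process umask
 * itself, so the directory ends up as 0777 & ~umask without any window. */
int mkdir_with_default_mode(const char *path)
{
    return mkdir(path, 0777);
}

/* Permission bits of an existing path, or -1 if it cannot be stat'ed. */
int permission_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Creates a child directory with the safe pattern under a scratch directory
 * in /tmp, reports the child's permission bits, and cleans up. The demo is
 * single-threaded, so setting the umask here is harmless; the point is that
 * mkdir_with_default_mode itself never needs to read or change it. */
int demo_safe_mkdir(mode_t mask)
{
    char scratch[64], child[80];
    snprintf(scratch, sizeof scratch, "/tmp/umask-demo-%ld", (long)getpid());
    snprintf(child, sizeof child, "%s/child", scratch);

    if (mkdir(scratch, 0700) != 0)
        return -1;

    mode_t old = umask(mask);      /* the umask the demo should observe */
    int rc = mkdir_with_default_mode(child);
    umask(old);                    /* restore the caller's umask */

    int bits = (rc == 0) ? permission_bits(child) : -1;
    rmdir(child);
    rmdir(scratch);
    return bits;
}

int main(void)
{
    printf("umask seen inside the unsafe window: %04o\n",
           (unsigned)probe_umask_window());
    printf("directory created with umask 022:     %04o\n",
           demo_safe_mkdir(022));
    return 0;
}
```

With a umask of 022 the safe pattern yields 0755, and with 077 it yields 0700, without the process umask ever being zeroed. The fixed Guile simply passes the mode through to mkdir(2), which is what the advisory means by the default case creating directories as 0777.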
Nope, this one only fixes CVE-2016-3605.
Already sent by tmb, I'm sorry, I should have carefully read Comment 6. I was misled by the title which mentions CVE-2016-8606... Sorry.
Date: 2021-07-12 21:14:11 +0200 (Mon, 12 Jul 2021)
--- 27200.adv 2021-07-12 19:09:21 UTC (rev 12201)
+++ 27200.adv 2021-07-12 19:14:11 UTC (rev 12202)
@@ -19,3 +19,4 @@
You can still fix it in SVN and the wiki advisory will be fixed later.
advisory already fixed
(In reply to David Walser from comment #11)
> You can still fix it in SVN and the wiki advisory will be fixed later.
"Magic TaaS" tmb already did this.
Many thanks to him.
An update for this issue has been pushed to the Mageia Updates repository.