Bug 1004221 - (CVE-2016-8605) VUL-1: CVE-2016-8605: guile, guile1: Thread-unsafe umask modification
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low  Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/173480/
maint:released:sle10-sp3:63205 CVSSv2...
Depends on:
Blocks:
Reported: 2016-10-12 09:09 UTC by Johannes Segitz
Modified: 2020-06-18 13:36 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2016-10-12 09:09:25 UTC
CVE-2016-8605

From: (Ludovic Courtès)
The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme
programming language, temporarily changed the process’ umask to zero.
During that time window, in a multithreaded application, other threads
could end up creating files with insecure permissions.  For example,
‘mkdir’ without the optional ‘mode’ argument would create directories
as 0777.

This can be worked around by always passing the optional ‘mode’ argument
to Guile’s ‘mkdir’ procedure.

This will be fixed in Guile 2.0.13, to be released shortly.

Upstream bug report: http://bugs.gnu.org/24659
Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=245608911698adb3472803856019bdd5670b6614


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8605
http://seclists.org/oss-sec/2016/q4/101
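The race described in the report, reproduced in C as an added example (this is not Guile's code and not the upstream patch). racy_mkdir() models the pre-fix behaviour as the advisory describes it: the umask is zeroed to read it and then restored, and because the umask is process-wide every other thread creates files unmasked during that window; the exact zero-and-restore sequence is an assumption about Guile's implementation. safe_mkdir() shows the fix the advisory implies: never touch the umask and let the kernel apply it to the requested 0777. run_race() runs one implementation against a victim thread that keeps creating a file with mode 0666 under umask 022 and returns the most permissive mode the victim ever got. The /tmp paths, thread layout and iteration counts are choices for this demo only.

```c
/* Added example for CVE-2016-8605 (not Guile's code): a thread-unsafe umask
 * dance next to the safe form. Build with: cc -pthread umask_race.c */
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (assumed to match pre-2.0.13 Guile): umask() is the
 * only portable way to read the mask, so it is set to 0 and restored. Between
 * the two calls every thread in the process runs with umask 0. */
int racy_mkdir(const char *path)
{
    mode_t mask = umask(0);        /* window opens: process umask is now 0 */
    umask(mask);                   /* window closes */
    return mkdir(path, 0777 & ~mask);
}

/* Safe pattern: request 0777 and let the kernel apply the caller's umask
 * atomically inside mkdir(2). Equivalent to always passing a mode. */
int safe_mkdir(const char *path)
{
    return mkdir(path, 0777);
}

/* Permission bits of an existing path, or -1 on error. */
int mode_of(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

struct victim { const char *dir; int iters; int worst; };

/* Victim thread: repeatedly create a file with mode 0666, record the most
 * permissive mode the kernel actually gave it, remove it again. */
static void *victim_thread(void *arg)
{
    struct victim *v = arg;
    char file[4096];
    snprintf(file, sizeof file, "%s/victim", v->dir);
    for (int i = 0; i < v->iters; i++) {
        int fd = open(file, O_CREAT | O_WRONLY | O_EXCL, 0666);
        if (fd < 0) continue;
        struct stat st;
        if (fstat(fd, &st) == 0 && (int)(st.st_mode & 0777) > v->worst)
            v->worst = (int)(st.st_mode & 0777);
        close(fd);
        unlink(file);
    }
    return NULL;
}

/* Run mk() in a loop on this thread while the victim thread creates files
 * under umask 022. Returns the worst victim mode seen: 0644 is correct,
 * 0666 means the victim hit the umask-0 window. Restores the old umask. */
int run_race(int (*mk)(const char *), int iters)
{
    char base[] = "/tmp/umask-race-XXXXXX";   /* demo location, assumed ok */
    if (!mkdtemp(base)) return -1;
    mode_t old = umask(022);
    struct victim v = { base, iters, 0 };
    pthread_t t;
    if (pthread_create(&t, NULL, victim_thread, &v) != 0) {
        umask(old); rmdir(base); return -1;
    }
    char sub[4096];
    snprintf(sub, sizeof sub, "%s/d", base);
    for (int i = 0; i < iters; i++) { mk(sub); rmdir(sub); }
    pthread_join(t, NULL);
    umask(old);
    rmdir(base);
    return v.worst;
}

int main(void)
{
    int racy = run_race(racy_mkdir, 200000);
    int safe = run_race(safe_mkdir, 200000);
    printf("racy mkdir: worst victim file mode %04o (0666 = window hit)\n", racy);
    printf("safe mkdir: worst victim file mode %04o\n", safe);
    return 0;
}
```

The racy run usually reports 0666 within a few thousand iterations on a multi-core machine, which is the "other threads could end up creating files with insecure permissions" outcome in the report; the safe run can only ever report 0644 because the umask is never modified. The same reasoning applies to any library that wraps mkdir, open or mkfifo: reading the umask by writing it is never safe once a second thread exists.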
Comment 2 Swamp Workflow Management 2016-10-12 22:00:25 UTC
bugbot adjusting priority
Comment 3 Petr Gajdos 2016-10-17 12:50:38 UTC
Submit request against devel project created: 435742.
Comment 4 Petr Gajdos 2016-10-17 13:42:21 UTC
guile1 devel project submit request: 435751
Comment 5 Bernhard Wiedemann 2016-10-17 14:00:59 UTC
This is an autogenerated message for OBS integration:
This bug (1004221) was mentioned in
https://build.opensuse.org/request/show/435737 13.2 / guile
Comment 8 Dave Plater 2016-10-17 15:17:21 UTC
Created request sr#435778 to Leap:42.2
Comment 9 Petr Gajdos 2016-10-17 15:41:20 UTC
(In reply to Dave Plater from comment #8)
> Created request sr#435778 to Leap:42.2

Sigh, it was not such a good idea to fork it from the SLE12 code base just because of a spec cleaner call :/.

Leap:42.1 is needed too then.
Comment 10 Petr Gajdos 2016-10-17 15:51:56 UTC
(In reply to Petr Gajdos from comment #9)
> Sigh, it was not such a good idea to fork it from the SLE12 code base just because
> of a spec cleaner call :/.
> 
> Leap:42.1 is needed too then.

Done.
Comment 11 Bernhard Wiedemann 2016-10-17 16:00:36 UTC
This is an autogenerated message for OBS integration:
This bug (1004221) was mentioned in
https://build.opensuse.org/request/show/435756 13.2 / guile1
https://build.opensuse.org/request/show/435793 42.1 / guile1
Comment 12 Dave Plater 2016-10-17 16:11:43 UTC
Worse, factory auto declined the request. I think you needed to use "added patch" instead of +. I once put a , in the changes reference to the patch instead of a . and it was declined.
Comment 13 Dave Plater 2016-10-17 16:14:19 UTC
You forgot the 1 in guile1
Comment 14 Petr Gajdos 2016-10-17 16:31:54 UTC
Thanks for correction. Fixed in 13.2, 42.1 and 12 submission.
Comment 15 Bernhard Wiedemann 2016-10-17 18:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (1004221) was mentioned in
https://build.opensuse.org/request/show/435801 13.2 / guile1
https://build.opensuse.org/request/show/435802 42.1 / guile1
Comment 20 Petr Gajdos 2016-10-18 09:12:37 UTC
I believe all fixed.
Comment 23 Swamp Workflow Management 2016-10-26 12:15:56 UTC
openSUSE-SU-2016:2643-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1004221
CVE References: CVE-2016-8605
Sources used:
openSUSE 13.2 (src):    guile1-1.8.8-16.3.1
Comment 24 Swamp Workflow Management 2016-10-26 12:20:20 UTC
openSUSE-SU-2016:2645-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1004221,1004226
CVE References: CVE-2016-8605,CVE-2016-8606
Sources used:
openSUSE 13.2 (src):    guile-2.0.11-3.3.1
Comment 25 Swamp Workflow Management 2016-10-26 12:21:01 UTC
openSUSE-SU-2016:2647-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1004221
CVE References: CVE-2016-8605
Sources used:
openSUSE Leap 42.1 (src):    guile1-1.8.8-22.1
Comment 26 Swamp Workflow Management 2016-11-21 09:17:54 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2016-12-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63204
Comment 27 Swamp Workflow Management 2017-02-06 14:11:34 UTC
SUSE-SU-2017:0394-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1004221
CVE References: CVE-2016-8605
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    guile-1.8.5-24.1
SUSE Linux Enterprise Server 11-SP4 (src):    guile-1.8.5-24.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    guile-1.8.5-24.1
Comment 28 Swamp Workflow Management 2017-02-06 14:13:14 UTC
SUSE-SU-2017:0398-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1004221
CVE References: CVE-2016-8605
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    guile-2.0.9-8.3
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    guile-2.0.9-8.3
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    guile-2.0.9-8.3
SUSE Linux Enterprise Server 12-SP2 (src):    guile-2.0.9-8.3
SUSE Linux Enterprise Server 12-SP1 (src):    guile-2.0.9-8.3
SUSE Linux Enterprise Desktop 12-SP2 (src):    guile-2.0.9-8.3
SUSE Linux Enterprise Desktop 12-SP1 (src):    guile-2.0.9-8.3
Comment 29 Swamp Workflow Management 2017-02-17 03:15:04 UTC
openSUSE-SU-2017:0482-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1004221
CVE References: CVE-2016-8605
Sources used:
openSUSE Leap 42.2 (src):    guile-2.0.9-8.1
openSUSE Leap 42.1 (src):    guile-2.0.9-7.1
Comment 30 Johannes Segitz 2017-07-11 15:44:22 UTC
fixed
Comment 31 Swamp Workflow Management 2020-06-18 13:36:26 UTC
SUSE-SU-2020:1659-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1004221
CVE References: CVE-2016-8605
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    guile1-1.8.8-16.4.39
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    guile1-1.8.8-16.4.39
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    guile1-1.8.8-16.4.39
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    guile1-1.8.8-16.4.39

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.