Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Oct 2016 14:11:59 +0200
From: (Ludovic Courtès)
CC: Andy Wingo <>, Mark H Weaver <>
Subject: CVE request: GNU Guile <= 2.0.12: Thread-unsafe umask modification

The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme
programming language, temporarily changed the process’ umask to zero.
During that time window, in a multithreaded application, other threads
could end up creating files with insecure permissions.  For example,
‘mkdir’ without the optional ‘mode’ argument would create directories
as 0777.

This can be worked around by always passing the optional ‘mode’ argument
to Guile’s ‘mkdir’ procedure.

This will be fixed in Guile 2.0.13, to be released shortly.

Upstream bug report:


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ