Date: Tue, 11 Oct 2016 14:11:59 +0200 From: ludo@....org (Ludovic Courtès) To: oss-security@...ts.openwall.com CC: Andy Wingo <wingo@...ox.com>, Mark H Weaver <mhw@...ris.org> Subject: CVE request: GNU Guile <= 2.0.12: Thread-unsafe umask modification The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process’ umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, ‘mkdir’ without the optional ‘mode’ argument would create directories as 0777. This can be worked around by always passing the optional ‘mode’ argument to Guile’s ‘mkdir’ procedure. This will be fixed in Guile 2.0.13, to be released shortly. Upstream bug report: http://bugs.gnu.org/24659 Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=245608911698adb3472803856019bdd5670b6614 Ludo’.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.