CVE-2016-8605

Name: CVE-2016-8605
Description: The mkdir procedure of GNU Guile temporarily changed the process's umask to zero in order to read it back. Because the umask is a per-process attribute, not a per-thread one, every other thread in a multithreaded application saw a umask of 0 during that window and could create files or directories with insecure permissions. For example, a concurrent call to mkdir without the optional mode argument would create the directory as 0777. This is fixed in Guile 2.0.13; prior versions are affected.
Source: CVE (NVD)
References: DLA-666-1
Debian Bugs: 840556, 841494
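The race the description refers to, as an added illustration in C written for this page (it is not Guile's own code, and the scratch path under /tmp, the hook-callback mechanism and the function names are assumptions). The vulnerable pattern sets the umask to zero and restores it; instead of relying on thread scheduling, the code injects "what another thread does" as a callback at exactly that point, so the outcome is deterministic: the other thread's file, requested as 0666 under a 022 umask, ends up 0666 instead of 0644. The fixed pattern never touches the umask and lets the kernel apply it atomically inside mkdir(2).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for whatever another thread happens to do while the process
   umask is zero.  Injecting it as a callback makes the race deterministic
   instead of depending on thread scheduling (assumption for this example). */
typedef void (*window_hook)(void *arg);

/* Vulnerable pattern (illustrative; not Guile's own code): learn the umask
   by setting it to zero and restoring it.  Between the two umask() calls
   every other thread in the process sees a umask of 0. */
int racy_mkdir(const char *path, window_hook hook, void *arg)
{
    mode_t mask = umask(0);          /* window opens: umask is now 0 */
    if (hook) hook(arg);             /* "another thread" runs here   */
    umask(mask);                     /* window closes                */
    return mkdir(path, 0777 & ~mask);
}

/* Fixed pattern: never touch the process umask; pass the full mode and let
   the kernel apply the umask atomically inside mkdir(2). */
int safe_mkdir(const char *path, window_hook hook, void *arg)
{
    if (hook) hook(arg);             /* same concurrent work, no window */
    return mkdir(path, 0777);
}

/* Work done by the "other thread": create a file requesting 0666 and rely
   on the umask to strip the group/other write bits. */
void create_file_0666(void *arg)
{
    int fd = open((const char *)arg, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd >= 0) close(fd);
}

/* Permission bits of path, or -1 if it cannot be stat'ed. */
int perm_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Run one scenario under a 022 umask in a scratch directory below /tmp
   (assumed writable).  Returns the permission bits of the directory that
   mkdir created (want_dir != 0) or of the file the "other thread" created. */
int scenario_mode(int use_safe, int want_dir)
{
    char base[128], dir[160], file[160];
    snprintf(base, sizeof base, "/tmp/cve-2016-8605-%ld-%d",
             (long)getpid(), use_safe);
    snprintf(dir, sizeof dir, "%s/d", base);
    snprintf(file, sizeof file, "%s/f", base);
    if (mkdir(base, 0700) != 0 && errno != EEXIST) return -1;

    mode_t old = umask(022);
    int rc = use_safe ? safe_mkdir(dir, create_file_0666, file)
                      : racy_mkdir(dir, create_file_0666, file);
    umask(old);

    int mode = (rc == 0) ? perm_bits(want_dir ? dir : file) : -1;
    unlink(file); rmdir(dir); rmdir(base);
    return mode;
}

int main(void)
{
    printf("racy mkdir: directory %04o, other thread's file %04o\n",
           scenario_mode(0, 1), scenario_mode(0, 0));
    printf("safe mkdir: directory %04o, other thread's file %04o\n",
           scenario_mode(1, 1), scenario_mode(1, 0));
    return 0;
}
```

Note that the directory itself comes out 0755 in both variants, which is why the bug is easy to miss in single-threaded testing: the damage is done to whatever other threads create inside the window, not to the directory mkdir was asked for.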

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
guile-2.0 (PTS) | buster | 2.0.13+1-5.1 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
guile-1.8 | source | (unstable) | (unfixed) | low | | 841494
guile-2.0 | source | wheezy | 2.0.5+1-3+deb7u1 | | DLA-666-1 |
guile-2.0 | source | jessie | 2.0.11+1-9+deb8u1 | | |
guile-2.0 | source | (unstable) | 2.0.13+1-1 | low | | 840556

Notes

[jessie] - guile-1.8 <no-dsa> (Minor issue)
[wheezy] - guile-1.8 <no-dsa> (Minor issue)
http://bugs.gnu.org/24659
Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=245608911698adb3472803856019bdd5670b6614
