oss-sec mailing list archives

CVE request: GNU Guile <= 2.0.12: Thread-unsafe umask modification

From: ludo () gnu org (Ludovic Courtès)
Date: Tue, 11 Oct 2016 14:11:59 +0200

The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme
programming language, temporarily changed the process’ umask to zero.
During that time window, in a multithreaded application, other threads
could end up creating files with insecure permissions.  For example,
‘mkdir’ without the optional ‘mode’ argument would create directories
as 0777.

This can be worked around by always passing the optional ‘mode’ argument
to Guile’s ‘mkdir’ procedure.

This will be fixed in Guile 2.0.13, to be released shortly.

Upstream bug report: http://bugs.gnu.org/24659
Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=245608911698adb3472803856019bdd5670b6614

Ludo’.

Current thread:

CVE request: GNU Guile <= 2.0.12: Thread-unsafe umask modification Ludovic Courtès (Oct 11)
- Re: CVE request: GNU Guile <= 2.0.12: Thread-unsafe umask modification cve-assign (Oct 11)