oss-sec mailing list archives
CVE request: GNU Guile <= 2.0.12: Thread-unsafe umask modification
From: ludo () gnu org (Ludovic Courtès)
Date: Tue, 11 Oct 2016 14:11:59 +0200
The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process’ umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, ‘mkdir’ without the optional ‘mode’ argument would create directories as 0777.

This can be worked around by always passing the optional ‘mode’ argument to Guile’s ‘mkdir’ procedure.

This will be fixed in Guile 2.0.13, to be released shortly.

Upstream bug report: http://bugs.gnu.org/24659

Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=245608911698adb3472803856019bdd5670b6614

Ludo’.
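The effect described in the message above, as an added C example that is not part of the original message and is not Guile's code: because the umask belongs to the whole process, a file created by a second thread while the first is between `umask(0)` and the restoring call keeps every permission bit it asked for. The function names and the scratch path under `/tmp` are constructed for this illustration.

```c
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Second thread: creates a file the ordinary way and relies on the umask. */
static void *create_file(void *arg)
{
    int fd = open((const char *)arg, O_CREAT | O_EXCL | O_WRONLY, 0666);
    if (fd >= 0)
        close(fd);
    return NULL;
}

/* Mode of a file created by a second thread while this thread is
   (zero_umask = 1) or is not (zero_umask = 0) inside a umask(0) window.
   The thread is joined inside the window so the result is deterministic;
   in a real program the overlap depends on timing. */
mode_t mode_seen_by_other_thread(int zero_umask)
{
    char dir[64], path[80];
    struct stat st;
    pthread_t t;
    mode_t result = (mode_t)-1, old = 0;

    /* Constructed scratch directory; mkdir fails if the name exists. */
    snprintf(dir, sizeof dir, "/tmp/umask-demo-%ld", (long)getpid());
    snprintf(path, sizeof path, "%s/file", dir);
    if (mkdir(dir, 0700) != 0)
        return result;
    if (zero_umask)
        old = umask(0);              /* window opens: umask is per process */
    if (pthread_create(&t, NULL, create_file, path) == 0)
        pthread_join(t, NULL);
    if (zero_umask)
        umask(old);                  /* window closes */
    if (stat(path, &st) == 0)
        result = st.st_mode & 0777;
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    umask(022);                      /* a common default */
    printf("umask untouched: %04o\n", (unsigned)mode_seen_by_other_thread(0));
    printf("inside umask(0): %04o\n", (unsigned)mode_seen_by_other_thread(1));
    return 0;
}
```

On systems where the threads library is separate from libc, build with `-pthread`.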