1004221 – (CVE-2016-8605) VUL-1: CVE-2016-8605: guile, guile1: Thread-unsafe umask modification

Bug 1004221 (CVE-2016-8605) - VUL-1: CVE-2016-8605: guile, guile1: Thread-unsafe umask modification

Summary: VUL-1: CVE-2016-8605: guile, guile1: Thread-unsafe umask modification

Status:	RESOLVED FIXED

Alias:	CVE-2016-8605

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Deadline:	2016-12-19
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/173480/
Whiteboard:	maint:released:sle10-sp3:63205 CVSSv2...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-10-12 09:09 UTC by Johannes Segitz
Modified:	2020-06-18 13:36 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2016-10-12 09:09:25 UTC

CVE-2016-8605

From: (Ludovic Courtès)
The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme
programming language, temporarily changed the process’ umask to zero.
During that time window, in a multithreaded application, other threads
could end up creating files with insecure permissions.  For example,
‘mkdir’ without the optional ‘mode’ argument would create directories
as 0777.

This can be worked around by always passing the optional ‘mode’ argument
to Guile’s ‘mkdir’ procedure.

This will be fixed in Guile 2.0.13, to be released shortly.

Upstream bug report: http://bugs.gnu.org/24659
Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=245608911698adb3472803856019bdd5670b6614


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8605
http://seclists.org/oss-sec/2016/q4/101

Comment 2 Swamp Workflow Management 2016-10-12 22:00:25 UTC

bugbot adjusting priority

Comment 3 Petr Gajdos 2016-10-17 12:50:38 UTC

Submit request against devel project created: 435742.

Comment 4 Petr Gajdos 2016-10-17 13:42:21 UTC

guile1 devel project submit request: 435751

Comment 5 Bernhard Wiedemann 2016-10-17 14:00:59 UTC

This is an autogenerated message for OBS integration:
This bug (1004221) was mentioned in
https://build.opensuse.org/request/show/435737 13.2 / guile

Comment 8 Dave Plater 2016-10-17 15:17:21 UTC

Created request sr#435778 to Leap:42.2

Comment 9 Petr Gajdos 2016-10-17 15:41:20 UTC

(In reply to Dave Plater from comment #8)
> Created request sr#435778 to Leap:42.2

Sigh, it was not so good idea to fork it from SLE12 code base just because spec cleaner call :/.

Leap:42.1 is needed too then.

Comment 10 Petr Gajdos 2016-10-17 15:51:56 UTC

(In reply to Petr Gajdos from comment #9)
> Sigh, it was not so good idea to fork it from SLE12 code base just because
> spec cleaner call :/.
> 
> Leap:42.1 is needed too then.

Done.

Comment 11 Bernhard Wiedemann 2016-10-17 16:00:36 UTC

This is an autogenerated message for OBS integration:
This bug (1004221) was mentioned in
https://build.opensuse.org/request/show/435756 13.2 / guile1
https://build.opensuse.org/request/show/435793 42.1 / guile1

Comment 12 Dave Plater 2016-10-17 16:11:43 UTC

Worse, factory auto declined the request. I think you needed to use "added patch" instead of +. I once put a , in the changes reference to the patch instead of a . and it was declined.

Comment 13 Dave Plater 2016-10-17 16:14:19 UTC

You forgot the 1 in guile1

Comment 14 Petr Gajdos 2016-10-17 16:31:54 UTC

Thanks for correction. Fixed in 13.2, 42.1 and 12 submission.

Comment 15 Bernhard Wiedemann 2016-10-17 18:00:17 UTC

This is an autogenerated message for OBS integration:
This bug (1004221) was mentioned in
https://build.opensuse.org/request/show/435801 13.2 / guile1
https://build.opensuse.org/request/show/435802 42.1 / guile1

Comment 20 Petr Gajdos 2016-10-18 09:12:37 UTC

I believe all fixed.

Comment 23 Swamp Workflow Management 2016-10-26 12:15:56 UTC

openSUSE-SU-2016:2643-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1004221
CVE References: CVE-2016-8605
Sources used:
openSUSE 13.2 (src):    guile1-1.8.8-16.3.1

Comment 24 Swamp Workflow Management 2016-10-26 12:20:20 UTC

openSUSE-SU-2016:2645-1: An update that fixes two vulnerabilities is now available.

Category: security (low)
Bug References: 1004221,1004226
CVE References: CVE-2016-8605,CVE-2016-8606
Sources used:
openSUSE 13.2 (src):    guile-2.0.11-3.3.1

Comment 25 Swamp Workflow Management 2016-10-26 12:21:01 UTC

openSUSE-SU-2016:2647-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1004221
CVE References: CVE-2016-8605
Sources used:
openSUSE Leap 42.1 (src):    guile1-1.8.8-22.1

Comment 26 Swamp Workflow Management 2016-11-21 09:17:54 UTC

An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2016-12-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63204

Comment 27 Swamp Workflow Management 2017-02-06 14:11:34 UTC

SUSE-SU-2017:0394-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1004221
CVE References: CVE-2016-8605
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    guile-1.8.5-24.1
SUSE Linux Enterprise Server 11-SP4 (src):    guile-1.8.5-24.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    guile-1.8.5-24.1

Comment 28 Swamp Workflow Management 2017-02-06 14:13:14 UTC

SUSE-SU-2017:0398-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1004221
CVE References: CVE-2016-8605
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    guile-2.0.9-8.3
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    guile-2.0.9-8.3
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    guile-2.0.9-8.3
SUSE Linux Enterprise Server 12-SP2 (src):    guile-2.0.9-8.3
SUSE Linux Enterprise Server 12-SP1 (src):    guile-2.0.9-8.3
SUSE Linux Enterprise Desktop 12-SP2 (src):    guile-2.0.9-8.3
SUSE Linux Enterprise Desktop 12-SP1 (src):    guile-2.0.9-8.3

Comment 29 Swamp Workflow Management 2017-02-17 03:15:04 UTC

openSUSE-SU-2017:0482-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1004221
CVE References: CVE-2016-8605
Sources used:
openSUSE Leap 42.2 (src):    guile-2.0.9-8.1
openSUSE Leap 42.1 (src):    guile-2.0.9-7.1

Comment 30 Johannes Segitz 2017-07-11 15:44:22 UTC

fixed

Comment 31 Swamp Workflow Management 2020-06-18 13:36:26 UTC

SUSE-SU-2020:1659-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1004221
CVE References: CVE-2016-8605
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    guile1-1.8.8-16.4.39
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    guile1-1.8.8-16.4.39
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    guile1-1.8.8-16.4.39
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    guile1-1.8.8-16.4.39

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.