Debian Security Advisory
DLA-666-1 guile-2.0 -- LTS security update
- Date Reported:
- 18 Oct 2016
- Affected Packages:
- guile-2.0
- Security database references:
- In the Debian bugtracking system: Bug 840555, Bug 840556.
- In Mitre's CVE dictionary: CVE-2016-8605, CVE-2016-8606.
- More information:
Several vulnerabilities were discovered in GNU Guile, an implementation of the Scheme programming language. The Common Vulnerabilities and Exposures project identifies the following issues.
- CVE-2016-8605
The mkdir procedure of GNU Guile temporarily changed the process's umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions.
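As an added illustration (not Guile's code) of why the umask toggling described above is unsafe: umask is a process-wide attribute, so while one thread has zeroed it, a file created by any other thread gets its full requested mode. The scratch directory under /tmp and the 0750 and 0666 modes are constructed for the demonstration, and the chmod-based alternative is one safe approach, not necessarily the fix Debian shipped.

```c
#define _XOPEN_SOURCE 700   /* POSIX declarations for mkdtemp(), creat(), umask() */
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
/* Pattern the advisory describes (paraphrased; not Guile's source): zero the process
   umask so mkdir(2) applies the exact mode, then restore it. umask is shared by every
   thread, so between the two umask() calls the whole process creates files unmasked. */
mode_t racy_mkdir_exact_mode(const char *path, mode_t mode) {
    struct stat st;
    mode_t old = umask(0);               /* window opens for the whole process */
    int rc = mkdir(path, mode);
    umask(old);                          /* window closes */
    if (rc != 0 || stat(path, &st) != 0) return (mode_t)-1;
    return st.st_mode & 07777;
}

/* Safe alternative (added here; not necessarily Guile's fix): leave umask alone.
   mkdir(2) applies the current umask, then chmod(2) sets the exact mode, so the
   directory is never more permissive than requested at any point. */
mode_t safe_mkdir_exact_mode(const char *path, mode_t mode) {
    struct stat st;
    if (mkdir(path, mode) != 0 || chmod(path, mode) != 0) return (mode_t)-1;
    if (stat(path, &st) != 0) return (mode_t)-1;
    return st.st_mode & 07777;
}

/* What another thread doing ordinary file creation gets: the permission bits of a
   file created with creat(path, 0666) under whatever umask is in force right now. */
mode_t bystander_file_mode(const char *path) {
    struct stat st;
    int fd = creat(path, 0666);
    if (fd < 0) return (mode_t)-1;
    if (fstat(fd, &st) != 0) { close(fd); return (mode_t)-1; }
    close(fd);
    return st.st_mode & 07777;
}

int main(void) {
    char parent[] = "/tmp/umask-demo-XXXXXX", path[64];  /* constructed scratch dir */
    if (mkdtemp(parent) == NULL) return 1;
    umask(0);                            /* simulate being inside the racy window */
    snprintf(path, sizeof path, "%s/inside", parent);
    printf("bystander file during window: %04o\n", (unsigned)bystander_file_mode(path));
    umask(077);                          /* window closed; cautious default restored */
    snprintf(path, sizeof path, "%s/dir", parent);
    printf("safe mkdir 0750 under umask 077: %04o\n", (unsigned)safe_mkdir_exact_mode(path, 0750));
    return 0;
}
```

Under umask 077 the bystander file comes out 0600, but inside the window it is 0666, world-readable and world-writable, even though the bystander never touched umask.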
- CVE-2016-8606
GNU Guile provides a REPL server, which is a command prompt that developers can connect to for live coding and debugging purposes. The REPL server is started by the '--listen' command-line option or equivalent API.
It was reported that the REPL server is vulnerable to the HTTP inter-protocol attack.
This constitutes a remote code execution vulnerability for developers running a REPL server that listens on a loopback device or private network. Applications that do not run a REPL server, as is usually the case, are unaffected.
For Debian 7 "Wheezy", these problems have been fixed in version 2.0.5+1-3+deb7u1.
We recommend that you upgrade your guile-2.0 packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS