Description
The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme
programming language, temporarily changed the process's umask to zero
in order to create the directory with an exact mode. Because the umask is
shared by all threads of a process, other threads of a multithreaded
application that created files during that window could end up with
insecure (for example, world-writable) permissions (CVE-2016-8605).
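To make the flaw class behind CVE-2016-8605 concrete, the following is an added Python example (not Guile's code and not its fix): `unsafe_mkdir` reproduces the umask-clearing pattern the advisory describes, `safe_mkdir` is one way to obtain an exact directory mode without ever touching the process umask, and `race_demo` forces the thread interleaving deterministically with events. The function names and the `window_hook` test aid are constructed for this demonstration.

```python
import os, stat, tempfile, threading

def unsafe_mkdir(path, mode, window_hook=None):
    # The flawed pattern from the advisory: clear the process-wide umask so that
    # mkdir(2) gets the exact mode, then restore it. Every other thread runs with
    # umask 0 in between. window_hook is a constructed stand-in for their work.
    old = os.umask(0)
    try:
        os.mkdir(path, mode)
        if window_hook:
            window_hook()
    finally:
        os.umask(old)

def safe_mkdir(path, mode, window_hook=None):
    # Mitigation: leave the umask alone. Create the directory (umask applies),
    # then set the exact mode through a descriptor on the directory itself, so a
    # symlink swapped in at `path` afterwards cannot redirect the chmod.
    os.mkdir(path, mode)
    if window_hook:
        window_hook()
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)

def current_umask():
    old = os.umask(0)  # the only way to read the umask is to set it; restore at once
    os.umask(old)
    return old

def race_demo(mkdir_impl):
    # Run mkdir_impl here while a second thread creates a file with mode 0o666
    # inside the window. Returns (dir_mode, file_mode) as the kernel recorded them.
    tmp = tempfile.mkdtemp()
    d, f = os.path.join(tmp, "d"), os.path.join(tmp, "f")
    entered, finished = threading.Event(), threading.Event()
    def other_thread():
        entered.wait()
        os.close(os.open(f, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666))
        finished.set()
    def hook():  # the mkdir thread pauses inside its window while the other works
        entered.set()
        finished.wait()
    t = threading.Thread(target=other_thread)
    t.start()
    mkdir_impl(d, 0o700, window_hook=hook)
    t.join()
    return tuple(stat.S_IMODE(os.stat(p).st_mode) for p in (d, f))
```

With `unsafe_mkdir` the other thread's file comes out 0o666 regardless of the configured umask; with `safe_mkdir` it keeps the umask-derived mode while the directory still gets exactly 0o700.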
GNU Guile, an implementation of the Scheme language, provides a “REPL
server”: a command prompt that developers can connect to over a socket
for live coding and debugging. The REPL server is vulnerable to an HTTP
inter-protocol attack, in which a request sent by an HTTP client such as a
web browser to the REPL port is read as REPL input. This constitutes a
remote code execution vulnerability for developers running a REPL server
that listens on a loopback device or a private network (CVE-2016-8606).
The guile package has been updated to version 2.0.13, fixing these
issues and other bugs. See the upstream release announcements for
details.