SB2016110830 - Input validation error in guile (Alpine package)




Published: November 8, 2016

Security Bulletin ID: SB2016110830
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity: Medium 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Input validation error (CVE-ID: CVE-2016-8605)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. This is fixed in Guile 2.0.13. Prior versions are affected.
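
The window described above can be reproduced deterministically. The following C program is an added example, not code from Guile or from this bulletin; the function names, the /tmp paths and the 022 baseline umask are assumptions made for the demonstration. It inlines the "other thread" at the point where it would interleave, and compares the result with a mkdir that leaves the umask untouched.

```c
/* Added example, not Guile source. Assumes POSIX and a writable /tmp. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static int perm_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Racy pattern: the umask is process-wide, so every thread sees the window.
 * The other thread's open() is inlined where it would interleave, which
 * makes the outcome deterministic for the demonstration. */
int mode_seen_during_umask_window(const char *file)
{
    mode_t saved = umask(0);                       /* window opens */
    int fd = open(file, O_CREAT | O_EXCL | O_WRONLY, 0666); /* other thread */
    umask(saved);                                  /* window closes */
    if (fd < 0) return -1;
    close(fd);
    int mode = perm_bits(file);
    unlink(file);
    return mode;
}

/* Safe pattern: leave the umask alone; the kernel applies it to 0777. */
int mode_of_default_mkdir(const char *subdir)
{
    if (mkdir(subdir, 0777) != 0) return -1;
    int mode = perm_bits(subdir);
    rmdir(subdir);
    return mode;
}

int main(void)
{
    char dir[] = "/tmp/umask-demo-XXXXXX", path[64];
    if (!mkdtemp(dir)) return 1;
    umask(022);                                    /* constructed baseline */
    snprintf(path, sizeof path, "%s/f", dir);
    printf("file created inside window: %04o\n", mode_seen_during_umask_window(path));
    snprintf(path, sizeof path, "%s/d", dir);
    printf("mkdir, umask untouched:     %04o\n", mode_of_default_mkdir(path));
    return rmdir(dir);
}
```

The file opened inside the window is world-writable even though the process umask is restrictive, while the plain mkdir call honours the umask without ever changing it.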


Remediation

Install the update from the vendor's website.