[Secure-testing-team] Bug#841494: guile: Thread-unsafe umask modification
Matanya Moses
matanya at foss.co.il
Fri Oct 21 07:55:42 UTC 2016
Package: guile-1.8
Severity: normal
Tags: security
The mkdir procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777.
Upstream bug:
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=24659
Upstream patch:
http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=245608911698adb3472803856019bdd5670b6614
References:
http://seclists.org/oss-sec/2016/q4/92
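The window described in the report, as an added C example (not Guile's code and not part of the original message). A second thread is simulated by a call placed inside the window so the result is deterministic; the function names and the `/tmp/umask-demo-<pid>` path are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for a second thread: creates a file, requesting mode 0666. */
static void create_file(const char *path) {
    int fd = open(path, O_CREAT | O_WRONLY | O_EXCL, 0666);
    if (fd >= 0) close(fd);
}

/* Racy pattern: learn the umask by clearing it, then put it back. */
static int mkdir_toggle_umask(const char *dir, const char *other_file) {
    mode_t mask = umask(0);       /* process-wide umask is now 0 */
    create_file(other_file);      /* what another thread may do in the window */
    umask(mask);
    return mkdir(dir, 0777 & ~mask);
}

/* Safe pattern: leave the umask alone; the kernel applies it to 0777. */
static int mkdir_kernel_umask(const char *dir, const char *other_file) {
    create_file(other_file);      /* same concurrent action, no window */
    return mkdir(dir, 0777);
}

/* Runs one variant under umask 022 and returns the mode bits of the file
   created by the simulated second thread, or -1 on error. */
int file_mode_during_mkdir(int use_toggle) {
    char base[64], dir[80], file[80];
    struct stat st;
    int mode = -1;
    snprintf(base, sizeof base, "/tmp/umask-demo-%ld", (long)getpid());
    if (mkdir(base, 0700) != 0) return -1;   /* fails if the name exists */
    snprintf(dir, sizeof dir, "%s/d", base);
    snprintf(file, sizeof file, "%s/f", base);
    mode_t old = umask(022);
    if (use_toggle) mkdir_toggle_umask(dir, file);
    else            mkdir_kernel_umask(dir, file);
    if (stat(file, &st) == 0) mode = (int)(st.st_mode & 07777);
    umask(old);
    unlink(file); rmdir(dir); rmdir(base);
    return mode;
}

int main(void) {
    printf("toggle umask: %04o\n", file_mode_during_mkdir(1));
    printf("kernel umask: %04o\n", file_mode_during_mkdir(0));
    return 0;
}
```

With the umask toggled, the concurrently created file ends up group- and world-writable despite the process umask of 022; with the mode passed straight to `mkdir`, it does not.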