Vulnerability Description
The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. This is fixed in Guile 2.0.13. Prior versions are affected.
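The following C program is an added illustration of the weakness class described above; it is not Guile's source and the fixed function is an assumption about one safe way to get an exact mode, not Guile's actual patch. For determinism the "other thread" is modelled by a helper called inside the umask window rather than a real thread, and a temporary directory under /tmp is constructed for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for work done by another thread: create a file with
   the nominal mode 0666 and return the permission bits it actually received,
   which depend on the process-wide umask at that instant. */
static int create_file_in_window(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0) return -1;
    close(fd);
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Vulnerable pattern (the umask-clobbering approach the advisory describes):
   force umask to 0 so mkdir yields exactly `mode`, then restore it. Between
   the two umask() calls every other thread in the process also creates files
   with no umask applied; `other_mode` receives the bits such a file got. */
int mkdir_umask_clobber(const char *dir, mode_t mode,
                        const char *other_file, int *other_mode)
{
    mode_t saved = umask(0);
    int rc = mkdir(dir, mode);
    *other_mode = create_file_in_window(other_file); /* the "other thread" */
    umask(saved);
    return rc;
}

/* Safer pattern (an assumption, not Guile's fix): never touch the process-wide
   umask. Create the directory with `mode` (umask applies) and then set the
   exact bits with chmod on the just-created directory. */
int mkdir_exact_mode(const char *dir, mode_t mode,
                     const char *other_file, int *other_mode)
{
    int rc = mkdir(dir, mode);
    if (rc == 0) rc = chmod(dir, mode);
    *other_mode = create_file_in_window(other_file);
    return rc;
}

/* Run one pattern in a fresh temp directory with umask 022 and return the
   permission bits the "other thread" file received: 0666 with the clobbering
   pattern, 0644 with the safe one. Returns -1 on error, -2 if the directory
   itself did not end up 0700. */
int demo(int use_clobber)
{
    char tmpl[] = "/tmp/cve-2016-8605-XXXXXX";   /* constructed scratch dir */
    char dir[256], file[256];
    struct stat st;
    int other = -1, rc;
    mode_t old;
    char *base = mkdtemp(tmpl);
    if (!base) return -1;
    snprintf(dir, sizeof dir, "%s/d", base);
    snprintf(file, sizeof file, "%s/f", base);

    old = umask(022);
    rc = use_clobber ? mkdir_umask_clobber(dir, 0700, file, &other)
                     : mkdir_exact_mode(dir, 0700, file, &other);
    umask(old);

    if (rc == 0 && stat(dir, &st) == 0 && (st.st_mode & 0777) != 0700) rc = -2;

    unlink(file); rmdir(dir); rmdir(base);
    if (rc == -2) return -2;
    return rc == 0 ? other : -1;
}
```

Both patterns give the directory itself the requested 0700, which is why the bug is easy to miss in single-threaded tests: only a file created concurrently by another thread shows the difference (0666 instead of the umask-respecting 0644). A useful code-review check is to flag any library call to umask() that is not confined to process start-up.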
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fedoraproject | Fedora | 23 |
| Gnu | Guile | <= 2.0.12 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2016/10/12/1 (Mailing List, Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/93510 (Third Party Advisory, VDB Entry)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2016-8605?
CVE-2016-8605 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permis...
How severe is CVE-2016-8605?
CVE-2016-8605 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-8605?
Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora, Gnu Guile.