Your message dated Mon, 24 Apr 2023 10:59:19 +0200
with message-id <[email protected]>
and subject line guile-1.8 has been superseded by guile-2.0
has caused the Debian Bug report #841494,
regarding guile-1.8: CVE-2016-8605: Thread-unsafe umask modification
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
841494: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841494
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: guile-1.8
Severity: normal
Tags: security

The mkdir procedure of GNU Guile, an implementation of the Scheme programming 
language, temporarily changed the process' umask to zero. During that time 
window, in a multithreaded application, other threads could end up creating 
files with insecure permissions. For example, mkdir without the optional mode 
argument would create directories as 0777.

Upstream bug:

http://debbugs.gnu.org/cgi/bugreport.cgi?bug=24659

Upstream patch:

http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=245608911698adb3472803856019bdd5670b6614

References:

http://seclists.org/oss-sec/2016/q4/92

--- End Message ---
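
The race window described in the report above, as an added example (not Guile's code and not part of the original messages). The helper names, the /tmp path and the umask of 022 are assumptions made for the illustration, and the "other thread" is simulated by a call placed inside the window so the result is deterministic.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a directory requesting 0777, report the permission bits it actually
   got, then remove it. Constructed stand-in for work done by another thread. */
static int dir_mode(const char *path) {
    struct stat st;
    if (mkdir(path, 0777) != 0 || stat(path, &st) != 0) return -1;
    rmdir(path);
    return (int)(st.st_mode & 0777);
}

/* Racy pattern: umask() can only be read by setting it, so the process-wide
   mask is 0 until the second call. Returns the mode seen inside that window. */
static int mkdir_racy(const char *dir, const char *other) {
    mode_t mask = umask(0);      /* window opens: all threads now have umask 0 */
    int seen = dir_mode(other);  /* what a concurrent mkdir would get */
    umask(mask);                 /* window closes */
    if (mkdir(dir, 0777 ^ mask) != 0) return -1;
    rmdir(dir);
    return seen;
}

/* Hardened pattern: never touch the umask; request 0777 and let the kernel
   apply the mask atomically inside mkdir(2). */
static int mkdir_safe(const char *dir, const char *other) {
    if (mkdir(dir, 0777) != 0) return -1;
    rmdir(dir);
    return dir_mode(other);
}

/* Run one variant under umask 022 inside a private scratch directory. */
int demo(int racy) {
    char base[64], a[80], b[80];
    mode_t old = umask(022);
    int seen = -1;
    snprintf(base, sizeof base, "/tmp/umask-demo-%ld", (long)getpid());
    if (mkdir(base, 0700) == 0) {   /* fails rather than reusing an existing path */
        snprintf(a, sizeof a, "%s/a", base);
        snprintf(b, sizeof b, "%s/b", base);
        seen = racy ? mkdir_racy(a, b) : mkdir_safe(a, b);
        rmdir(base);
    }
    umask(old);
    return seen;
}

int main(void) { printf("racy: %04o  safe: %04o\n", demo(1), demo(0)); return 0; }
```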
--- Begin Message ---
Version: 1.8.8+1-10+rm

guile-1.8 was last released with Debian 8 (jessie)
in April 2015 and has been removed from the Debian archive afterwards.
See https://bugs.debian.org/760986 for details on the removal.
Regular security support for jessie ended in June 2018 and LTS support
ended in June 2020. I'm closing the remaining bug reports now.

Andreas

--- End Message ---
