CVE-2016-8605
First published: Thu Jan 12 2017(Updated: )
The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. This is fixed in Guile 2.0.13. Prior versions are affected.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Fedora | =23 | |
| Fedora | =24 | |
| Fedora | =25 | |
| GNU Guile | <=2.0.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2016/10/12/1
- http://www.securityfocus.com/bid/93510
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QTAGSDCTYXTABAA77BQJGNKOOBRV4DK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNVE5N24FLWDYBQ3LAFMF6BFCWKDO7VM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJP5S36GTXMDEBXWF6LKKV76DSLNQG44/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QTAGSDCTYXTABAA77BQJGNKOOBRV4DK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UJP5S36GTXMDEBXWF6LKKV76DSLNQG44/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNVE5N24FLWDYBQ3LAFMF6BFCWKDO7VM/
Frequently Asked Questions
What is the severity of CVE-2016-8605?
CVE-2016-8605 is considered a medium severity vulnerability due to the potential for creating files with insecure permissions.
How do I fix CVE-2016-8605?
To mitigate CVE-2016-8605, update GNU Guile to version 2.0.12 or later, or ensure that umask is set correctly in your application.
What type of systems are affected by CVE-2016-8605?
CVE-2016-8605 affects GNU Guile versions up to 2.0.12 on Fedora operating systems versions 23, 24, and 25.
What kind of applications are vulnerable due to CVE-2016-8605?
Multithreaded applications using the mkdir procedure from GNU Guile can be vulnerable to CVE-2016-8605.
Can CVE-2016-8605 allow unauthorized access to files?
Yes, CVE-2016-8605 can potentially allow unauthorized access to files if they are created with overly permissive permissions.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/fedoraproject
- canonical/fedora
- version/fedora/23
- version/fedora/24
- version/fedora/25
- vendor/gnu
- canonical/gnu guile
- version/gnu guile/2.0.12