Security update for guile SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:0398-1 Final 1 1 2017-02-06T10:53:21Z current 2017-02-06T10:53:21Z 2017-02-06T10:53:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for guile This update for guile fixes the following issues: - CVE-2016-8605: Fixed thread-unsafe umask modification (bsc#1004221). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP1-2017-196,SUSE-SLE-DESKTOP-12-SP2-2017-196,SUSE-SLE-RPI-12-SP2-2017-196,SUSE-SLE-SDK-12-SP1-2017-196,SUSE-SLE-SDK-12-SP2-2017-196,SUSE-SLE-SERVER-12-SP1-2017-196,SUSE-SLE-SERVER-12-SP2-2017-196 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20170398-1/ Link for SUSE-SU-2017:0398-1 https://lists.suse.com/pipermail/sle-security-updates/2017-February/002624.html E-Mail link for SUSE-SU-2017:0398-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1004221 SUSE Bug 1004221 https://www.suse.com/security/cve/CVE-2016-8605/ SUSE CVE CVE-2016-8605 page SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Software Development Kit 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SP2 guile-2.0.9-8.3 guile-modules-2_0-2.0.9-8.3 libguile-2_0-22-2.0.9-8.3 guile-devel-2.0.9-8.3 libguilereadline-v-18-18-2.0.9-8.3 guile-2.0.9-8.3 as a component of SUSE Linux Enterprise Desktop 12 SP1 guile-modules-2_0-2.0.9-8.3 as a component of SUSE Linux Enterprise Desktop 12 SP1 libguile-2_0-22-2.0.9-8.3 as a component of SUSE Linux Enterprise Desktop 12 SP1 guile-2.0.9-8.3 as a component of SUSE Linux Enterprise Desktop 12 SP2 guile-modules-2_0-2.0.9-8.3 as a component of SUSE Linux Enterprise Desktop 12 SP2 libguile-2_0-22-2.0.9-8.3 as a component of SUSE Linux Enterprise Desktop 12 SP2 guile-2.0.9-8.3 as a component of SUSE Linux Enterprise Server 12 SP1 guile-modules-2_0-2.0.9-8.3 as a component of SUSE Linux Enterprise Server 12 SP1 libguile-2_0-22-2.0.9-8.3 as a component of SUSE Linux Enterprise Server 12 SP1 guile-2.0.9-8.3 as a component of SUSE Linux Enterprise Server 12 SP2 guile-modules-2_0-2.0.9-8.3 as a component of SUSE Linux Enterprise Server 12 SP2 libguile-2_0-22-2.0.9-8.3 as a component of SUSE Linux Enterprise Server 12 SP2 guile-2.0.9-8.3 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 guile-modules-2_0-2.0.9-8.3 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 libguile-2_0-22-2.0.9-8.3 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 guile-2.0.9-8.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 guile-modules-2_0-2.0.9-8.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libguile-2_0-22-2.0.9-8.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 guile-2.0.9-8.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 guile-modules-2_0-2.0.9-8.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 libguile-2_0-22-2.0.9-8.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 guile-devel-2.0.9-8.3 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 libguilereadline-v-18-18-2.0.9-8.3 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 guile-devel-2.0.9-8.3 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 libguilereadline-v-18-18-2.0.9-8.3 as a component of SUSE Linux Enterprise Software Development Kit 12 SP2 The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. This is fixed in Guile 2.0.13. Prior versions are affected. CVE-2016-8605 SUSE Linux Enterprise Desktop 12 SP1:guile-2.0.9-8.3 SUSE Linux Enterprise Desktop 12 SP1:guile-modules-2_0-2.0.9-8.3 SUSE Linux Enterprise Desktop 12 SP1:libguile-2_0-22-2.0.9-8.3 SUSE Linux Enterprise Desktop 12 SP2:guile-2.0.9-8.3 SUSE Linux Enterprise Desktop 12 SP2:guile-modules-2_0-2.0.9-8.3 SUSE Linux Enterprise Desktop 12 SP2:libguile-2_0-22-2.0.9-8.3 SUSE Linux Enterprise Server 12 SP1:guile-2.0.9-8.3 SUSE Linux Enterprise Server 12 SP1:guile-modules-2_0-2.0.9-8.3 SUSE Linux Enterprise Server 12 SP1:libguile-2_0-22-2.0.9-8.3 SUSE Linux Enterprise Server 12 SP2:guile-2.0.9-8.3 SUSE Linux Enterprise Server 12 SP2:guile-modules-2_0-2.0.9-8.3 SUSE Linux Enterprise Server 12 SP2:libguile-2_0-22-2.0.9-8.3 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:guile-2.0.9-8.3 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:guile-modules-2_0-2.0.9-8.3 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libguile-2_0-22-2.0.9-8.3 SUSE Linux Enterprise Server for SAP Applications 12 SP1:guile-2.0.9-8.3 SUSE Linux Enterprise Server for SAP Applications 12 SP1:guile-modules-2_0-2.0.9-8.3 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libguile-2_0-22-2.0.9-8.3 SUSE Linux Enterprise Server for SAP Applications 12 SP2:guile-2.0.9-8.3 SUSE Linux Enterprise Server for SAP Applications 12 SP2:guile-modules-2_0-2.0.9-8.3 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libguile-2_0-22-2.0.9-8.3 SUSE Linux Enterprise Software Development Kit 12 SP1:guile-devel-2.0.9-8.3 SUSE Linux Enterprise Software Development Kit 12 SP1:libguilereadline-v-18-18-2.0.9-8.3 SUSE Linux Enterprise Software Development Kit 12 SP2:guile-devel-2.0.9-8.3 SUSE Linux Enterprise Software Development Kit 12 SP2:libguilereadline-v-18-18-2.0.9-8.3 low 3.2 AV:L/AC:L/Au:S/C:P/I:P/A:N 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170398-1/ https://www.suse.com/security/cve/CVE-2016-8605.html CVE-2016-8605 https://bugzilla.suse.com/1004221 SUSE Bug 1004221