CVE-2016-8605

MEDIUM

GNU Guile <2.0.13 - Privilege Escalation

Title source: llm

Description

The mkdir procedure of GNU Guile temporarily changed the process' umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, mkdir without the optional mode argument would create directories as 0777. This is fixed in Guile 2.0.13. Prior versions are affected.
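The window described above, as an added C illustration (this is not Guile's source code): a file created while the umask is temporarily zero, next to a directory creation that never touches the umask. The function names, the scratch path under /tmp and the starting umask of 022 are assumptions made for the demo, and the concurrent thread is simulated by a file creation in the same thread so the result is deterministic.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
/* Constructed scratch directory for the demo: /tmp/umask-demo-<pid>, mode 0700. */
int scratch_dir(char *buf, size_t n) {
    snprintf(buf, n, "/tmp/umask-demo-%ld", (long)getpid());
    return mkdir(buf, 0700);
}

/* What an unrelated thread might do: create a file; returns the mode bits it got. */
static int create_and_stat(const char *path) {
    struct stat st;
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
    if (fd < 0) return -1;
    int rc = fstat(fd, &st);
    close(fd);
    unlink(path);
    return rc == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Vulnerable pattern: "reading" the umask sets it to 0 process-wide until restored. */
int mode_inside_umask_window(const char *dir) {
    char path[512];
    snprintf(path, sizeof path, "%s/other-thread-file", dir);
    mode_t saved = umask(0);
    int seen = create_and_stat(path);   /* stands in for a concurrent thread */
    umask(saved);
    return seen;
}

/* Race-free form: leave the umask alone, ask for 0777, let the kernel apply the mask. */
int mkdir_default_mode(const char *dir) {
    char path[512];
    struct stat st;
    snprintf(path, sizeof path, "%s/sub", dir);
    if (mkdir(path, 0777) != 0 || stat(path, &st) != 0) return -1;
    rmdir(path);
    return (int)(st.st_mode & 0777);
}

int main(void) {
    char dir[256];
    umask(022);                          /* constructed starting umask */
    if (scratch_dir(dir, sizeof dir) != 0) return 1;
    printf("created inside window:  %04o\n", (unsigned)mode_inside_umask_window(dir));
    printf("mkdir, umask untouched: %04o\n", (unsigned)mkdir_default_mode(dir));
    return rmdir(dir);
}
```

With a starting umask of 022, the file created inside the window comes out as 0666 instead of 0644, while the directory created without changing the umask is 0755.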

Scores

CVSS v3 5.3
EPSS 0.0009
EPSS Percentile 25.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Classification

CWE
CWE-275
Status published

Affected Products (5)

fedoraproject/fedora
fedoraproject/fedora
fedoraproject/fedora
gnu/guile < 2.0.12
n/a/n/a

Timeline

Published Jan 12, 2017
Tracked Since Feb 18, 2026