Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 Oct 2016 14:11:59 +0200
From: (Ludovic Courtès)
CC: Andy Wingo <>, Mark H Weaver <>
Subject: CVE request: GNU Guile <= 2.0.12: Thread-unsafe umask modification

The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme
programming language, temporarily changed the process’ umask to zero.
During that time window, in a multithreaded application, other threads
could end up creating files with insecure permissions.  For example,
‘mkdir’ without the optional ‘mode’ argument would create directories
as 0777.

This can be worked around by always passing the optional ‘mode’ argument
to Guile’s ‘mkdir’ procedure.

This will be fixed in Guile 2.0.13, to be released shortly.

Upstream bug report:


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.