From ${URL} :

The ‘mkdir’ procedure of GNU Guile, an implementation of the Scheme programming language, temporarily changed the process’ umask to zero. During that time window, in a multithreaded application, other threads could end up creating files with insecure permissions. For example, ‘mkdir’ without the optional ‘mode’ argument would create directories as 0777.

This can be worked around by always passing the optional ‘mode’ argument to Guile’s ‘mkdir’ procedure.

This will be fixed in Guile 2.0.13, to be released shortly.

Upstream bug report: http://bugs.gnu.org/24659
Patch: http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=245608911698adb3472803856019bdd5670b6614

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
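The umask window described in the report above, as an added C example that is not part of the original report and is not Guile's code. It is a simplified model: `other_thread_creates` stands in for a second thread so the outcome is deterministic, and the function names, the 022 umask and the `/tmp/umask-demo-<pid>` path are assumptions made for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for a second thread creating a file at this instant. */
static void other_thread_creates(const char *path) {
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
    if (fd >= 0) close(fd);
}
/* Racy pattern: the umask is process-wide, so zeroing it to read it
   exposes every thread until it is restored. */
static int mkdir_racy(const char *dir, const char *file) {
    mode_t mask = umask(0);        /* window opens */
    other_thread_creates(file);    /* lands inside the window */
    int rc = mkdir(dir, 0777 & ~mask);
    umask(mask);                   /* window closes */
    return rc;
}
/* Race-free: never touch the umask; the kernel applies it to 0777. */
static int mkdir_safe(const char *dir, const char *file) {
    other_thread_creates(file);
    return mkdir(dir, 0777);
}
/* Runs one variant in a scratch dir under a constructed umask of 022.
   Returns the file's permission bits, or the directory's if want_dir. */
int observe(int racy, int want_dir) {
    char base[64], dir[80], file[80];
    struct stat st;
    int result = -1;
    mode_t saved = umask(022);
    snprintf(base, sizeof base, "/tmp/umask-demo-%ld", (long)getpid());
    snprintf(dir, sizeof dir, "%s/d", base);
    snprintf(file, sizeof file, "%s/f", base);
    if (mkdir(base, 0700) == 0) {  /* fails if the name already exists */
        if ((racy ? mkdir_racy : mkdir_safe)(dir, file) == 0 &&
            stat(want_dir ? dir : file, &st) == 0)
            result = (int)(st.st_mode & 0777);
        unlink(file); rmdir(dir); rmdir(base);
    }
    umask(saved);
    return result;
}

int main(void) {
    printf("file created in window: racy %04o, safe %04o\n",
           (unsigned)observe(1, 0), (unsigned)observe(0, 0));
    return 0;
}
```

Both variants produce the same directory mode; only the file created while the umask is zero differs, which is why the problem is easy to miss when testing single-threaded.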
@maintainers: also needs separate verification on whether it affects the current stable branch (1.8.x); if not, rating should be changed to ~3.
This likely also affects 1.8 branch
committer Amy Winston <amynka@gentoo.org> 2016-11-05 12:55:59 (GMT)
commit f4acb8b7ed70914fc98bbb7532b44b7087b85048

dev-scheme/guile: version bump 2.0.13
Bugs: 597216,596864,596876

committer Amy Winston <amynka@gentoo.org> 2016-11-06 19:13:23 (GMT)
commit 857729aac64d4c4a007fefdb66d2d461adac7110

dev-scheme/guile: remove old 2.0.12

For the stable 1.8.8 version revbumped to r3:

committer Amy Winston <amynka@gentoo.org> 2016-11-06 19:13:23 (GMT)
commit 5fda0962579cd0d6ec0e7ebf22bec1b4685be0bd

dev-scheme/guile: add unmask patch bug #596864

Version guile-1.8.8-r3 should be ready for stabilisation.
Desired arches: alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86
(In reply to Amy Winston from comment #3)
> committer Amy Winston <amynka@gentoo.org> 2016-11-05 12:55:59 (GMT)
> commit f4acb8b7ed70914fc98bbb7532b44b7087b85048
>
> dev-scheme/guile: version bump 2.0.13
> Bugs: 597216,596864,596876
>
> committer Amy Winston <amynka@gentoo.org> 2016-11-06 19:13:23 (GMT)
> commit 857729aac64d4c4a007fefdb66d2d461adac7110
>
> dev-scheme/guile: remove old 2.0.12
>
>
> For the stable 1.8.8 version revbumped to r3:
>
> committer Amy Winston <amynka@gentoo.org> 2016-11-06 19:13:23 (GMT)
> commit 5fda0962579cd0d6ec0e7ebf22bec1b4685be0bd
>
> dev-scheme/guile: add unmask patch bug #596864
>
> Version guile-1.8.8-r3 should be ready for stabilisation.
> Desired arches: alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc
> x86

Stable arches CC'ed per security project guidelines. If you require the additional unstable arches to stabilize the package then please open a non-security bug requesting it.

GLSA Vote: No
amd64 stable
Stable on alpha.
Stable for HPPA PPC64.
x86 stable
arm stable
sparc stable
ia64 stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
commit c8a92cf2629cb44be78fcaea749d662795164b8e
Author: Amy Winston <amynka@gentoo.org>
Date: Tue Dec 20 11:08:46 2016 +0100

dev-scheme/guile: clean up sec bug #596864
GLSA vote: no.