GNU Guile 2.0.13 released [security fixes]
Wed, 12 Oct 2016 14:06:30 +0200
We are pleased to announce GNU Guile release 2.0.13, the next maintenance
release for the 2.0.x stable series, containing important security fixes.
This release contains 44 commits by 11 people over 4 months.
Guile is an implementation of the Scheme programming language. It is
designed to help programmers create flexible applications that can be
extended by users or other programmers with plug-ins, modules, or
scripts. With Guile you can create applications and games for the
desktop, the Web, the command-line, and more.
See https://gnu.org/software/guile/ for more information.
In parallel the Guile development team has been hard at work on the next
stable series, which we hope will see a stable release within the next
couple months. Inquisitive users should see the recent 2.1.4 release for
a preview of our future stable series.
Here are the compressed sources:
Here are the GPG detached signatures[*]:
Use a mirror for higher download bandwidth:
Here are the MD5 and SHA1 checksums:
[*] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:
gpg --verify guile-2.0.13.tar.gz.sig
If that command fails because you don't have the required public key,
then run this command to import it:
gpg --keyserver pgp.mit.edu --recv-keys
and rerun the 'gpg --verify' command.
This release was bootstrapped with the following tools:
Changes in 2.0.13 (since 2.0.12):
* Security fixes
** CVE-2016-8606: REPL server now protects against HTTP inter-protocol
Guile 2.x provides a "REPL server" started by the '--listen'
command-line option or equivalent API (see "REPL Servers" in the
The REPL server is vulnerable to the HTTP inter-protocol attack as
<https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the
HTML form protocol attack described at
<https://www.jochentopf.com/hfpa/hfpa.pdf>. A "DNS rebinding attack"
can be combined with this attack and allow an attacker to send arbitrary
Guile code to the REPL server through web pages accessed by the
developer, even though the REPL server is listening to a loopback device
("localhost"). This was demonstrated in an article entitled "How to
steal any developer's local database" available at
The REPL server in Guile 2.0.13 now detects attempts to exploit this
vulnerability. It immediately closes the connection when it receives a
line that looks like an HTTP request.
Nevertheless, we recommend binding the REPL server to a Unix-domain
socket, for instance by running:
** CVE-2016-8605: 'mkdir' procedure no longer calls umask(2)
When the second argument to the 'mkdir' procedure was omitted, it would
call umask(0) followed by umask(previous_umask) and apply the umask to
This was unnecessary and a security issue for multi-threaded
applications: during a small window the process' umask was set to zero,
so other threads calling mkdir(2) or open(2) could end up creating
world-readable/writable/executable directories or files.
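The umask race described above, as an added C example (not Guile's own code): the pre-2.0.13 umask(0)/umask(prev) round-trip next to the 2.0.13 approach of requesting 0777 and letting mkdir(2) apply the umask. The function names, the scratch directory under /tmp and the 'other_work' callback standing in for a concurrent thread are assumptions of the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pre-2.0.13 pattern: learn the umask by setting it to 0 and restoring it.
   'other_work' stands in for whatever another thread does in that window. */
static int mkdir_umask_roundtrip(const char *path, void (*other_work)(void))
{
  mode_t prev = umask(0);        /* window opens: process umask is now 0 */
  if (other_work) other_work();  /* a sibling thread may run here */
  umask(prev);                   /* window closes */
  return mkdir(path, 0777 & ~prev);
}

/* 2.0.13 behaviour: request 0777 and let mkdir(2) apply the umask itself;
   process-wide state is never touched. */
static int mkdir_kernel_applies_umask(const char *path) { return mkdir(path, 0777); }

/* Permission bits of 'path', or -1 if it cannot be stat'ed. */
static int perm_bits(const char *p) { struct stat st; return stat(p, &st) == 0 ? (int)(st.st_mode & 0777) : -1; }

static char g_file[64];
/* Stands in for a sibling thread calling open(2) while the umask is 0:
   the file is created with exactly the requested 0666, i.e. world-writable. */
static void open_file_in_window(void)
{
  int fd = open(g_file, O_WRONLY | O_CREAT | O_EXCL, 0666);
  if (fd >= 0) close(fd);
}

/* Run both variants under umask 022 in a scratch directory. Returns the mode of
   the file created inside the window (0666 with the old pattern); both directories
   end up 0755, reported through the out-parameters. Returns -1 on setup failure. */
int demo(int *old_dir_mode, int *new_dir_mode)
{
  char base[48], d_old[64], d_new[64];
  snprintf(base, sizeof base, "/tmp/guile-umask-%ld", (long)getpid());
  umask(022);
  if (mkdir(base, 0777) != 0) return -1;
  snprintf(g_file, sizeof g_file, "%s/file", base);
  snprintf(d_old, sizeof d_old, "%s/old", base);
  snprintf(d_new, sizeof d_new, "%s/new", base);
  mkdir_umask_roundtrip(d_old, open_file_in_window);
  mkdir_kernel_applies_umask(d_new);
  *old_dir_mode = perm_bits(d_old); *new_dir_mode = perm_bits(d_new);
  int file_mode = perm_bits(g_file);
  unlink(g_file); rmdir(d_old); rmdir(d_new); rmdir(base);
  return file_mode;
}
```

The directories come out identical either way; the difference is only visible in what other threads create during the window, which is why the defect was hard to notice in single-threaded tests.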
* New interfaces
** mkstemp! takes optional "mode" argument
See "File System" in the manual, for more.
** New 'scm_to_uintptr_t' and 'scm_from_uintptr_t' C functions
* Bug fixes
** Fix optimizer bug when compiling fixpoint operator
** Fix build error on MinGW
** Update 'uname' implementation on MinGW
** 'port-encoding' and 'set-port-encoding!' ensure they are passed an
** (system base target) now recognizes Alpha as a cross-compilation target
You can follow Guile development in the Git repository and on the Guile
mailing lists. Note that Guile builds from the 'master' branch of Git
have version number 2.1.x; the stable release series can be had from
Guile versions with an odd middle number, e.g., 2.1.*, are unstable
development versions. Even middle numbers indicate stable versions.
This has been the case since the 1.3.* series.
Please report bugs to address@hidden. We also welcome reports of
successful builds, which can be sent to the same email address.
Happy hacking with Guile!
Ludovic, on behalf of the Guile team.