GNU Guile 2.0.13 released [security fixes]


From: Ludovic Courtès
Subject: GNU Guile 2.0.13 released [security fixes]
Date: Wed, 12 Oct 2016 14:06:30 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

We are pleased to announce GNU Guile release 2.0.13, the next maintenance
release for the 2.0.x stable series, containing important security fixes.
This release contains 44 commits by 11 people over 4 months.

Guile is an implementation of the Scheme programming language.  It is
designed to help programmers create flexible applications that can be
extended by users or other programmers with plug-ins, modules, or
scripts.  With Guile you can create applications and games for the
desktop, the Web, the command-line, and more.

See https://gnu.org/software/guile/ for more information.

In parallel the Guile development team has been hard at work on the next
stable series, which we hope will see a stable release within the next
couple months.  Inquisitive users should see the recent 2.1.4 release
notes at
https://lists.gnu.org/archive/html/guile-user/2016-09/msg00042.html for
a preview of our future stable series.

========================================================================

Here are the compressed sources:
  ftp://ftp.gnu.org/gnu/guile/guile-2.0.13.tar.gz   (7.5MB)
  ftp://ftp.gnu.org/gnu/guile/guile-2.0.13.tar.lz   (4.2MB)
  ftp://ftp.gnu.org/gnu/guile/guile-2.0.13.tar.xz   (4.6MB)

Here are the GPG detached signatures[*]:
  ftp://ftp.gnu.org/gnu/guile/guile-2.0.13.tar.gz.sig
  ftp://ftp.gnu.org/gnu/guile/guile-2.0.13.tar.lz.sig
  ftp://ftp.gnu.org/gnu/guile/guile-2.0.13.tar.xz.sig

Use a mirror for higher download bandwidth:
  http://www.gnu.org/order/ftp.html

Here are the MD5 and SHA1 checksums:


[*] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify guile-2.0.13.tar.gz.sig

If that command fails because you don't have the required public key,
then run this command to import it:

  gpg --keyserver pgp.mit.edu --recv-keys 3CE464558A84FDC69DB40CFB090B11993D9AEBB5

and rerun the 'gpg --verify' command.

This release was bootstrapped with the following tools:
  Autoconf 2.69
  Automake 1.15
  Libtool 2.4.6
  Makeinfo 6.3
  Gnulib v0.1-800-g68b6ade

========================================================================

Changes in 2.0.13 (since 2.0.12):

* Security fixes

** CVE-2016-8606: REPL server now protects against HTTP inter-protocol
   attacks

Guile 2.x provides a "REPL server" started by the '--listen'
command-line option or equivalent API (see "REPL Servers" in the
manual).

The REPL server is vulnerable to the HTTP inter-protocol attack as
described at
<https://en.wikipedia.org/wiki/Inter-protocol_exploitation>, notably the
HTML form protocol attack described at
<https://www.jochentopf.com/hfpa/hfpa.pdf>.  A "DNS rebinding attack"
can be combined with this attack and allow an attacker to send arbitrary
Guile code to the REPL server through web pages accessed by the
developer, even though the REPL server is listening to a loopback device
("localhost").  This was demonstrated in an article entitled "How to
steal any developer's local database" available at
<http://bouk.co/blog/hacking-developers/>.

The REPL server in Guile 2.0.13 now detects attempts to exploit this
vulnerability.  It immediately closes the connection when it receives a
line that looks like an HTTP request.

Nevertheless, we recommend binding the REPL server to a Unix-domain
socket, for instance by running:

  guile --listen=/tmp/guile-socket
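An added example, not code from Guile itself, that models the 2.0.13 check in Python: a line read from the REPL socket that parses as an HTTP request line closes the connection before any of the request body is consumed. The regex, function names and both sample sessions are this example's own constructions.

```python
import re

# Request-line shape (RFC 7230): METHOD SP request-target SP HTTP/major.minor
_HTTP_REQUEST_LINE = re.compile(
    r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/\d\.\d\s*$"
)

def looks_like_http_request(line):
    """True when a line read from the REPL socket is an HTTP request line.
    A browser-originated connection (HTML form post or XHR, with or without
    DNS rebinding) always begins with one; Scheme input never does."""
    return _HTTP_REQUEST_LINE.match(line) is not None

def serve_connection(lines):
    """Model of the REPL server's per-connection read loop.
    Returns (forms_accepted, close_reason).  Forms are only recorded, never
    evaluated: this demonstrates the decision logic, not a REPL."""
    accepted = []
    for line in lines:
        if looks_like_http_request(line):
            # 2.0.13 behaviour: drop the connection at once, before any of
            # the request body (where the smuggled code would sit) is read.
            return accepted, "closed: HTTP request line rejected"
        if line.strip():
            accepted.append(line.strip())
    return accepted, "closed: end of input"

# Constructed sample sessions (not captured from a real Guile instance).
LEGIT_SESSION = ["(+ 1 2)", "(display \"hello\")"]
FORM_POST_SESSION = [
    "POST / HTTP/1.1",
    "Host: localhost",
    "Content-Type: text/plain",
    "",
    "(display \"injected by a web page\")",  # body of the form submission
]

if __name__ == "__main__":
    for name, session in (("legit", LEGIT_SESSION), ("form post", FORM_POST_SESSION)):
        print(name, "->", serve_connection(session))
```

The check only catches connections whose first line is a request line, which is why the announcement still recommends a Unix-domain socket: a browser cannot reach one at all.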

** CVE-2016-8605: 'mkdir' procedure no longer calls umask(2)
   (<http://bugs.gnu.org/24659>)

When the second argument to the 'mkdir' procedure was omitted, it would
call umask(0) followed by umask(previous_umask) and apply the umask to
mode #o777.

This was unnecessary and a security issue for multi-threaded
applications: during a small window the process' umask was set to zero,
so other threads calling mkdir(2) or open(2) could end up creating
world-readable/writable/executable directories or files.
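An added example, written in Python rather than Guile's own C, reproducing the umask dance the old 'mkdir' performed next to the direct call the fix uses, and racing another thread's open(2) against each to show why the window matters. Function names are this example's own; it assumes a POSIX system.

```python
import os
import tempfile
import threading

def vulnerable_mkdir(path):
    """Pre-2.0.13 behaviour: clear the umask to read it, restore it, apply it
    to #o777 by hand.  Between the two umask() calls the whole process has umask 0."""
    prev = os.umask(0)
    os.umask(prev)
    os.mkdir(path, 0o777 & ~prev)

def fixed_mkdir(path):
    """2.0.13 behaviour: pass the full mode and let mkdir(2) apply the
    process umask in the kernel; shared process state is never modified."""
    os.mkdir(path, 0o777)

def mode_bits(path):
    return os.stat(path).st_mode & 0o777

def mkdir_mode(mkdir_impl):
    """Single-threaded result under umask 0o022: both variants agree, which is why the bug hid."""
    os.umask(0o022)
    d = os.path.join(tempfile.mkdtemp(), "d")
    mkdir_impl(d)
    return mode_bits(d)

def observe_race(mkdir_impl, iterations=2000):
    """Loop mkdir_impl while another thread creates files with open(2) mode
    0o666 under umask 0o022.  Returns the set of modes those files received;
    any value other than 0o644 means a file landed inside the umask-0 window."""
    os.umask(0o022)
    tmp, seen, stop = tempfile.mkdtemp(), set(), threading.Event()
    def creator():
        i = 0
        while not stop.is_set():
            p = os.path.join(tmp, "f%d" % i)
            os.close(os.open(p, os.O_CREAT | os.O_WRONLY, 0o666))
            seen.add(mode_bits(p))
            os.unlink(p)
            i += 1
    t = threading.Thread(target=creator)
    t.start()
    for i in range(iterations):
        d = os.path.join(tmp, "d%d" % i)
        mkdir_impl(d)
        os.rmdir(d)
    stop.set()
    t.join()
    return seen
```

Whether the race actually lands in a given run depends on scheduling; the point is that the fixed variant can never produce a 0o666 file, while the old one can.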

* New interfaces

** mkstemp! takes optional "mode" argument

See "File System" in the manual, for more.

** New 'scm_to_uintptr_t' and 'scm_from_uintptr_t' C functions

* Bug fixes

** Fix optimizer bug when compiling fixpoint operator
** Fix build error on MinGW
** Update 'uname' implementation on MinGW
** 'port-encoding' and 'set-port-encoding!' ensure they are passed an
   open port
** (system base target) now recognizes Alpha as a cross-compilation target

========================================================================

You can follow Guile development in the Git repository and on the Guile
mailing lists.  Note that Guile builds from the 'master' branch of Git
have version number 2.1.x; the stable release series can be had from
'stable-2.0'.

Guile versions with an odd middle number, e.g., 2.1.*, are unstable
development versions.  Even middle numbers indicate stable versions.
This has been the case since the 1.3.* series.

Please report bugs to address@hidden.  We also welcome reports of
successful builds, which can be sent to the same email address.

Happy hacking with Guile!

Ludovic, on behalf of the Guile team.
