Guile 2.0.13 fixes a couple of security issues:


CVE-2016-8606 can be serious (remote code execution), but developers
using Guile can readily work around it; see the description at:


In particular, Geiser already uses Unix-domain sockets to talk to Guile,
which means we’re safe here.

CVE-2016-8605 is about the possibility of creating files with insecure
permissions in multithreaded programs.  Apart from our own grafting code
(the infamous <http://bugs.gnu.org/22954>), this is probably a rare

So, what do we do?

Given that core-updates with Guile 2.0.12 is on its way and that master
is still at 2.0.11, I’d suggest to leave master as-is and focus on

There we have 2 options:

  1. Changing ‘guile-2.0/fixed’ to 2.0.13, but 1,310 packages depend on it.

  2. Grafting 2.0.13, which is doable since 2.0.12 and .13 have the same ABI.

I have a preference for #2.



Reply via email to