Date: Sun, 20 Apr 2014 11:17:43 +0200 From: Sylvestre Ledru <sylvestre@...ian.org> To: cve-assign@...re.org, 744817@...s.debian.org, mmcallis@...hat.com CC: oss-security@...ts.openwall.com Subject: Re: Bug#744817: CVE request: insecure temporary file handling in clang's scan-build utility On 19/04/2014 05:29, cve-assign@...re.org wrote: > > Jakub Wilk discovered that clang's scan-build utility insecurely handled > > temporary files. > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817 > > > The GetHTMLRunDir subroutine ... > > > 3) The function doesn't fail if the directory already exists, even if > > it's owned by another user. > > Use CVE-2014-2893. I am going to have a look next week. It should be trivial to fix. Sylvestre Download attachment "signature.asc" of type "application/pgp-signature" (881 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ