Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 16 Jun 2014 23:00:21 +0200
From: Sylvestre Ledru <sylvestre@...ian.org>
To: cve-assign@...re.org, 744817@...s.debian.org, mmcallis@...hat.com
CC: oss-security@...ts.openwall.com
Subject: Re: Bug#744817: CVE request: insecure temporary file handling in
 clang's scan-build utility

On 16/06/2014 22:51, Sylvestre Ledru wrote:
> On 19/04/2014 05:29, cve-assign@...re.org wrote:
>>> Jakub Wilk discovered that clang's scan-build utility insecurely handled
>>> temporary files.
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817
>>> The GetHTMLRunDir subroutine ...
>>> 3) The function doesn't fail if the directory already exists, even if
>>> it's owned by another user.
>> Use CVE-2014-2893.
>>
> I think I fixed it upstream:
> http://llvm.org/viewvc/llvm-project?view=revision&revision=211051
> http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-build/scan-build?r1=210971&r2=211051&pathrev=211051
>
Actual patch fixed:
http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-build/scan-build?r1=210971&r2=211053&pathrev=211053
Sorry about the noise

Sylvestre



Download attachment "signature.asc" of type "application/pgp-signature" (881 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.