
Bug 507792 (CVE-2014-2893)

Summary: <sys-devel/clang-3.5.0-r100: insecure temporary file handling in clang's scan-build utility (CVE-2014-2893)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: clang+obsolete, mgorny, wizardedit
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1088105
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 585102
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2014-04-16 07:48:14 UTC
From ${URL}:

Jakub Wilk discovered that clang's scan-build utility insecurely handled temporary files. A local attacker could use this flaw to perform a symbolic link attack against users running the scan-build utility.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-04-28 19:23:55 UTC
CVE-2014-2893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2893):
  The GetHTMLRunDir function in the scan-build utility in Clang 3.5 and
  earlier allows local users to obtain sensitive information or overwrite
  arbitrary files via a symlink attack on temporary directories with
  predictable names.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-07-05 09:42:19 UTC
@maintainer(s), can 3.4.2-r100 be cleaned?
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-07-05 15:04:10 UTC
I'm going to take a closer look at this when I get home. If I recall correctly, this is still split, so we could drop clang while leaving llvm. However, I would feel better wiping both and there's one weak blocker for that.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-07-05 15:23:04 UTC
Hmm, doesn't this apply to 3.5* as well? That's what I get from the description.

In any case, 3.4 is already merged, so all the code is in llvm[clang]. I'll see if we can clean up the ebuild; alternatively, we can p.use.mask static-analyzer on those versions.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-07-05 19:05:56 UTC
I've cleaned up 3.4*. Please let me know if 3.5* needs any action as well.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-07-05 22:50:26 UTC
(In reply to Michał Górny from comment #5)
> I've cleaned up 3.4*. Please let me know if 3.5* needs any action as well.

The patch is present in cfe-3.5.0.src.tar.xz, which I believe is what llvm[clang] ultimately pulls in.  

cfe-3.5.0.src/tools/scan-build/scan-build:

  # Make sure that the directory does not exist in order to avoid hijack.
  if (-e $NewDir) {
      DieDiag("The directory '$NewDir' already exists.\n");
  }


Per message #33:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817


Please let me know if it is packaged differently than expected...
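The following is an added illustration of the issue described in the CVE text (comment 1) and of the check quoted from scan-build above (comment 6). It is not code from clang, scan-build or this bug; it is a Python re-enactment that stands in for the Perl tool. The name scheme scan-build-<date>-<N> is a hypothetical stand-in for the predictable name GetHTMLRunDir derived, and everything runs inside a private sandbox directory that plays the role of /tmp, so it can be executed safely by any user. Beyond the bug's own fix (refuse an existing path), it also shows the stronger variant of letting mkdtemp() choose an unguessable name.

```python
"""Predictable temp-dir creation (the CVE-2014-2893 pattern) next to the
fix quoted in the bug and a mkdtemp()-based variant.  Added illustration,
not code from clang/scan-build.  All paths live in a private sandbox."""
import os
import tempfile

DATE = "2014-04-16"   # constructed date; the real tool used the current date


def predictable_name(tmp, date, run_number):
    """Hypothetical stand-in for the guessable <tmp>/scan-build-<date>-<N>
    name that the unpatched GetHTMLRunDir built from the date and a counter."""
    return os.path.join(tmp, "scan-build-%s-%d" % (date, run_number))


def vulnerable_run_dir(tmp, date, run_number=1):
    """Unpatched pattern: build the predictable name and create it with a
    mkpath()-style call that silently accepts a path that already exists.
    A symlink planted there by another local user is simply followed."""
    path = predictable_name(tmp, date, run_number)
    os.makedirs(path, exist_ok=True)
    return path


def checked_run_dir(tmp, date, run_number=1):
    """Pattern of the fix quoted in comment 6: refuse an existing path, then
    create.  os.mkdir() (not makedirs) also fails atomically with EEXIST, so a
    symlink planted between the check and the mkdir cannot win either."""
    path = predictable_name(tmp, date, run_number)
    if os.path.lexists(path):        # lexists() also sees dangling symlinks
        raise FileExistsError("The directory '%s' already exists." % path)
    os.mkdir(path)
    return path


def random_run_dir(tmp):
    """Stronger variant: mkdtemp() picks an unguessable name, creates it
    exclusively with mode 0700, so there is no fixed name to squat on."""
    return tempfile.mkdtemp(prefix="scan-build-", dir=tmp)


def demo():
    """Play attacker and victim inside a sandbox that stands in for /tmp.
    Returns a dict of outcomes so the result can be checked programmatically."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        tmp = os.path.join(sandbox, "tmp")
        victim_home = os.path.join(sandbox, "home", "victim")
        os.makedirs(tmp)
        os.makedirs(victim_home)

        # Attacker (any local user): squat on the name the victim will use.
        trap = predictable_name(tmp, DATE, 1)
        os.symlink(victim_home, trap)

        # Victim runs the unpatched tool and writes a report into "its" dir.
        run_dir = vulnerable_run_dir(tmp, DATE, 1)
        with open(os.path.join(run_dir, "index.html"), "w") as fh:
            fh.write("<html>report</html>\n")
        # The file landed in the attacker-chosen target, not under tmp.
        results["hijacked"] = os.path.isfile(
            os.path.join(victim_home, "index.html"))

        # Same squatted name against the patched check: refused.
        try:
            checked_run_dir(tmp, DATE, 1)
            results["checked_refused"] = False
        except FileExistsError:
            results["checked_refused"] = True

        # mkdtemp() never reuses an existing name and is not guessable.
        rnd = random_run_dir(tmp)
        results["random_is_fresh_dir"] = (os.path.isdir(rnd)
                                         and not os.path.islink(rnd)
                                         and rnd != trap)
        results["random_mode_0700"] = (os.stat(rnd).st_mode & 0o777) == 0o700
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```

The design point a reviewer would raise: an existence test followed by a separate create is a check-then-use sequence, so what actually closes the race is the creation call failing on an existing name (mkdir returning EEXIST) rather than tolerating it; the quoted -e check turns that failure into a clear diagnostic. Removing the predictable name altogether, as mkdtemp() does, takes the squatting opportunity away entirely.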
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-07-05 23:23:47 UTC
(In reply to Michał Górny from comment #4)
> Hmm, doesn't this apply to 3.5* as well? That's what I get from the
> description.
> 
> In any case, 3.4 is already merged, so all the code is in llvm[clang]. I'll
> see if we can clean up the ebuild; alternatively, we can p.use.mask
> static-analyzer on those versions.

The CVEs are not always the best.  The vulnerability was discovered against an SVN snapshot so they had time to patch it before the 3.5.0 release.
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-07-06 02:25:37 UTC
Ah, ok then. I guess we're done here then.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-07-06 02:44:53 UTC
(In reply to Michał Górny from comment #8)
> Ah, ok then. I guess we're done here then.

Michał, thanks for the assistance as always.

GLSA Vote: No