| Summary: | <sys-devel/clang-3.5.0-r100: insecure temporary file handling in clang's scan-build utility (CVE-2014-2893) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | clang+obsolete, mgorny, wizardedit |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1088105 | | |
| Whiteboard: | B4 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 585102 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
2014-04-16 07:48:14 UTC
CVE-2014-2893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2893): The GetHTMLRunDir function in the scan-build utility in Clang 3.5 and earlier allows local users to obtain sensitive information or overwrite arbitrary files via a symlink attack on temporary directories with predictable names.

@maintainer(s), can 3.4.2-r100 be cleaned?

I'm going to take a closer look at this when I get home. If I recall correctly, this is still split, so we could drop clang while leaving llvm. However, I would feel better wiping both and there's one weak blocker for that.

Hmm, doesn't this apply to 3.5* as well? That's what I get from the description.

In any case, 3.4 is already merged, so all the code is in llvm[clang]. I'll see if we can clean up the ebuild; alternatively, we can p.use.mask static-analyzer on those versions.

I've cleaned up 3.4*. Please let me know if 3.5* needs any action as well.

(In reply to Michał Górny from comment #5)
> I've cleaned up 3.4*. Please let me know if 3.5* needs any action as well.

The patch is present in cfe-3.5.0.src.tar.xz, which I believe is what llvm[clang] ultimately pulls in.

cfe-3.5.0.src/tools/scan-build/scan-build:

    # Make sure that the directory does not exist in order to avoid hijack.
    if (-e $NewDir) {
      DieDiag("The directory '$NewDir' already exists.\n");
    }

Per message #33: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817

Please let me know if it is packaged differently than expected...

(In reply to Michał Górny from comment #4)
> Hmm, doesn't this apply to 3.5* as well? That's what I get from the
> description.
>
> In any case, 3.4 is already merged, so all the code is in llvm[clang]. I'll
> see if we can clean up the ebuild; alternatively, we can p.use.mask
> static-analyzer on those versions.

The CVEs are not always the best. The vulnerability was discovered against an SVN snapshot so they had time to patch it before the 3.5.0 release.

Ah, ok then. I guess we're done here then.

(In reply to Michał Górny from comment #8)
> Ah, ok then. I guess we're done here then.

Michał, thanks for the assistance as always.

GLSA Vote: No
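Added example, not scan-build's own code nor anything from the bug thread: it shows, in Python rather than scan-build's Perl, the directory-creation pattern the quoted fix addresses (refuse a report directory that already exists, so a pre-placed symlink at a predictable path is never followed) and the preferred variant of letting the OS pick an unpredictable name. Function names such as create_run_dir are assumed for illustration.

```python
import os
import tempfile


def predictable_run_dir(base, date_tag="2014-04-16-1"):
    """The weak pattern: a guessable report path under a shared directory."""
    return os.path.join(base, f"scan-build-{date_tag}")


def create_run_dir(path):
    """Create `path` for reports, refusing any pre-existing entry.

    Same intent as the 3.5.0 fix quoted above (die if the directory exists),
    but it relies on mkdir's own EEXIST failure instead of a separate -e test,
    so there is no check-then-create window. mkdir does not follow a symlink
    in the final path component, so a planted link also makes it fail.
    """
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        raise RuntimeError(f"The directory '{path}' already exists.")
    return path


def create_private_run_dir(base):
    """Preferred: an unpredictable, mode-0700 directory chosen by mkdtemp."""
    return tempfile.mkdtemp(prefix="scan-build-", dir=base)


def demo():
    """Constructed scenario: a symlink already sits at the predictable path.

    Returns (hijack_refused, private_dir_is_real_dir).
    """
    base = tempfile.mkdtemp()                 # stands in for /tmp
    target = os.path.join(base, "victim")
    os.mkdir(target)
    planted = predictable_run_dir(base)
    os.symlink(target, planted)               # pre-existing link, constructed for the demo
    try:
        create_run_dir(planted)
        refused = False
    except RuntimeError:
        refused = True
    private = create_private_run_dir(base)
    return refused, os.path.isdir(private) and not os.path.islink(private)
```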