From ${URL} :

Jakub Wilk discovered that clang's scan-build utility insecurely handled temporary files. A local attacker could use this flaw to perform a symbolic link attack against users running the scan-build utility.

Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
CVE-2014-2893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2893): The GetHTMLRunDir function in the scan-build utility in Clang 3.5 and earlier allows local users to obtain sensitive information or overwrite arbitrary files via a symlink attack on temporary directories with predictable names.
@maintainer(s), can 3.4.2-r100 be cleaned?
I'm going to take a closer look at this when I get home. If I recall correctly, this is still split, so we could drop clang while leaving llvm. However, I would feel better wiping both and there's one weak blocker for that.
Hmm, doesn't this apply to 3.5* as well? That's what I get from the description. In any case, 3.4 is already merged, so all the code is in llvm[clang]. I'll see if we can clean up the ebuild; alternatively, we can p.use.mask static-analyzer on those versions.
I've cleaned up 3.4*. Please let me know if 3.5* needs any action as well.
(In reply to Michał Górny from comment #5)
> I've cleaned up 3.4*. Please let me know if 3.5* needs any action as well.

The patch is present in cfe-3.5.0.src.tar.xz, which I believe is what llvm[clang] ultimately pulls in.

cfe-3.5.0.src/tools/scan-build/scan-build:

  # Make sure that the directory does not exist in order to avoid hijack.
  if (-e $NewDir) {
    DieDiag("The directory '$NewDir' already exists.\n");
  }

Per message #33: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817

Please let me know if it is packaged differently than expected...
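The check quoted above refuses to reuse a pre-existing directory. The following is an added illustration written for this thread, not scan-build's own code (it is Python rather than scan-build's Perl): the predictable-name pattern that silently reuses whatever already occupies the path, beside two hardened variants, one mirroring the quoted existence check and one letting mkdtemp choose an unpredictable mode-0700 directory. The function names, the `demo()` harness and the sample run name `scan-build-2014-04-14-1` are constructed for the example.

```python
import os
import shutil
import stat
import tempfile


def make_run_dir_unsafe(base, run_name):
    """Predictable name plus exist_ok: whatever already sits at that path
    (a directory, or a planted symlink to one) is silently reused as the
    output directory. This is the pattern the CVE describes."""
    path = os.path.join(base, run_name)
    os.makedirs(path, exist_ok=True)
    return path


def make_run_dir_checked(base, run_name):
    """Mirror of the quoted scan-build fix: refuse a path that already exists.
    os.mkdir without exist_ok is the atomic guard (it fails if anything is
    created at that path in between); lexists only gives the friendlier
    message and also catches dangling symlinks."""
    path = os.path.join(base, run_name)
    if os.path.lexists(path):
        raise FileExistsError(f"The directory '{path}' already exists.")
    os.mkdir(path, 0o700)
    return path


def make_run_dir_random(base, prefix="scan-build-"):
    """Stronger option: let mkdtemp pick an unpredictable name and create it
    mode 0700 in one step, so there is no name to guess and no race."""
    return tempfile.mkdtemp(prefix=prefix, dir=base)


def is_private_dir(path):
    """True only for a real directory (not a symlink) with mode exactly 0700."""
    st = os.lstat(path)
    return stat.S_ISDIR(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o700


def demo():
    """Run the three variants against a throwaway base directory and report
    what each did; the base directory is removed afterwards."""
    base = tempfile.mkdtemp(prefix="demo-base-")
    run_name = "scan-build-2014-04-14-1"   # constructed predictable name
    results = {}
    try:
        # Something already occupies the predictable name (constructed here
        # as a plain directory; in the reported bug it would be a symlink).
        planted = os.path.join(base, run_name)
        os.mkdir(planted)

        # Unsafe variant: hands back the pre-existing entry as if it were ours.
        results["unsafe_reused_existing"] = make_run_dir_unsafe(base, run_name) == planted

        # Checked variant: refuses the occupied name outright.
        try:
            make_run_dir_checked(base, run_name)
            results["checked_refused"] = False
        except FileExistsError:
            results["checked_refused"] = True

        # Checked variant on a free name: creates a private 0700 directory.
        fresh = make_run_dir_checked(base, "scan-build-2014-04-14-2")
        results["checked_private"] = is_private_dir(fresh)

        # mkdtemp variant: private and with a random suffix after the prefix.
        rnd = make_run_dir_random(base)
        name = os.path.basename(rnd)
        results["random_private"] = is_private_dir(rnd)
        results["random_unpredictable"] = (
            name.startswith("scan-build-") and len(name) > len("scan-build-")
        )
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The distinction worth keeping in mind when reviewing similar code is that the existence test alone is a TOCTOU window; what actually makes `make_run_dir_checked` safe is that `os.mkdir` itself fails when the path exists, so the check and the creation cannot be separated by a planted entry.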
(In reply to Michał Górny from comment #4)
> Hmm, doesn't this apply to 3.5* as well? That's what I get from the
> description.
>
> In any case, 3.4 is already merged, so all the code is in llvm[clang]. I'll
> see if we can clean up the ebuild; alternatively, we can p.use.mask
> static-analyzer on those versions.

The CVEs are not always the best. The vulnerability was discovered against an SVN snapshot so they had time to patch it before the 3.5.0 release.
Ah, ok then. I guess we're done here then.
(In reply to Michał Górny from comment #8)
> Ah, ok then. I guess we're done here then.

Michał, thanks for the assistance as always.

GLSA Vote: No