Bug#744817: CVE request: insecure temporary file handling in clang's scan-build utility

Sylvestre Ledru sylvestre at debian.org
Sun Apr 20 09:17:43 UTC 2014


On 19/04/2014 05:29, cve-assign at mitre.org wrote:
> > Jakub Wilk discovered that clang's scan-build utility insecurely handled
> > temporary files.
>
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817
>
> > The GetHTMLRunDir subroutine ...
>
> > 3) The function doesn't fail if the directory already exists, even if
> > it's owned by another user.
>
> Use CVE-2014-2893.
I am going to have a look next week. It should be trivial to fix.

Sylvestre


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 880 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-llvm-team/attachments/20140420/80b431f1/attachment.sig>


More information about the Pkg-llvm-team mailing list