Bugzilla – Full Text Bug Listing

Summary: | VUL-0: CVE-2014-2893: llvm: insecure temporary file handling in clang's scan-build utility | | |
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Alexander Bergmann <abergmann> |
Component: | Incidents | Assignee: | Ismail Dönmez <ismail> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Minor | | |
Priority: | P3 - Medium | CC: | smash_bz |
Version: | unspecified | | |
Target Milestone: | --- | | |
Hardware: | Other | | |
OS: | openSUSE 13.1 | | |
URL: | https://smash.suse.de/issue/98099/ | | |
Whiteboard: | | | |
Found By: | Security Response Team | Services Priority: | |
Business Priority: | | Blocker: | --- |
Marketing QA Status: | --- | IT Deployment: | --- |

Description
Alexander Bergmann
2014-04-23 12:35:28 UTC

bugbot adjusting priority

On 16/06/2014 22:51, Sylvestre Ledru wrote:
> On 19/04/2014 05:29, cve-assign@mitre.org wrote:
>>> Jakub Wilk discovered that clang's scan-build utility insecurely handled
>>> temporary files.
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817
>>> The GetHTMLRunDir subroutine ...
>>> 3) The function doesn't fail if the directory already exists, even if
>>> it's owned by another user.
>> Use CVE-2014-2893.
>>
> I think I fixed it upstream:
> http://llvm.org/viewvc/llvm-project?view=revision&revision=211051
> http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-build/scan-build?r1=210971&r2=211051&pathrev=211051
>
Actual patch fixed:
http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-build/scan-build?r1=210971&r2=211053&pathrev=211053

Sorry about the noise
Sylvestre

Update submitted.

openSUSE-SU-2015:0245-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 874798
CVE References: CVE-2014-2893
Sources used:
openSUSE 13.1 (src): llvm-3.3-6.7.1
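
Item 3 of the quoted report (an existing directory is accepted even when another user owns it) is illustrated below. This is an added Python example, not scan-build's Perl code and not the upstream patch; the function names and paths are hypothetical, and the pre-existing paths are constructed fixtures.

```python
import os
import stat
import tempfile


def insecure_run_dir(path):
    """Pattern from the report: an existing directory is silently accepted."""
    os.makedirs(path, exist_ok=True)
    return path


def secure_run_dir(path):
    """Create path with mode 0700, or reuse it only if it is verifiably ours."""
    try:
        os.mkdir(path, 0o700)          # atomic: fails if anything already has this name
        return path
    except FileExistsError:
        pass
    st = os.lstat(path)                # lstat so a planted symlink is not followed
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path}: exists and is not a real directory")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}")
    if stat.S_IMODE(st.st_mode) & 0o022:
        raise PermissionError(f"{path}: writable by group or others")
    return path


def demo():
    """Run both variants against constructed pre-existing paths; return outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        loose = os.path.join(base, "run-loose")      # constructed: pre-created, world-writable
        os.mkdir(loose)
        os.chmod(loose, 0o777)
        link = os.path.join(base, "run-link")        # constructed: symlink planted at the name
        os.symlink(loose, link)
        for name, path in (("loose", loose), ("link", link)):
            results["insecure_" + name] = os.path.isdir(insecure_run_dir(path))
            try:
                secure_run_dir(path)
                results["secure_" + name] = "accepted"
            except PermissionError:
                results["secure_" + name] = "refused"
        fresh = secure_run_dir(os.path.join(base, "run-fresh"))
        results["fresh_mode"] = stat.S_IMODE(os.lstat(fresh).st_mode) & 0o077
        results["reuse_own"] = secure_run_dir(fresh) == fresh
    return results
```

Where the directory name does not need to be predictable, `tempfile.mkdtemp` creates a randomly named directory with mode 0700 in one step.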