Bugzilla – Bug 874798
VUL-0: CVE-2014-2893: llvm: insecure temporary file handling in clang's scan-build utility
Last modified: 2015-02-18 23:20:38 UTC
Jakub Wilk discovered that clang's scan-build utility insecurely handled temporary files. A local attacker could use this flaw to perform a symbolic link attack against users running the scan-build utility.
Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817
CVE-2014-2893 was assigned to this issue.
bugbot adjusting priority
On 16/06/2014 22:51, Sylvestre Ledru wrote:
> On 19/04/2014 05:29, email@example.com wrote:
>>> Jakub Wilk discovered that clang's scan-build utility insecurely handled
>>> temporary files.
>>> The GetHTMLRunDir subroutine ...
>>> 3) The function doesn't fail if the directory already exists, even if
>>> it's owned by another user.
>> Use CVE-2014-2893.
> I think I fixed it upstream:
Actual patch fixed:
Sorry about the noise
openSUSE-SU-2015:0245-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 874798
CVE References: CVE-2014-2893
openSUSE 13.1 (src): llvm-3.3-6.7.1