Bug#744817: marked as done (clang-3.5: CVE-2014-2893: scan-build: insecure use of /tmp)

Tue, 17 Jun 2014 00:04:25 -0700 

Your message dated Tue, 17 Jun 2014 06:50:17 +0000
with message-id <[email protected]>
and subject line Bug#744817: fixed in llvm-toolchain-3.4 1:3.4.2-2
has caused the Debian Bug report #744817,
regarding clang-3.5: CVE-2014-2893: scan-build: insecure use of /tmp
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
744817: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: clang-3.5
Version: 1:3.5~svn201651-1
Severity: important
Tags: security
The GetHTMLRunDir subroutine creates temporary directories in an insecure way: 

1) The directory name is easily predictable:

 if (!defined $Dir) {
   $Dir = $ENV{'TMPDIR'} || $ENV{'TEMP'} || $ENV{'TMP'} || "/tmp";
   $TmpMode = 1;
 }
 # [...]
 my $TimeString = sprintf("%02d%02d%02d", $hour, $min, $sec);
 my $DateString = sprintf("%d-%02d-%02d-%s-$$",
                          $year, $month, $day, $TimeString);
 # [...]
 if ($TmpMode) {
   $NewDir = "$Dir/$Prog-$DateString-$RunNumber";
 }

2) The directory is created with default permissions (instead of 0700).
3) The function doesn't fail if the directory already exists, even if it's owned by another user. Now, the upstream intention was to always choose a directory that doesn't exist, but the logic is broken: 

   foreach my $f (@FILES) {
     # Strip the prefix '$Prog-' if we are dumping files to /tmp.
     if ($TmpMode) {
       next if (!($f =~ /^$Prog-(.+)/));
       $f = $1;
     }
     my @x = split/-/, $f;
     next if (scalar(@x) != 4);
     next if ($x[0] != $year);
     next if ($x[1] != $month);
     next if ($x[2] != $day);
     next if ($x[3] != $TimeString);
     next if ($x[4] != $$);
     if ($x[5] > $max) {
       $max = $x[5];
     }
   }
   $RunNumber = $max + 1;
But, for files that could be created by GetHTMLRunDir, scalar(@x) is 6, not 4, so the loop is mostly no-op. (Even if the loop was implemented correctly, there would still be race window between when the directory name is chosen and when it is created.)
This bug can be exploited by malicious local user for denial of service, information disclosure, or to overwrite arbitrary files via symlink attack. 

--
Jakub Wilk

--- End Message ---
--- Begin Message --- 
Source: llvm-toolchain-3.4
Source-Version: 1:3.4.2-2

We believe that the bug you reported is fixed in the latest version of
llvm-toolchain-3.4, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sylvestre Ledru <[email protected]> (supplier of updated llvm-toolchain-3.4 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 16 Jun 2014 23:00:47 +0200
Source: llvm-toolchain-3.4
Binary: clang-3.4 clang-format-3.4 cpp11-migrate-3.4 clang-modernize-3.4 
clang-3.4-doc libclang1-3.4 libclang1-3.4-dbg libclang-3.4-dev 
libclang-common-3.4-dev python-clang-3.4 clang-3.4-examples libllvm3.4 
libllvm3.4-dbg llvm-3.4 llvm-3.4-runtime llvm-3.4-dev llvm-3.4-tools 
libllvm-3.4-ocaml-dev llvm-3.4-doc llvm-3.4-examples lldb-3.4 lldb-3.4-dev
Architecture: source amd64 all
Version: 1:3.4.2-2
Distribution: unstable
Urgency: medium
Maintainer: LLVM Packaging Team <[email protected]>
Changed-By: Sylvestre Ledru <[email protected]>
Description:
 clang-3.4  - C, C++ and Objective-C compiler (LLVM based)
 clang-3.4-doc - C, C++ and Objective-C compiler (LLVM based) - Documentation
 clang-3.4-examples - Clang examples
 clang-format-3.4 - Tool to format C/C++/Obj-C code
 clang-modernize-3.4 - Tool to convert C++98 and C++03 code to C++11
 cpp11-migrate-3.4 - Tool to convert C++98 and C++03 code to C++11
 libclang-3.4-dev - clang library - Development package
 libclang-common-3.4-dev - clang library - Common development package
 libclang1-3.4 - C interface to the clang library
 libclang1-3.4-dbg - clang library
 libllvm-3.4-ocaml-dev - Modular compiler and toolchain technologies, OCaml 
bindings
 libllvm3.4 - Modular compiler and toolchain technologies, runtime library
 libllvm3.4-dbg - Modular compiler and toolchain technologies, debugging 
libraries
 lldb-3.4   - Next generation, high-performance debugger
 lldb-3.4-dev - Next generation, high-performance debugger - Header files
 llvm-3.4   - Modular compiler and toolchain technologies
 llvm-3.4-dev - Modular compiler and toolchain technologies, libraries and 
header
 llvm-3.4-doc - Modular compiler and toolchain technologies, documentation
 llvm-3.4-examples - Modular compiler and toolchain technologies, examples
 llvm-3.4-runtime - Modular compiler and toolchain technologies, IR interpreter
 llvm-3.4-tools - Modular compiler and toolchain technologies, tools
 python-clang-3.4 - Clang Python Bindings
Closes: 744817
Changes:
 llvm-toolchain-3.4 (1:3.4.2-2) unstable; urgency=medium
 .
   * Improve the CVE-2014-2893 fix (Closes: #744817)
   * Add a check to avoid an error on arch where compiler-rt is not available
Checksums-Sha1:
 9b1b8e5dad31512afb5e5cd99a37cf3c79724634 5498 llvm-toolchain-3.4_3.4.2-2.dsc
 550194eee9f648a82fa4618c7c1bd10ab54ddcde 45400 
llvm-toolchain-3.4_3.4.2-2.debian.tar.xz
 d129b4235e5f8f7219247826ded189d31e9456e2 19176500 clang-3.4_3.4.2-2_amd64.deb
 55f16ab9717b4934be594921165e4fa99441bfd8 3193464 
clang-format-3.4_3.4.2-2_amd64.deb
 737559bf67d2a30bee08a6904a774250e1ea1dc9 12160 
cpp11-migrate-3.4_3.4.2-2_amd64.deb
 0ce71e3bb171c018286d31b71915bfee0727e61e 3384770 
clang-modernize-3.4_3.4.2-2_amd64.deb
 24eab2f793c2a1ca7513b9092239efcfe437117c 471818 clang-3.4-doc_3.4.2-2_all.deb
 17da45f544a502144dfda2a50270ccb6d6afe903 3619306 
libclang1-3.4_3.4.2-2_amd64.deb
 5586e944f34a7773e43741203a975f75af3df0c0 91097294 
libclang1-3.4-dbg_3.4.2-2_amd64.deb
 d395c9f3dee523600beb7bdce6453ff84b20c01f 8328072 
libclang-3.4-dev_3.4.2-2_amd64.deb
 6c80d85f0947cc736982f5c50a1e1353a744bfaf 543498 
libclang-common-3.4-dev_3.4.2-2_amd64.deb
 5d68072771f0819d6465d04a04de051d5ebf3858 33416 
python-clang-3.4_3.4.2-2_amd64.deb
 b747fac045b2f46a7a5a1ce5e711eae3c28db06d 17950 
clang-3.4-examples_3.4.2-2_amd64.deb
 ce9025afb6052112ad6b2535dc91283c70faaffb 6721480 libllvm3.4_3.4.2-2_amd64.deb
 1adde520ac9075e16c1bb19396b2e1d63f754960 110682538 
libllvm3.4-dbg_3.4.2-2_amd64.deb
 24114c6d8af18c7577d61c0c0cb880c2409d4112 1101928 llvm-3.4_3.4.2-2_amd64.deb
 f6f4c08d5e6bd6315f08a268c304abd7d748a8fc 46382 
llvm-3.4-runtime_3.4.2-2_amd64.deb
 da983b80edc4cdff6e0b59524bf1a04979e1e52d 10173772 
llvm-3.4-dev_3.4.2-2_amd64.deb
 91333d0d3e1082e5f0e3d9e6591a9e4a9c799e4d 210508 
llvm-3.4-tools_3.4.2-2_amd64.deb
 30c00547aec0687194545b1f5a4470f4997b8f25 284390 
libllvm-3.4-ocaml-dev_3.4.2-2_amd64.deb
 00fa6ad228011f52d4bf7c18533c3eb2a66fcafd 1294696 llvm-3.4-doc_3.4.2-2_all.deb
 9b59ecf0c5dfa8db7156f3713a0d04e6d311639e 176566 
llvm-3.4-examples_3.4.2-2_all.deb
 ceec100095671637228e88e687803329d2b1c3a9 6316154 lldb-3.4_3.4.2-2_amd64.deb
 4b7b69f170b1b233e455a4f5d2655d5657c8142c 3192684 lldb-3.4-dev_3.4.2-2_amd64.deb
Checksums-Sha256:
 45526d45566bdf6a1a361dc94c490a542e4cc18a40e31c99157760aaeb86cb23 5498 
llvm-toolchain-3.4_3.4.2-2.dsc
 ce2308146173aa5a90e32e2bdbc23e27d5b8dcb71a7fb4f4da86b25a7935904d 45400 
llvm-toolchain-3.4_3.4.2-2.debian.tar.xz
 684fb30a0beba003a6bdd09871c6570f711e057d4796c39ad9318f12fa78bdad 19176500 
clang-3.4_3.4.2-2_amd64.deb
 1805aaae1f79445e9a313ee141454b5eb84f4098d3cf396e229a07609f4e4dda 3193464 
clang-format-3.4_3.4.2-2_amd64.deb
 a478c95c24bfe43c40e867fbde353605639cd4baecbd31e0b16c3bc13e5f18a5 12160 
cpp11-migrate-3.4_3.4.2-2_amd64.deb
 a57f76272ace32e5a25ba749b3dfc206115dae7d689f88034a146b443fea3065 3384770 
clang-modernize-3.4_3.4.2-2_amd64.deb
 9ff0d4c324f5b87f848c3ac03015369b8d843e6e6abe2c9d0793af496ed9b2f7 471818 
clang-3.4-doc_3.4.2-2_all.deb
 cff9cc4e168ec01790dfa4968eac21eea28080bee21773cabccdb43f0e011aff 3619306 
libclang1-3.4_3.4.2-2_amd64.deb
 29ca0f0357c4825722129eea5776ce3fed49abfef963be1df7ca5f0bde6be127 91097294 
libclang1-3.4-dbg_3.4.2-2_amd64.deb
 095dc78be65e179f71520a3de9e53e652c1792de34531d12d906a7f017075aaa 8328072 
libclang-3.4-dev_3.4.2-2_amd64.deb
 35318129e13d03935093a5f9d6ac8239badc5c3c8e10503cbedc6fdd106db556 543498 
libclang-common-3.4-dev_3.4.2-2_amd64.deb
 123d56ce714731495544ff800b2a120edd50b00feb70ac7c46f73345fba2ee69 33416 
python-clang-3.4_3.4.2-2_amd64.deb
 275233934babb3e1b63ffc39b00bd6d3acbf7e682f62ea20cf71e72ff60c5a8b 17950 
clang-3.4-examples_3.4.2-2_amd64.deb
 a15ec5bc10a0a9ce1d03f3597b948d242c6a7d3493f94abbf4803c9f7d7e03ba 6721480 
libllvm3.4_3.4.2-2_amd64.deb
 9e7172c7c820443cb470d32789cb7f85a4aa2d08b43d606d9d7d4b1357a22b98 110682538 
libllvm3.4-dbg_3.4.2-2_amd64.deb
 975db200e4a48062f18dae395d92dae82484c07fe5b3b4131e2f6d77cdf0c673 1101928 
llvm-3.4_3.4.2-2_amd64.deb
 40b8048573bf07cb73662478023def2cae795b8e387761764e6bf791bd060590 46382 
llvm-3.4-runtime_3.4.2-2_amd64.deb
 6889f455b75360e42a264e43085682764c378d97449a574d0773213a0fab1543 10173772 
llvm-3.4-dev_3.4.2-2_amd64.deb
 c435a62b4a61ed03180cd0fce50dc4f73009ffd61fb8ae81a4c8146381f09d6e 210508 
llvm-3.4-tools_3.4.2-2_amd64.deb
 d6d3bf6f6b28607fadf2099637bd467a9fc91f826768a23d59e17f5eea160edf 284390 
libllvm-3.4-ocaml-dev_3.4.2-2_amd64.deb
 b38d566679fb49a4170a6457248ec00f3d754f0e87d4b786524b263abbd18b47 1294696 
llvm-3.4-doc_3.4.2-2_all.deb
 7f99aab25359bbaa257db0ff99501002266c1d7d9f8f54bf560fa6c118543e4e 176566 
llvm-3.4-examples_3.4.2-2_all.deb
 dccbee56ae3b40960386a43dfad896a0da513c6e11070404e9c946f67c99901b 6316154 
lldb-3.4_3.4.2-2_amd64.deb
 e3e1911fd782a3ce99f0dcdddfc61f59048469fb2dec7cbaeaf1acc5cee9de7a 3192684 
lldb-3.4-dev_3.4.2-2_amd64.deb
Files:
 eeed3ad92d2a38aeacee17ece75330b9 19176500 devel optional 
clang-3.4_3.4.2-2_amd64.deb
 8a1c88477c2817b2d2c00c9f892f8d38 3193464 devel optional 
clang-format-3.4_3.4.2-2_amd64.deb
 94de40e65d50411ada03c86087a7cce6 12160 devel optional 
cpp11-migrate-3.4_3.4.2-2_amd64.deb
 755051abb5073c7b3e69ae67dbac596d 3384770 devel optional 
clang-modernize-3.4_3.4.2-2_amd64.deb
 c8778c71310cec9f1506dabcb9403353 471818 doc optional 
clang-3.4-doc_3.4.2-2_all.deb
 4d2e7a8907074aa6e17e9113288c20ee 3619306 devel optional 
libclang1-3.4_3.4.2-2_amd64.deb
 4518bdee6860be3eb6faf6cb8f231363 91097294 debug extra 
libclang1-3.4-dbg_3.4.2-2_amd64.deb
 09f9b8441b04a09e10c120fa98d72f9d 8328072 libdevel optional 
libclang-3.4-dev_3.4.2-2_amd64.deb
 be8af1d44491d503b6679dcc47f368ab 543498 libdevel optional 
libclang-common-3.4-dev_3.4.2-2_amd64.deb
 3a7b0ed631fcad98a9cdb197f2910a63 33416 python optional 
python-clang-3.4_3.4.2-2_amd64.deb
 9c74ffde73d3fb5c94ec1a62889d8501 17950 doc optional 
clang-3.4-examples_3.4.2-2_amd64.deb
 2dd45e1f08a2acb391e4965cd7e59d8d 6721480 libs optional 
libllvm3.4_3.4.2-2_amd64.deb
 554751db1e452a2677ca7a32c0c9ea21 110682538 debug extra 
libllvm3.4-dbg_3.4.2-2_amd64.deb
 e2984d5bc206e4bd12ed5bc49b796d05 1101928 devel optional 
llvm-3.4_3.4.2-2_amd64.deb
 1b12c272d3f3604a988cb5a122a273c1 46382 devel optional 
llvm-3.4-runtime_3.4.2-2_amd64.deb
 6aae0fd5a2cc135f5c3623e83ae01a63 10173772 devel optional 
llvm-3.4-dev_3.4.2-2_amd64.deb
 380617082dfd59d27c6e317666813b04 210508 devel optional 
llvm-3.4-tools_3.4.2-2_amd64.deb
 e21a6924bff199b19b3c4a8a29ab6cfc 284390 ocaml optional 
libllvm-3.4-ocaml-dev_3.4.2-2_amd64.deb
 eeee6828e9f66a4e926626c89d46a1aa 1294696 doc optional 
llvm-3.4-doc_3.4.2-2_all.deb
 1f540dbf123093beba5cc236f69a4318 176566 doc optional 
llvm-3.4-examples_3.4.2-2_all.deb
 bc1972de1d72f96c72cf6bd68658e95c 6316154 devel optional 
lldb-3.4_3.4.2-2_amd64.deb
 25413e2b1aad54a51c2989ff8968a996 3192684 devel optional 
lldb-3.4-dev_3.4.2-2_amd64.deb
 c057eb6d2ebf345838e9ea73bf7abab8 5498 devel optional 
llvm-toolchain-3.4_3.4.2-2.dsc
 8f3d530c6d4cef0f4d35afc082a7af08 45400 devel optional 
llvm-toolchain-3.4_3.4.2-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJTn+OTAAoJEH5lKNp1LxvhB80P/AqemmUCtP0qrZO3VkK7BhAf
pPNytAaCaIiwgMhJVJ2GTXF7xof8IFxvwoWZkr6blNV4XzQAFqoNN6sgHnxdmrIY
Q8Ozgylz/sJYxNwyCsjYXYdbrbWBp/e3AQ1E4MCrnhzq+tq8CtwccQyPHiwZ6e6x
F7tkFSusiBrnLr+pUsnYjo6HAww8ExBcfKEpeQIUbIBuaONv34sVt7ed7AhhCvnW
5+iBPaoAwCQV3FOgSS9wUT28lBvZGNMG9TsNnkhalu/bZlKxlnL9aFxtjxwtUUjO
ga9wNbYrx5FawnfcxDd+4xV4D83otRWlZk7WXma7fTgtGt+dt6WfPj7KMoeh+s7L
tp1B0K3A3ppOTEoY+ZGthRVSvb7TpWGOYNeqBQO7TMT+Xu3k4xz6X/qSIpv5BBiD
BwMBrmokXRUerNq0ML0Siw3Eek0lnQizLJW00JHw6U5T54OXknHB47McWFDG/xl+
K7p7qlkw0ze90GbZnI8psgckRn8fpioSAXOSXG9W6SXelBvp4YDytSUN0qCHTt6y
hftD52/TAWSxgCM7qp37EZ6QNyRRr3s1YZdsqm6/e0Qd+U+l5t5dnRm86hTnUCdT
u/03k+ZM31prsqso0M1xlqVmD2Ex1OcE0clm+W+bdrr/NWKFAQhr+7SPBmWFxR68
Od4vYOZdlDvlaseYk6sG
=kYRd
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to