r211051 - Check that the directory does not exist.

Sylvestre Ledru sylvestre at debian.org
Mon Jun 16 13:31:16 PDT 2014


Author: sylvestre
Date: Mon Jun 16 15:31:15 2014
New Revision: 211051

URL: http://llvm.org/viewvc/llvm-project?rev=211051&view=rev
Log:
Check that the directory does not exist.
Otherwise, it could allow local users to obtain sensitive information or
overwrite arbitrary files via a symlink attack on temporary directories with
predictable names. 

Reported as CVE-2014-2893 ( https://security-tracker.debian.org/tracker/CVE-2014-2893 )
Found by Jakub Wilk


Modified:
    cfe/trunk/tools/scan-build/scan-build

Modified: cfe/trunk/tools/scan-build/scan-build
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-build/scan-build?rev=211051&r1=211050&r2=211051&view=diff
==============================================================================
--- cfe/trunk/tools/scan-build/scan-build (original)
+++ cfe/trunk/tools/scan-build/scan-build Mon Jun 16 15:31:15 2014
@@ -206,6 +206,12 @@ sub GetHTMLRunDir {
   else {
     $NewDir = "$Dir/$DateString-$RunNumber";
   }
+
+  # Make sure that the directory does not exist in order to avoid hijack.
+  if (-d $NewDir) {
+      DieDiag("The directory '$NewDir' already exists.\n");
+  }
+
   mkpath($NewDir);
   return $NewDir;
 }
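
Review bot: the new -d $NewDir test and the mkpath($NewDir) call that follows it are two separate steps, so a local user who can write to $Dir can still create the path in the window between the check and the creation. -d is also false when the name exists as a plain file or a dangling symlink, so those cases fall through to mkpath without a diagnostic. Consider creating the final path component with a single mkdir($NewDir) and calling DieDiag when it returns false: mkdir fails if the name already exists, which makes the existence check and the creation one atomic operation. If the parent may be missing, mkpath($Dir) can still be used for it beforehand.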




