Jakub Wilk discovered that clang's scan-build utility insecurely handled temporary files. A local attacker could use this flaw to perform a symbolic link attack against users running the scan-build utility. Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744817
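Added example (not from the bug report or the upstream scan-build fix): a POSIX shell sketch of the pattern behind this class of bug, contrasting a predictable output path under a shared /tmp with a private directory from mktemp(1), plus a check that refuses to write through a symbolic link. The function names and the "scan-build-output" path are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not code from scan-build or from the bug report.
set -eu

# Unsafe pattern (hypothetical name): a fixed, predictable path in a
# world-writable directory. Any local user can pre-create that name, so a
# later write by another user may not land where the program expects.
unsafe_output_path() {
    printf '%s\n' "${TMPDIR:-/tmp}/scan-build-output"
}

# Safe pattern: mktemp -d creates a fresh directory with an unpredictable
# name and mode 0700, and fails instead of reusing an existing entry.
safe_output_dir() {
    mktemp -d "${TMPDIR:-/tmp}/scan-build-XXXXXXXX"
}

# Defensive write: refuse if the final path component is a symbolic link.
# Returns 0 after writing, 1 if the target is a symlink.
write_if_not_symlink() {
    target=$1
    if [ -L "$target" ]; then
        return 1
    fi
    printf 'report\n' > "$target"
}
```

Usage: call safe_output_dir once per run, keep everything under that directory, and remove it when done; the mode check in the test below is what distinguishes the private directory from a shared one.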
This issue affects the llvm package in Fedora and EPEL. python-llvmpy and mingw-llvm are not affected.
Created llvm tracking bugs for this issue:
Affects: fedora-all [bug 1088107]
Affects: epel-6 [bug 1088108]
CVE request: http://www.openwall.com/lists/oss-security/2014/04/16/2
MITRE assigned CVE-2014-2893 to this issue: http://seclists.org/oss-sec/2014/q2/144
Upstream fix: http://llvm.org/viewvc/llvm-project/cfe/trunk/tools/scan-build/scan-build?r1=210971&r2=211053&pathrev=211053
llvm-3.4.2-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
llvm-3.4.2-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.