hsec-2026-0006
Vulnerability from osv_haskell
Published
2026-04-08 14:23
Modified
2026-04-08 14:23
Summary
Cabal deletes project source files during configure
Details
Cabal deletes project source files during configure
The checkDuplicateHeaders function in Distribution.Simple.Configure removes
header files from the source directory when a header with the same name exists in
both the build directory and the source directory.
This behavior was introduced in commit 3a9830b to resolve header precedence
issues, as C compilers prefer relative includes over -I search paths. The
workaround uses removeFile on source directory files, which is destructive and
should not happen during a build process.
While the current implementation does not follow symlinks explicitly, the deletion of source files outside of the project during a build operation is possible on Microsoft Windows.
References
| URL | Type | |
|---|---|---|
{
"affected": [
{
"database_specific": {
"human_link": "https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0006.md",
"osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0006.json"
},
"package": {
"ecosystem": "Hackage",
"name": "Cabal"
},
"ranges": [
{
"events": [
{
"introduced": "2.2"
}
],
"type": "ECOSYSTEM"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
],
"database_specific": {
"home": "https://github.com/haskell/security-advisories",
"osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
"repository": "https://github.com/haskell/security-advisories"
},
"details": "# Cabal deletes project source files during configure\n\nThe `checkDuplicateHeaders` function in `Distribution.Simple.Configure` removes\nheader files from the source directory when a header with the same name exists in\nboth the build directory and the source directory.\n\nThis behavior was introduced in commit `3a9830b` to resolve header precedence\nissues, as C compilers prefer relative includes over `-I` search paths. The\nworkaround uses `removeFile` on source directory files, which is destructive and\nshould not happen during a build process.\n\nWhile the current implementation does not follow symlinks explicitly, the\ndeletion of source files outside of the project during a build operation is\npossible on Microsoft Windows.\n",
"id": "HSEC-2026-0006",
"modified": "2026-04-08T14:23:27Z",
"published": "2026-04-08T14:23:27Z",
"references": [
{
"type": "REPORT",
"url": "https://github.com/haskell/cabal/issues/11176"
},
{
"type": "INTRODUCED",
"url": "https://github.com/haskell/cabal/commit/3a9830bbdabef2f1009a69957966b778c7c1a9ee"
}
],
"schema_version": "1.5.0",
"summary": "Cabal deletes project source files during configure"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…