{"id":"HSEC-2026-0006","summary":"Cabal deletes project source files during configure","details":"# Cabal deletes project source files during configure\n\nThe `checkDuplicateHeaders` function in `Distribution.Simple.Configure` removes\nheader files from the source directory when a header with the same name exists in\nboth the build directory and the source directory.\n\nThis behavior was introduced in commit `3a9830b` to resolve header precedence\nissues, as C compilers prefer relative includes over `-I` search paths. The\nworkaround uses `removeFile` on source directory files, which is destructive and\nshould not happen during a build process.\n\nWhile the current implementation does not follow symlinks explicitly, the\ndeletion of source files outside of the project  during a build operation is\npossible on Microsoft Windows.\n","modified":"2026-04-08T14:31:58.862411Z","published":"2026-04-08T14:23:27Z","database_specific":{"osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export","home":"https://github.com/haskell/security-advisories","repository":"https://github.com/haskell/security-advisories"},"references":[{"type":"REPORT","url":"https://github.com/haskell/cabal/issues/11176"},{"type":"INTRODUCED","url":"https://github.com/haskell/cabal/commit/3a9830bbdabef2f1009a69957966b778c7c1a9ee"}],"affected":[{"package":{"name":"Cabal","ecosystem":"Hackage","purl":"pkg:hackage/Cabal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.2"}]}],"versions":["2.2.0.0","2.2.0.1","2.4.0.0","2.4.0.1","2.4.1.0","3.0.0.0","3.0.1.0","3.0.2.0","3.10.1.0","3.10.2.0","3.10.2.1","3.10.3.0","3.12.0.0","3.12.1.0","3.14.0.0","3.14.1.0","3.14.1.1","3.14.2.0","3.16.0.0","3.16.1.0","3.2.0.0","3.2.1.0","3.4.0.0","3.4.1.0","3.6.0.0","3.6.1.0","3.6.2.0","3.6.3.0","3.8.1.0"],"database_specific":{"source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0006.json","human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0006.md","osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0006.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}],"schema_version":"1.7.5"}