CVE-2022-40299 (https://github.com/Singular/Singular/issues/1137):
In Singular before 4.3.1, a predictable /tmp pathname is used (e.g., by sdb.cc), which allows local users to gain the privileges of other users via a procedure in a file under /tmp. NOTE: this CVE Record is about sdb.cc and similar files in the Singular interface that have predictable /tmp pathnames; this CVE Record is not about the lack of a safe temporary-file creation capability in the Singular language.
https://github.com/Singular/Singular/commit/5f28fbf066626fa9c4a8f0e6408c0bb362fb386c
Maintainers: please remember to file security bugs for your packages.
Please stabilize a fixed version.
Please cleanup
We're a little bit hosed on this because new versions of singular have a conditional dependency on sci-mathematics/polymake which in turn has a conditional dependency on sci-libs/lrslib, and lrslib is busted on x86: bug #771675. As a result, we can't clean up the old stable singular-4.2.0_p1, which is stable on x86.
(In reply to Michael Orlitzky from comment #2)
> We're a little bit hosed on this because new versions of singular have a
> conditional dependency on sci-mathematics/polymake which in turn has a
> conditional dependency on sci-libs/lrslib, and lrslib is busted on x86: bug
> #771675.
>
> As a result, we can't clean up the old stable singular-4.2.0_p1, which is
> stable on x86.
Seems like we can through it if we drop x86 on lrslib, polymake, and singular?
(In reply to John Helmert III from comment #3)
> >
> > As a result, we can't clean up the old stable singular-4.2.0_p1, which is
> > stable on x86.
>
> Seems like we can through it if we drop x86 on lrslib, polymake, and
> singular?
No objection from me. I don't have the hardware any more, and don't know any real users of these packages who do either. My main interest in them is as dependencies of SageMath, but sci-mathematics/sage (in the sage-on-gentoo overlay) no longer has x86 keywords, so the number of affected people may be zero.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3115fc9dce17fb6575ce99575215501b27e2d907
commit 3115fc9dce17fb6575ce99575215501b27e2d907
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2022-12-23 15:05:43 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2022-12-23 15:20:48 +0000
    profiles/arch/x86: mask sci-mathematics/polymake[lrs].
    This will let us stabilize newer versions of polymake and a consumer,
    sci-mathematics/singular, on x86 where lrslib is flaky.
    Bug: https://bugs.gentoo.org/771675
    Bug: https://bugs.gentoo.org/832376
    Bug: https://bugs.gentoo.org/869362
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
 profiles/arch/x86/package.use.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
That USE mask should be enough to allow stabilization to proceed, and less disruptive. Once the new versions of bliss, polymake, and singular are stabilized on x86 I'll clean up.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fbdf6de119de19623465e6388140587811c6e26
commit 2fbdf6de119de19623465e6388140587811c6e26
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2022-12-23 23:23:34 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2022-12-23 23:26:32 +0000
    sci-mathematics/singular: drop 4.2.0_p1
    Bug: https://bugs.gentoo.org/869362
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
 sci-mathematics/singular/Manifest | 1 -
 .../files/singular-4.0.3-gfan_linking.patch | 13 ---
 .../files/singular-4.1.3-doc_install.patch | 62 ------------
 .../singular/files/singular-4.2.0-no-static.patch | 69 --------------
 .../singular/files/singular-4.2.1-htmldoc.patch | 43 ---------
 sci-mathematics/singular/singular-4.2.0_p1.ebuild | 104 ---------------------
 6 files changed, 292 deletions(-)
Thanks! No need for GLSA here as impact is low, if anything. All done.