
Bug 720732 (CVE-2020-12050)

Summary: dev-db/sqliteodbc: Possible privilege escalation via insecure temporary file (CVE-2020-12050)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: maintainer-needed
Priority: Normal
Keywords: PMASKED
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa masked cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2020-05-02 21:50:16 UTC
CVE-2020-12050 (https://nvd.nist.gov/vuln/detail/CVE-2020-12050):
  SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4,
  has a race condition leading to root privilege escalation because any user
  can replace a /tmp/sqliteodbc$$ file with new contents that cause loading of
  an arbitrary library.
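The CVE text above describes the classic insecure-temp-file pattern: a predictable path in a world-writable directory, here /tmp/sqliteodbc$$, that a privileged script creates and later trusts. The following shell snippet is an added illustration, not code from this bug report, from the sqliteodbc project or from any distribution's spec file; it shows that pattern next to the mktemp-based form a packaging scriptlet should use, plus a check a script can run before trusting a temp file. The function names are hypothetical and it assumes GNU coreutils (mktemp, stat -c), as found on a Gentoo system.

```shell
#!/bin/sh
# Added illustration, not code from the bug report or from sqliteodbc.
# Assumes GNU coreutils (mktemp, stat -c) as found on a Gentoo system.

# The pattern the CVE text describes: a temp path under /tmp built from the
# PID ($$). The name is easy to guess and /tmp is world-writable, so another
# local user can create that path first (e.g. as a symlink, or with contents
# of their choosing) and have the privileged script act on it.
insecure_tmp_path() {
    printf '%s\n' "/tmp/sqliteodbc$$"
}

# Hardened replacement: mktemp picks an unpredictable name, creates the file
# with O_EXCL and mode 0600, and fails instead of reusing an existing entry.
# The caller keeps the returned path and removes the file when done.
secure_tmp_file() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/sqliteodbc.XXXXXX") || return 1
    printf '%s\n' "$tmp"
}

# Check that a temp file we are about to trust is a regular file (not a
# symlink), owned by the current user, and not group- or world-writable.
# Returns 0 when every check passes, 1 otherwise.
tmp_file_is_safe() {
    f=$1
    [ -f "$f" ] || return 1
    [ ! -L "$f" ] || return 1
    [ "$(stat -c %u "$f")" = "$(id -u)" ] || return 1
    case "$(stat -c %a "$f")" in
        *[2367]?) return 1 ;;   # group write bit set
        *[2367])  return 1 ;;   # other write bit set
    esac
    return 0
}

# Stand-alone demo: create a proper temp file, verify it, clean up.
demo() {
    f=$(secure_tmp_file) || return 1
    if tmp_file_is_safe "$f"; then
        echo "ok: $f passes the checks"
    else
        echo "unexpected: $f failed the checks"
    fi
    rm -f "$f"
}
demo
```

The ownership and mode checks are a second line of defence only; the fix that matters is never composing the path by hand, because a check-then-use sequence on a guessable name in /tmp is itself racy.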
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-02 21:52:26 UTC
Need to check if Gentoo is affected.
Comment 2 David Seifert gentoo-dev 2020-08-29 16:45:46 UTC
(In reply to Sam James from comment #1)
> Need to check if Gentoo is affected.

Can't we just last-rite this package? It has tons of issues, no revdeps, and clearly has been abandoned.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-29 20:11:55 UTC
(In reply to David Seifert from comment #2)
> (In reply to Sam James from comment #1)
> > Need to check if Gentoo is affected.
> 
> Can't we just last-rite this package? It has tons of issues, no revdeps, and
> clearly has been abandoned.

Fine with me. On queue.
Comment 4 Larry the Git Cow gentoo-dev 2020-08-30 03:30:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e954ca77f07cb952813a22fba7aaa15a170f826

commit 9e954ca77f07cb952813a22fba7aaa15a170f826
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 03:29:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 03:29:37 +0000

    profiles/package.mask: last-rite dev-db/sqliteodbc
    
    Bug: https://bugs.gentoo.org/720732
    Bug: https://bugs.gentoo.org/729714
    Bug: https://bugs.gentoo.org/722644
    Bug: https://bugs.gentoo.org/724184
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2020-09-30 15:17:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28d92a57c3d9a23517bd8187d04c48717e90818c

commit 28d92a57c3d9a23517bd8187d04c48717e90818c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-09-30 15:12:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-30 15:17:15 +0000

    dev-db/sqliteodbc: remove last-rited package
    
    Bug: https://bugs.gentoo.org/720732
    Bug: https://bugs.gentoo.org/729714
    Bug: https://bugs.gentoo.org/722644
    Bug: https://bugs.gentoo.org/724184
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/sqliteodbc/Manifest                         |  1 -
 .../files/sqliteodbc-0.93-respect_LDFLAGS.patch    | 30 ----------------
 dev-db/sqliteodbc/metadata.xml                     |  5 ---
 dev-db/sqliteodbc/sqliteodbc-0.99.ebuild           | 41 ----------------------
 profiles/package.mask                              |  8 -----
 5 files changed, 85 deletions(-)
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-10-18 01:44:41 UTC
Gentoo was not affected by this vulnerability. As seen in https://bugzilla.redhat.com/show_bug.cgi?id=1825762#c8, the vulnerability is in the *.spec file used by RPM-based package managers, not in the software itself.