CVE-2020-12050 (https://nvd.nist.gov/vuln/detail/CVE-2020-12050): SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4, has a race condition leading to root privilege escalation because any user can replace a /tmp/sqliteodbc$$ file with new contents that cause loading of an arbitrary library.
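The temp-file pattern the CVE text describes, as an added example and not the packaged %post scriptlet (whose exact contents this bug does not show): the predictable /tmp/sqliteodbc$$ name, which any local user can pre-create or race-replace before root's odbcinst reads it, beside a mktemp-based replacement and the symlink/ownership/mode check a privileged scriptlet should make before handing the file to a consumer. The ODBC stanza, the driver path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed example: the temp-file pattern behind CVE-2020-12050.
# Function names, the ODBC stanza and the library path are hypothetical.

# Insecure: a predictable name ($$ is the PID) in world-writable /tmp.
# Another user can create or overwrite this path between the time root
# writes it and the time root's consumer (odbcinst) reads the Driver= line.
insecure_template_path() {
    echo "/tmp/sqliteodbc$$"
}

# Hardened: a private directory from mktemp (unpredictable name, created
# atomically with mode 0700), and the template lives inside it.
secure_template_path() {
    dir=$(mktemp -d) || return 1
    printf '%s/driver.ini' "$dir"
}

# Write a constructed ODBC driver stanza with a restrictive umask so the
# file is created 0600 rather than inheriting the caller's umask.
write_template() {
    path=$1
    ( umask 077; cat > "$path" <<'EOF'
[SQLite3]
Description=SQLite3 ODBC Driver
Driver=/usr/lib/libsqlite3odbc.so
EOF
    )
}

# Refuse to consume the template unless it is a regular file (not a
# symlink), owned by us, and not writable by anyone else. Only then print
# the library path that the consumer would go on to dlopen.
check_template() {
    path=$1
    [ ! -L "$path" ] || { echo "refusing $path: symlink" >&2; return 1; }
    [ -f "$path" ]   || { echo "refusing $path: not a regular file" >&2; return 1; }
    [ -O "$path" ]   || { echo "refusing $path: not owned by us" >&2; return 1; }
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    case "$mode" in
        600|400) ;;
        *) echo "refusing $path: mode $mode allows other writers" >&2; return 1 ;;
    esac
    sed -n 's/^Driver=//p' "$path"
}

# Usage: build the template in a private location, verify, then consume.
if [ "${1:-}" = "demo" ]; then
    p=$(secure_template_path) && write_template "$p" && check_template "$p"
    rm -rf "$(dirname "$p")"
fi
```

The check matters even with mktemp: a scriptlet that validates the file it is about to hand to a root-run consumer fails closed if anything about the path's ownership or mode is not what it created.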
Need to check if Gentoo is affected.
(In reply to Sam James from comment #1)
> Need to check if Gentoo is affected.

Can't we just last-rite this package? It has tons of issues, no revdeps, and clearly has been abandoned.
(In reply to David Seifert from comment #2)
> (In reply to Sam James from comment #1)
> > Need to check if Gentoo is affected.
>
> Can't we just last-rite this package? It has tons of issues, no revdeps, and
> clearly has been abandoned.

Fine with me. On queue.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e954ca77f07cb952813a22fba7aaa15a170f826

commit 9e954ca77f07cb952813a22fba7aaa15a170f826
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 03:29:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 03:29:37 +0000

    profiles/package.mask: last-rite dev-db/sqliteodbc

    Bug: https://bugs.gentoo.org/720732
    Bug: https://bugs.gentoo.org/729714
    Bug: https://bugs.gentoo.org/722644
    Bug: https://bugs.gentoo.org/724184
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28d92a57c3d9a23517bd8187d04c48717e90818c

commit 28d92a57c3d9a23517bd8187d04c48717e90818c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-09-30 15:12:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-30 15:17:15 +0000

    dev-db/sqliteodbc: remove last-rited package

    Bug: https://bugs.gentoo.org/720732
    Bug: https://bugs.gentoo.org/729714
    Bug: https://bugs.gentoo.org/722644
    Bug: https://bugs.gentoo.org/724184
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/sqliteodbc/Manifest                         |  1 -
 .../files/sqliteodbc-0.93-respect_LDFLAGS.patch    | 30 ----------------
 dev-db/sqliteodbc/metadata.xml                     |  5 ---
 dev-db/sqliteodbc/sqliteodbc-0.99.ebuild           | 41 ----------------------
 profiles/package.mask                              |  8 -----
 5 files changed, 85 deletions(-)
Gentoo was not affected by this vulnerability. As seen in https://bugzilla.redhat.com/show_bug.cgi?id=1825762#c8, the vulnerability is in the *.spec file used by RPM-based package managers, not in the software itself.