Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 720732 (CVE-2020-12050) - dev-db/sqliteodbc: Possible privilege escalation via insecure temporary file (CVE-2020-12050)
Summary: dev-db/sqliteodbc: Possible privilege escalation via insecure temporary file ...
Status: RESOLVED INVALID
Alias: CVE-2020-12050
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa masked cve]
Keywords: PMASKED
Depends on:
Blocks:
 
Reported: 2020-05-02 21:50 UTC by GLSAMaker/CVETool Bot
Modified: 2020-10-18 01:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-05-02 21:50:16 UTC
CVE-2020-12050 (https://nvd.nist.gov/vuln/detail/CVE-2020-12050):
  SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4,
  has a race condition leading to root privilege escalation because any user
  can replace a /tmp/sqliteodbc$$ file with new contents that cause loading of
  an arbitrary library.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-02 21:52:26 UTC
Need to check if Gentoo is affected.
Comment 2 David Seifert gentoo-dev 2020-08-29 16:45:46 UTC
(In reply to Sam James from comment #1)
> Need to check if Gentoo is affected.

Can't we just last-rite this package? It has tons of issues, no revdeps, and clearly has been abandoned.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-29 20:11:55 UTC
(In reply to David Seifert from comment #2)
> (In reply to Sam James from comment #1)
> > Need to check if Gentoo is affected.
> 
> Can't we just last-rite this package? It has tons of issues, no revdeps, and
> clearly has been abandoned.

Fine with me. On queue.
Comment 4 Larry the Git Cow gentoo-dev 2020-08-30 03:30:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e954ca77f07cb952813a22fba7aaa15a170f826

commit 9e954ca77f07cb952813a22fba7aaa15a170f826
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 03:29:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 03:29:37 +0000

    profiles/package.mask: last-rite dev-db/sqliteodbc
    
    Bug: https://bugs.gentoo.org/720732
    Bug: https://bugs.gentoo.org/729714
    Bug: https://bugs.gentoo.org/722644
    Bug: https://bugs.gentoo.org/724184
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
Comment 5 Larry the Git Cow gentoo-dev 2020-09-30 15:17:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28d92a57c3d9a23517bd8187d04c48717e90818c

commit 28d92a57c3d9a23517bd8187d04c48717e90818c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-09-30 15:12:31 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-30 15:17:15 +0000

    dev-db/sqliteodbc: remove last-rited package
    
    Bug: https://bugs.gentoo.org/720732
    Bug: https://bugs.gentoo.org/729714
    Bug: https://bugs.gentoo.org/722644
    Bug: https://bugs.gentoo.org/724184
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-db/sqliteodbc/Manifest                         |  1 -
 .../files/sqliteodbc-0.93-respect_LDFLAGS.patch    | 30 ----------------
 dev-db/sqliteodbc/metadata.xml                     |  5 ---
 dev-db/sqliteodbc/sqliteodbc-0.99.ebuild           | 41 ----------------------
 profiles/package.mask                              |  8 -----
 5 files changed, 85 deletions(-)
Comment 6 Thomas Deutschmann gentoo-dev 2020-10-18 01:44:41 UTC
Gentoo was not affected by this vulnerability. As seen in https://bugzilla.redhat.com/show_bug.cgi?id=1825762#c8, vulnerability is in *.spec file used by RPM-based package managers, not in the software itself.