Bug 27740

Summary: sqliteodbc new security issue CVE-2020-12050
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: Joseph Wang <joequant>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: ouaurelien
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-12050
Whiteboard:
Source RPM: sqliteodbc-0.9996-1.mga8.src.rpm CVE: CVE-2020-12050
Status comment:

Description Zombie Ryushu 2020-12-04 13:43:42 CET 
SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4, has a race condition leading to root privilege escalation because any user can replace a /tmp/sqliteodbc$$ file with new contents that cause loading of an arbitrary library.
Zombie Ryushu 2020-12-04 13:43:59 CET

CVE: (none) => CVE-2020-12050

Comment 1 David Walser 2020-12-04 13:49:48 CET 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12050

Summary: sqliteodbc security issue CVE-2020-12050 => sqliteodbc new security issue CVE-2020-12050
Source RPM: sqliteodbc-0.9996-1.mga8.src => sqliteodbc-0.9996-1.mga8.src.rpm

Comment 2 Aurelien Oudelet 2020-12-07 10:32:16 CET 
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => joequant
CC: (none) => ouaurelien

Comment 3 Joseph Wang 2020-12-07 10:59:56 CET 
Not a problem.  This was a problem in the rpm file, and we have a version of the rpm spec file that already contains the fix.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 4 David Walser 2020-12-07 12:03:48 CET 
Then it's INVALID.  Thanks.

Resolution: FIXED => INVALID