Bug 27740 - sqliteodbc new security issue CVE-2020-12050
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Joseph Wang
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-04 13:43 CET by Zombie Ryushu
Modified: 2020-12-07 12:03 CET

See Also:
Source RPM: sqliteodbc-0.9996-1.mga8.src.rpm
CVE: CVE-2020-12050
Status comment:



Description Zombie Ryushu 2020-12-04 13:43:42 CET
SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4, has a race condition leading to root privilege escalation because any user can replace a /tmp/sqliteodbc$$ file with new contents that cause loading of an arbitrary library.
Zombie Ryushu 2020-12-04 13:43:59 CET

CVE: (none) => CVE-2020-12050

Comment 1 David Walser 2020-12-04 13:49:48 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12050

Summary: sqliteodbc security issue CVE-2020-12050 => sqliteodbc new security issue CVE-2020-12050
Source RPM: sqliteodbc-0.9996-1.mga8.src => sqliteodbc-0.9996-1.mga8.src.rpm

Comment 2 Aurelien Oudelet 2020-12-07 10:32:16 CET
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => joequant
CC: (none) => ouaurelien

Comment 3 Joseph Wang 2020-12-07 10:59:56 CET
Not a problem.  This was a problem in the rpm file, and we have a version of the rpm spec file that already contains the fix.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 4 David Walser 2020-12-07 12:03:48 CET
Then it's INVALID.  Thanks.

Resolution: FIXED => INVALID
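
The race in the description depends on a file name under /tmp that any local user can compute in advance. The shell functions below are an added example, not code from this bug report or from the sqliteodbc package: they put that naming pattern next to a `mktemp`-based replacement and an ownership check to run before a privileged step reads the file. All function names and the staged sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed names: SAMPLE_INI, predictable_tmp, private_tmp,
# safe_to_consume, write_driver_ini.

# Constructed stand-in for the data a root-run install script would stage.
SAMPLE_INI='[SAMPLE]
Driver=/usr/lib/libexample.so'

# Pattern from the CVE text: /tmp/sqliteodbc plus the shell PID. The name can
# be computed in advance and /tmp is writable by every local user.
predictable_tmp() {
    printf '/tmp/sqliteodbc%s\n' "$$"
}

# Hardened: mktemp picks a random suffix and creates the file exclusively
# with mode 0600, failing instead of reusing an existing path.
private_tmp() {
    mktemp "${TMPDIR:-/tmp}/sqliteodbc.XXXXXXXXXX"
}

# Check before a privileged step reads a staged file: it must be a regular
# file (not a symlink), owned by us, and not writable by group or other.
safe_to_consume() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Stage the data in a private file, verify it, and print the path.
write_driver_ini() {
    f=$(private_tmp) || return 1
    printf '%s\n' "$SAMPLE_INI" > "$f" || { rm -f "$f"; return 1; }
    if safe_to_consume "$f"; then
        printf '%s\n' "$f"
    else
        rm -f "$f"
        return 1
    fi
}
```

The caller is responsible for removing the path that `write_driver_ini` prints once the privileged step has finished with it.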

