Bug 1171041 - (CVE-2020-12050) VUL-1: CVE-2020-12050: Packaging vulnerability in sqliteODBC exposing to local privilege escalation to root
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Hardware: Other; OS: Other
Priority: P4 - Low; Severity: Normal
Assigned To: Martin Pluskal
https://smash.suse.de/issue/258896/
Reported: 2020-05-04 08:36 UTC by Alexandros Toptsoglou
Modified: 2020-07-14 12:50 UTC
Description Alexandros Toptsoglou 2020-05-04 08:36:31 UTC
CVE-2020-12050

SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.9996-4, has a race condition leading to root privilege escalation because any user can replace a /tmp/sqliteodbc$$ file with new contents that cause loading of an arbitrary library.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1825762
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12050
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-12050.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12050
http://www.ch-werner.de/sqliteodbc/
https://sysdream.com/news/lab/
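
An added example, not part of the original report or of the sqliteODBC packaging: a check that flags package scriptlet lines using a fixed name plus the shell PID (`$$`) under /tmp, the naming pattern described above, next to an mktemp-based form that passes. Both scriptlet bodies, the driver path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag scriptlet lines that build a
# temp path from a fixed name plus the shell PID ($$) under /tmp.

# Reads scriptlet text on stdin, prints "lineno:line" for each risky line.
find_predictable_tmp() {
    grep -nE '/tmp/[A-Za-z0-9_.-]*\$\$' || true
}

# Constructed %post body using the /tmp/sqliteodbc$$ naming from the CVE text.
sample_vulnerable() {
    cat <<'EOF'
# %post (constructed sample)
INST=/tmp/sqliteodbc$$
cat > $INST <<EOD
[SQLITE3]
Driver=/usr/lib64/libsqlite3odbc.so
EOD
odbcinst -i -d -f $INST
rm -f $INST
EOF
}

# Constructed hardened form: mktemp creates the file exclusively, with mode
# 0600 and a random suffix, so the path cannot be predicted or pre-created.
sample_hardened() {
    cat <<'EOF'
# %post (constructed sample)
INST=$(mktemp /tmp/sqliteodbc.XXXXXX) || exit 1
trap 'rm -f "$INST"' EXIT
cat > "$INST" <<EOD
[SQLITE3]
Driver=/usr/lib64/libsqlite3odbc.so
EOD
odbcinst -i -d -f "$INST"
EOF
}

echo "vulnerable sample:"; sample_vulnerable | find_predictable_tmp
echo "hardened sample:";   sample_hardened   | find_predictable_tmp
```

On an installed system, `rpm -q --scripts sqliteodbc | find_predictable_tmp` applies the same check to the package's real scriptlets.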
Comment 1 Swamp Workflow Management 2020-05-04 12:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1171041) was mentioned in
https://build.opensuse.org/request/show/800028 Factory / sqliteodbc
https://build.opensuse.org/request/show/800029 Backports:SLE-15-SP1 / sqliteodbc
https://build.opensuse.org/request/show/800030 15.1 / sqliteodbc
Comment 2 Swamp Workflow Management 2020-05-05 16:35:11 UTC
openSUSE-SU-2020:0612-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1171041
CVE References: CVE-2020-12050
Sources used:
openSUSE Backports SLE-15-SP1 (src):    sqliteodbc-0.9996-bp151.4.3.1
Comment 3 Swamp Workflow Management 2020-05-11 09:26:06 UTC
openSUSE-SU-2020:0628-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1171041
CVE References: CVE-2020-12050
Sources used:
openSUSE Leap 15.1 (src):    sqliteodbc-0.9996-lp151.3.3.1
Comment 4 Martin Pluskal 2020-07-14 12:50:57 UTC
Fixed