[EPEL-devel] Retiring flintqs in EPEL7/8/9

Mon, 17 Apr 2023 09:50:56 -0700

As previously proposed on the epel-devel mailing list, and in accordance with the EPEL Retirement Policy: Process: Security Reasons[1], I will be retiring the flintqs package in EPEL7, EPEL8, and EPEL9 today.
When I took over maintenance of the flintqs package[2]—which contains William Hart’s quadratic sieve implementation, as modified for sagemath—I built it for EPEL7, EPEL8, and EPEL9. My thoughts were, “Why not? Someone might find it useful.” 


It was recently pointed out[3][4] that the flintqs command-line tool 
uses temporary files in unsafe ways[5], which could potentially 
represent an exploitable security vulnerability; this has been assigned 
CVE-2023-29465[6].



There is no immediate patch available; while one could surely be 
constructed, the sagemath project plans to incorporate the factorization 
algorithm directly in sagemath and discontinue support of the vulnerable 
command-line tool rather than fixing it[7].



Since sagemath is not packaged in any of the EPEL releases, and flintqs 
is therefore a leaf package, I am handling this security report by 
retiring flintqs in all three EPELs.



Anyone who does need FlintQS on EL will need to consider their security 
threat model, then build it from source—either by cloning the upstream 
GitHub repository, or, for the time being, by rebuilding the Fedora 
source RPM. Note, however, that the Fedora package will also be retired 
as soon as it is no longer needed by sagemath.



[1] 
https://docs.fedoraproject.org/en-US/epel/epel-policy-retirement/#process_security_reasons


[2] https://src.fedoraproject.org/rpms/flintqs

[3] https://bugzilla.redhat.com/show_bug.cgi?id=2185301

[4] https://github.com/sagemath/FlintQS/issues/3

[5] https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File

[6] https://nvd.nist.gov/vuln/detail/CVE-2023-29465

[7] https://github.com/sagemath/sage/pull/35419
_______________________________________________
epel-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue














    











					Reply via email to