[EPEL-devel] Intent to retire flintqs in EPEL7, EPEL8, and EPEL9 for security reasons

[Ben Beasley]

When I took over maintenance of the flintqs package[1]—which contains 
William Hart’s quadratic sieve implementation, as modified for 
sagemath—I built it for EPEL7, EPEL8, and EPEL9. My thoughts were, “Why 
not? Someone might find it useful.”

It was recently pointed out[2][3] that the flintqs command-line tool 
uses temporary files in unsafe ways[4], which could potentially 
represent an exploitable security vulnerability; this has been assigned 
CVE-2023-29465[5].

There is no immediate patch available; while one could surely be 
constructed, the sagemath project plans to incorporate the factorization 
algorithm directly in sagemath and discontinue support of the vulnerable 
command-line tool rather than fixing it[6].

Since sagemath is not packaged in any of the EPEL releases, and flintqs 
is therefore a leaf package, I plan to handle this security report by 
retiring flintqs in all three EPELs. This email is the beginning of that 
process as prescribed in the EPEL Retirement Policy: Process: Security 
Reasons[7]. I doubt there will be any objections, but the process 
requires a one-week discussion period, so I will follow up on the 
epel-announce list and do the retirements no earlier than 2023-03-17.

[1] https://src.fedoraproject.org/rpms/flintqs

[2] https://bugzilla.redhat.com/show_bug.cgi?id=2185301

[3] https://github.com/sagemath/FlintQS/issues/3

[4] https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File

[5] https://nvd.nist.gov/vuln/detail/CVE-2023-29465

[6] https://github.com/sagemath/sage/pull/35419

[7] 
https://docs.fedoraproject.org/en-US/epel/epel-policy-retirement/#process_security_reasons
_______________________________________________
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue