CVE-2023-29465: 
NixOS vulnerability analysis and mitigation

SageMath FlintQS 1.0 contains a security vulnerability (CVE-2023-29465) discovered in April 2023. The vulnerability stems from the software's reliance on pathnames under TMPDIR (typically world-writable), which allows local users to overwrite files with the privileges of different users who are running FlintQS. The vulnerability affects version 1.0 of the FlintQS package (NVD, CVE).

The vulnerability exists due to FlintQS using predictable filenames in temporary directories. The software concatenates the current UID and PID to create filenames, which are supposed to be unique but remain predictable since UIDs and PIDs of processes are usually visible to other users on the machine. When using plain fopen() on these paths, it becomes vulnerable to typical /tmp exploits. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability allows local users to perform file overwrite attacks with elevated privileges. For example, an attacker could exploit this vulnerability to overwrite sensitive files with the privileges of any user running FlintQS. A proof of concept demonstrated the ability to overwrite /etc/passwd when FlintQS is run as root (GitHub Issue).

The recommended mitigation is to replace FlintQS with FLINT's built-in qsieve_factor() functionality. This change has been implemented in SageMath through pull request #35419, which removes the standalone FlintQS package and replaces it with FLINT's native implementation (GitHub PR).