bug#47420: closed (binutils is vulnerable to CVE-2021-20197 (and various

emacs-bug-tracker

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#47420: closed (binutils is vulnerable to CVE-2021-20197 (and various

From:	GNU bug Tracking System
Subject:	bug#47420: closed (binutils is vulnerable to CVE-2021-20197 (and various others))
Date:	Wed, 23 Mar 2022 02:32:02 +0000

Your message dated Tue, 22 Mar 2022 22:31:06 -0400
with message-id <87czid1jth.fsf@gmail.com>
and subject line Re: bug#47420: binutils is vulnerable to CVE-2021-20197 (and 
various others)
has caused the debbugs.gnu.org bug report #47420,
regarding binutils is vulnerable to CVE-2021-20197 (and various others)
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
47420: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47420
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

--- Begin Message --- Subject: binutils is vulnerable to CVE-2021-20197 (and various others) Date: Fri, 26 Mar 2021 21:41:20 +0100 User-agent: Evolution 3.34.2

CVE-2021-20197  18:15
There is an open race window when writing output in the following
utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip,
ranlib. When these utilities are run as a privileged user (presumably
as part of a script updating binaries across different users), an
unprivileged user can trick these utilities into getting ownership of
arbitrary files through a symlink.

For the two versions packaged in GNU Guix we have:

$ ./pre-inst-env guix lint -c cve binutils@2.33
gnu/packages/base.scm:584:2: binutils@2.33.1: probably vulnerable to
CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496, CVE-
2020-35507

$ ./pre-inst-env guix lint -c cve binutils@2.34
gnu/packages/base.scm:571:2: binutils@2.34: probably vulnerable to CVE-
2020-16590, CVE-2020-16591, CVE-2020-16592, CVE-2020-16593, CVE-2020-
16599

Because they are also build tools for GNU Guix itself, we can't fix
this in grafts, a review of each and every CVE can be made to evaluate
whether we must fix it for GNU Guix's internal usage can be made, but
also we should update it and not use any vulnerable version anywhere so
we can be certain we didnt miss anything.

Can binutils be upgraded just like that? Or must it be upgraded in
tandem with GCC and friends?

Thank you,
Léo

signature.asc
Description: This is a digitally signed message part

--- End Message ---

--- Begin Message --- Subject: Re: bug#47420: binutils is vulnerable to CVE-2021-20197 (and various others) Date: Tue, 22 Mar 2022 22:31:06 -0400 User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi,

Maxime Devos <maximedevos@telenet.be> writes:

> On Fri, 2021-03-26 at 21:41 +0100, Léo Le Bouter via Bug reports for GNU Guix 
> wrote:
>> CVE-2021-20197       18:15
>> There is an open race window when writing output in the following
>> utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip,
>> ranlib. When these utilities are run as a privileged user (presumably
>> as part of a script updating binaries across different users), an
>> unprivileged user can trick these utilities into getting ownership of
>> arbitrary files through a symlink.

Our current version of binutilsis now 2.37, immune to the CVE reported
here.

Thanks for the report!

Closing.

Maxim

--- End Message ---

[Prev in Thread]

Current Thread

[Next in Thread]

bug#47420: closed (binutils is vulnerable to CVE-2021-20197 (and various others)), GNU bug Tracking System <=

Prev by Date: Processed: control message for bug #54400
Next by Date: bug#47351: closed (python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270)
Previous by thread: Processed: control message for bug #54400
Next by thread: bug#47351: closed (python-pygments@2.7.3 is vulnerable to at least CVE-2021-20270)
Index(es):
- Date
- Thread