GNU bug report logs

#47420 binutils is vulnerable to CVE-2021-20197 (and various others)

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #13 received at 47420@debbugs.gnu.org (full text, mbox, reply):

Received: (at 47420) by debbugs.gnu.org; 26 Mar 2021 23:00:55 +0000
From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 19:00:55 2021
Received: from localhost ([127.0.0.1]:42831 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lPvRm-0002Kl-NW
	for submit@debbugs.gnu.org; Fri, 26 Mar 2021 19:00:55 -0400
Received: from baptiste.telenet-ops.be ([195.130.132.51]:55664)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@telenet.be>) id 1lPvRk-0002HZ-FY
 for 47420@debbugs.gnu.org; Fri, 26 Mar 2021 19:00:53 -0400
Received: from ptr-bvsjgyjmffd7q9timvx.18120a2.ip6.access.telenet.be
 ([IPv6:2a02:1811:8c09:9d00:aaf1:9810:a0b8:a55d])
 by baptiste.telenet-ops.be with bizsmtp
 id lB0q2400E0mfAB401B0qpM; Sat, 27 Mar 2021 00:00:50 +0100
Message-ID: <d12edf9cd3c7a6779c25ccd40411c16292406e8d.camel@telenet.be>
Subject: Re: bug#47420: binutils is vulnerable to CVE-2021-20197 (and
 various others)
From: Maxime Devos <maximedevos@telenet.be>
To: Léo Le Bouter <lle-bout@zaclys.net>, 
 47420@debbugs.gnu.org
Date: Sat, 27 Mar 2021 00:00:40 +0100
In-Reply-To: <669bea321d23f39ac5bb902dc930f4056f07ec78.camel@zaclys.net>
References: <669bea321d23f39ac5bb902dc930f4056f07ec78.camel@zaclys.net>
Content-Type: multipart/signed; micalg="pgp-sha256";
 protocol="application/pgp-signature"; boundary="=-azZwH7wqmdIpOucP6VQJ"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21;
 t=1616799650; bh=IS0il8aCHn1RBWV0iqIf6pOIjIqC3p9FY6B8q6PMWkA=;
 h=Subject:From:To:Date:In-Reply-To:References;
 b=XQG7NQUkgGPL6MLiyjtOLVNHBviHZJOOyMu6hcTQ6IHXjzuyi/PF+n9ovBxPJ3Exc
 94g4uhJHJpsYQwfYvSP0HxI2PlHZy9nsYY5uph1gw4KdwUJKv/z3dbGCZit5MdyZNW
 tOzIY11S22VhuI6E3PnPh3wjSAQazMuHh2l4JFJ4sE14Lw5XPrv4tDUlKmQgmsgBYe
 lI5n/zIe40JSAQknyzjeaUADC6SPyhJIGUZpT42qkJammwDT1k8ysGe5Y/FGYIykRE
 F7TMlVx6n1ANU1thgc2OyId5xBR68cqeqh6jLlB1G/6hOamGD7svD9PnhQliAWVJ5K
 3p/F8VKu7ArqQ==
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 47420
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

[Message part 1 (text/plain, inline)]
On Fri, 2021-03-26 at 21:41 +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-20197	18:15
> There is an open race window when writing output in the following
> utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip,
> ranlib. When these utilities are run as a privileged user (presumably
> as part of a script updating binaries across different users), an
> unprivileged user can trick these utilities into getting ownership of
> arbitrary files through a symlink.

At first I thought -- why would anyone run the binutils as root (or other
privileged user)?  Isn't it only used for *compiling* stuff?  But then
I looked at the actual bug report:

  https://sourceware.org/bugzilla/show_bug.cgi?id=26945

Apparently creating temporary files isn't done quite correctly.
IIUC, on a shared guix system, a malicious user could use this bug
to change the binary that would normally result from the innocent
user running "./configure && make" into something controlled
by the malicious user.

Question: if I run "guix environment guix", do I get the packages
normally used for building guix as-is, or the grafted versions?
When I run "guix environment emacs", I see two lines "applying $N grafts",
so I assume the latter.

> For the two versions packaged in GNU Guix we have:
> 
> $ ./pre-inst-env guix lint -c cve binutils@2.33
> gnu/packages/base.scm:584:2: binutils@2.33.1: probably vulnerable to
> CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496, CVE-
> 2020-35507
> 
> $ ./pre-inst-env guix lint -c cve binutils@2.34
> gnu/packages/base.scm:571:2: binutils@2.34: probably vulnerable to CVE-
> 2020-16590, CVE-2020-16591, CVE-2020-16592, CVE-2020-16593, CVE-2020-
> 16599

> Because they are also build tools for GNU Guix itself, we can't fix
> this in grafts,

No, see next comment.

>  a review of each and every CVE can be made to evaluate
> whether we must fix it for GNU Guix's internal usage can be made, but
> also we should update it and not use any vulnerable version anywhere so
> we can be certain we didnt miss anything.

Guix itself only use binutils in the build containers, which (I presume)
have their own temporary directories, so this shouldn't be
relevant to Guix itself.  However, grafts are still important for
*developers*.  See my first comment block.

> Can binutils be upgraded just like that? Or must it be upgraded in
> tandem with GCC and friends?

I don't know, I guess you'll just have to try and read the release notes.
In any case, upgrading packages seems a good idea (as long as it doesn't
cause world-rebuild or bootstrapping issues of course), even if there
weren't any security issues -- perhaps something to do on core-updates?.

Thanks for looking into these potential security issues,

Greetings,
Maxime.


[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Thu Mar 13 14:43:17 2025; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.