GNU bug report logs

#47420 binutils is vulnerable to CVE-2021-20197 (and various others)

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 26 Mar 2021 20:41:32 +0000
From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 16:41:32 2021
Received: from localhost ([127.0.0.1]:42618 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lPtGt-0002Is-Qa
	for submit@debbugs.gnu.org; Fri, 26 Mar 2021 16:41:32 -0400
Received: from lists.gnu.org ([209.51.188.17]:58216)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@zaclys.net>) id 1lPtGs-0002Il-KK
 for submit@debbugs.gnu.org; Fri, 26 Mar 2021 16:41:30 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:37888)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lPtGs-0005en-9K
 for bug-guix@gnu.org; Fri, 26 Mar 2021 16:41:30 -0400
Received: from mail.zaclys.net ([178.33.93.72]:54763)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lPtGp-0007Q7-J0
 for bug-guix@gnu.org; Fri, 26 Mar 2021 16:41:29 -0400
Received: from guix-xps.local (82-64-145-38.subs.proxad.net [82.64.145.38])
 (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12QKfOMl009514
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <bug-guix@gnu.org>; Fri, 26 Mar 2021 21:41:24 +0100
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12QKfOMl009514
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@zaclys.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1616791284;
 bh=PAz5eH5dR70EQ4IYaki03UgvN47z6WiA3uzbsxJ2zCA=;
 h=Subject:From:To:Date:From;
 b=gb0s5bP74VC/U7qpWSjuWrAUxHN6/+NSAfZIQIcrLpN8NS4FwO4l0NyYLaVIwZMPJ
 JyNgSuk4iTlNVmgNNm8IH1m2Wpxy617EXEEVX/gFOFF12ThOihugGX3tZ41wIyhxAV
 9izK+XHNKApt/UPry45y17otI5GIs51oy48oW7Dc=
Message-ID: <669bea321d23f39ac5bb902dc930f4056f07ec78.camel@zaclys.net>
Subject: binutils is vulnerable to CVE-2021-20197 (and various others)
From: Léo Le Bouter <lle-bout@zaclys.net>
To: bug-guix@gnu.org
Date: Fri, 26 Mar 2021 21:41:20 +0100
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-j5FKG5V+VjaTh3Lnpq4o"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

[Message part 1 (text/plain, inline)]
CVE-2021-20197	18:15
There is an open race window when writing output in the following
utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip,
ranlib. When these utilities are run as a privileged user (presumably
as part of a script updating binaries across different users), an
unprivileged user can trick these utilities into getting ownership of
arbitrary files through a symlink.

For the two versions packaged in GNU Guix we have:

$ ./pre-inst-env guix lint -c cve binutils@2.33
gnu/packages/base.scm:584:2: binutils@2.33.1: probably vulnerable to
CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496, CVE-
2020-35507

$ ./pre-inst-env guix lint -c cve binutils@2.34
gnu/packages/base.scm:571:2: binutils@2.34: probably vulnerable to CVE-
2020-16590, CVE-2020-16591, CVE-2020-16592, CVE-2020-16593, CVE-2020-
16599

Because they are also build tools for GNU Guix itself, we can't fix
this in grafts, a review of each and every CVE can be made to evaluate
whether we must fix it for GNU Guix's internal usage can be made, but
also we should update it and not use any vulnerable version anywhere so
we can be certain we didnt miss anything.

Can binutils be upgraded just like that? Or must it be upgraded in
tandem with GCC and friends?

Thank you,
Léo

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Thu Mar 13 14:31:59 2025; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.