From debbugs-submit-bounces@debbugs.gnu.org Fri Mar 26 16:41:32 2021 Received: (at submit) by debbugs.gnu.org; 26 Mar 2021 20:41:32 +0000 Received: from localhost ([127.0.0.1]:42618 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPtGt-0002Is-Qa for submit@debbugs.gnu.org; Fri, 26 Mar 2021 16:41:32 -0400 Received: from lists.gnu.org ([209.51.188.17]:58216) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPtGs-0002Il-KK for submit@debbugs.gnu.org; Fri, 26 Mar 2021 16:41:30 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:37888) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPtGs-0005en-9K for bug-guix@gnu.org; Fri, 26 Mar 2021 16:41:30 -0400 Received: from mail.zaclys.net ([178.33.93.72]:54763) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPtGp-0007Q7-J0 for bug-guix@gnu.org; Fri, 26 Mar 2021 16:41:29 -0400 Received: from guix-xps.local (82-64-145-38.subs.proxad.net [82.64.145.38]) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12QKfOMl009514 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Fri, 26 Mar 2021 21:41:24 +0100 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12QKfOMl009514 Authentication-Results: mail.zaclys.net; dmarc=fail (p=reject dis=none) header.from=zaclys.net Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@zaclys.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1616791284; bh=PAz5eH5dR70EQ4IYaki03UgvN47z6WiA3uzbsxJ2zCA=; h=Subject:From:To:Date:From; b=gb0s5bP74VC/U7qpWSjuWrAUxHN6/+NSAfZIQIcrLpN8NS4FwO4l0NyYLaVIwZMPJ JyNgSuk4iTlNVmgNNm8IH1m2Wpxy617EXEEVX/gFOFF12ThOihugGX3tZ41wIyhxAV 9izK+XHNKApt/UPry45y17otI5GIs51oy48oW7Dc= Message-ID: <669bea321d23f39ac5bb902dc930f4056f07ec78.camel@zaclys.net> Subject: binutils is vulnerable to CVE-2021-20197 (and various others) From: =?ISO-8859-1?Q?L=E9o?= Le Bouter To: bug-guix@gnu.org Date: Fri, 26 Mar 2021 21:41:20 +0100 Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-j5FKG5V+VjaTh3Lnpq4o" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net; helo=mail.zaclys.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) --=-j5FKG5V+VjaTh3Lnpq4o Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable CVE-2021-20197 18:15 There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink. For the two versions packaged in GNU Guix we have: $ ./pre-inst-env guix lint -c cve binutils@2.33 gnu/packages/base.scm:584:2: binutils@2.33.1: probably vulnerable to CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496, CVE- 2020-35507 $ ./pre-inst-env guix lint -c cve binutils@2.34 gnu/packages/base.scm:571:2: binutils@2.34: probably vulnerable to CVE- 2020-16590, CVE-2020-16591, CVE-2020-16592, CVE-2020-16593, CVE-2020- 16599 Because they are also build tools for GNU Guix itself, we can't fix this in grafts, a review of each and every CVE can be made to evaluate whether we must fix it for GNU Guix's internal usage can be made, but also we should update it and not use any vulnerable version anywhere so we can be certain we didnt miss anything. Can binutils be upgraded just like that? Or must it be upgraded in tandem with GCC and friends? Thank you, L=C3=A9o --=-j5FKG5V+VjaTh3Lnpq4o Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBeRvAACgkQRaix6GvN EKZ8kRAAmAZr1kxoMaGXvAHujdj5yLe4s9U1+YqhBaUr4KI3bU0WKWZfy/+8vERb aDx453sxQFvIRW0g9DpwsJzL9n0+oft+g9C1KYaLgp63w6lhp0cdtkGKDJdYaJyE UulAS/F9W0OrWvp0uDeUikeBuAtniJ8lweApZn6VeMcfQ/WCIIMJ39lZ48mbKYhZ UZXnyQGAEi4Jt+I7pEeoi+TBPeDIuN4YU4mivBiMMgrLnWZdEP1jKywBa5Lukb6G xMlmpkMdye8m8sTbuAmfZJ2IXvjcpwE3NgU05q6n6vOvuHyLuhSJJ5uOltob9I04 HD1UeQOTGvaaDqNBFPpiM5v3abKJKv4ZjHD/MMXdUykAzAsDs93Ls7J5QF6avmu/ ysfJpJNDNSy90Kld3e6VqO4P181Q3+kIVkzyeqbHOe6Md+FVuc7wMNl/oPy92H10 zfcduy1klfSqqgPAUidL75Voti90mttPhAX7SYn7J2nwt0W2NJpbindrXhJwTX0j hbMAJDs0Osh+6StB3BDSsLknx3SN/Frj0UGf8UlelovASAarO9CmJ6W/w/5JPRkK Yk/Npe2iejEzj+GbRhTZH9W5UMchdyoWS5UZw0eY2ArT/g0xdtdqdteKovnla4b0 wai92AvvIuubGc7FeyA5qs788L8u4zhaPrYWiaVQQORUejGvzNM= =jnN8 -----END PGP SIGNATURE----- --=-j5FKG5V+VjaTh3Lnpq4o--