bug-guix

bug#47420: binutils is vulnerable to CVE-2021-20197 (and various others)


From: Maxim Cournoyer
Subject: bug#47420: binutils is vulnerable to CVE-2021-20197 (and various others)
Date: Tue, 22 Mar 2022 22:31:06 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi,

Maxime Devos <maximedevos@telenet.be> writes:

> On Fri, 2021-03-26 at 21:41 +0100, Léo Le Bouter via Bug reports for GNU Guix 
> wrote:
>> CVE-2021-20197       18:15
>> There is an open race window when writing output in the following
>> utilities in GNU binutils version 2.35 and earlier: ar, objcopy, strip,
>> ranlib. When these utilities are run as a privileged user (presumably
>> as part of a script updating binaries across different users), an
>> unprivileged user can trick these utilities into getting ownership of
>> arbitrary files through a symlink.

Our current version of binutils is now 2.37, immune to the CVE reported
here.

Thanks for the report!

Closing.

Maxim
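
The race in the quoted CVE description comes from applying ownership to a file name after the file was written. The following is an added example, not part of the original message and not the binutils fix: it sets a path-based ownership change beside a descriptor-based one. The function names and the temporary files are constructed for illustration, and it assumes Linux semantics for `O_NOFOLLOW`.

```python
import errno
import os
import stat
import tempfile


def chown_by_path(path, uid, gid):
    # Racy pattern: the name is resolved again here, so a symlink swapped in
    # after the output was written redirects the ownership change.
    os.chown(path, uid, gid)


def chown_by_fd(path, uid, gid):
    # Hardened pattern: refuse a symlink in the final path component, check
    # the opened object, then act on the descriptor rather than the name.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError(errno.EINVAL, "not a regular file", path)
        os.fchown(fd, uid, gid)
    finally:
        os.close(fd)


def demo():
    # Constructed scenario: "out.o" was replaced by a symlink to "victim".
    uid, gid = os.geteuid(), os.getegid()
    with tempfile.TemporaryDirectory() as d:
        victim, real, link = (os.path.join(d, n)
                              for n in ("victim", "real.o", "out.o"))
        for p in (victim, real):
            open(p, "w").close()
        os.symlink(victim, link)
        chown_by_path(link, uid, gid)   # silently acts on "victim"
        chown_by_fd(real, uid, gid)     # regular file: accepted
        try:
            chown_by_fd(link, uid, gid)
            return "followed"
        except OSError as e:
            return errno.errorcode[e.errno]  # ELOOP on Linux


if __name__ == "__main__":
    print(demo())
```

`O_NOFOLLOW` only covers the last path component; a privileged tool working in a directory writable by another user also needs to control the parent directories.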




