bug#47420: binutils is vulnerable to CVE-2021-20197 (and various others)
From: Maxim Cournoyer
Subject: bug#47420: binutils is vulnerable to CVE-2021-20197 (and various others)
Date: Tue, 22 Mar 2022 22:31:06 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
Hi,
Maxime Devos <maximedevos@telenet.be> writes:
> On Fri, 2021-03-26 at 21:41 +0100, Léo Le Bouter via Bug reports for GNU Guix
> wrote:
>> CVE-2021-20197 18:15
>> There is an open race window when writing output in the following
>> utilities in GNU binutils version 2.35 and earlier: ar, objcopy, strip,
>> ranlib. When these utilities are run as a privileged user (presumably
>> as part of a script updating binaries across different users), an
>> unprivileged user can trick these utilities into getting ownership of
>> arbitrary files through a symlink.
Our current version of binutils is now 2.37, immune to the CVE reported
here.
Thanks for the report!
Closing.
Maxim
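
The CVE text quoted above describes a privileged tool acting on an output name that an unprivileged user can replace with a symlink. The following is an added illustration, not binutils code and not part of the original message: a general defensive pattern for this class of issue, which changes ownership through an already-opened descriptor instead of the path. The names `set_owner_nofollow` and `demo` and the file names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkdtemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not binutils code): set the owner of `path` without
   ever acting on a symlink's target. Returns 0, or -1 with errno set. */
int set_owner_nofollow(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int rc = -1, err = EPERM;
    /* O_NOFOLLOW: open() fails with ELOOP if the last component is a symlink. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0) {
        err = errno;
    } else if (S_ISREG(st.st_mode) && st.st_nlink == 1) {
        /* fchown() acts on the object already opened; the name is not looked
           up again, so swapping the path afterwards cannot redirect it. */
        rc = fchown(fd, uid, gid);
        err = errno;
    }   /* anything else (device, directory, hard-linked file) is refused */
    close(fd);
    errno = err;
    return rc;
}

/* Constructed demo: out.o is a regular file, swapped.o is a symlink to it.
   Returns 1 when the regular file is accepted and the symlink is refused. */
int demo(void)
{
    char dir[] = "/tmp/ownerdemoXXXXXX", reg[64], lnk[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(reg, sizeof reg, "%s/out.o", dir);
    snprintf(lnk, sizeof lnk, "%s/swapped.o", dir);
    int fd = open(reg, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0 || symlink(reg, lnk) < 0)
        return -1;
    close(fd);
    int ok = set_owner_nofollow(reg, geteuid(), getegid()) == 0;
    int refused = set_owner_nofollow(lnk, geteuid(), getegid()) == -1 && errno == ELOOP;
    unlink(lnk); unlink(reg); rmdir(dir);
    return ok && refused;
}

int main(void) { printf("symlink refused: %d\n", demo()); return 0; }
```

A path-based `chown()` resolves the name again at call time and follows symlinks, which is the gap the descriptor-based call closes.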