From: Maxim Cournoyer
To: Maxime Devos
Cc: 47420-done@debbugs.gnu.org
Subject: bug#47420: binutils is vulnerable to CVE-2021-20197 (and various others)
Date: Tue, 22 Mar 2022 22:31:06 -0400
Message-ID: <87czid1jth.fsf@gmail.com>
References: <669bea321d23f39ac5bb902dc930f4056f07ec78.camel@zaclys.net>

Hi,

Maxime Devos writes:

> On Fri, 2021-03-26 at 21:41 +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
>> CVE-2021-20197 18:15
>> There is an open race window when writing output in the following
>> utilities in GNU binutils version 2.35 and earlier: ar, objcopy, strip,
>> ranlib. When these utilities are run as a privileged user (presumably
>> as part of a script updating binaries across different users), an
>> unprivileged user can trick these utilities into getting ownership of
>> arbitrary files through a symlink.

Our current version of binutils is now 2.37, immune to the CVE reported here.

Thanks for the report! Closing.

Maxim
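
The class of race described in the quoted CVE text, as an added C example that is not part of this message and is not binutils code: it contrasts restoring ownership by path, which follows a symlink, with opening the output using O_NOFOLLOW and calling fchown() on the descriptor. The function names and the temporary-directory scenario are constructed for illustration.

```c
/* Added illustration, not binutils source; all names are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: chown() resolves the name again and follows a symlink, so the
 * object that changes owner is whatever the name points at by then. */
int restore_owner_by_path(const char *path, uid_t uid, gid_t gid) {
    return chown(path, uid, gid);
}

/* Hardened pattern: refuse a symlink at open time, check the object behind
 * the descriptor, then change ownership through that descriptor only. */
int restore_owner_by_fd(const char *path, uid_t uid, gid_t gid) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;              /* Linux: ELOOP when the name is a symlink */
    int rc = -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Constructed scenario: "out" is a symlink to "victim" in a private temp dir.
 * Returns 1 if the path call follows the link and the fd call fails with ELOOP. */
int demo_symlink_case(void) {
    char dir[] = "/tmp/ownerdemoXXXXXX", victim[64], out[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/out", dir);
    int fd = open(victim, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || symlink(victim, out) != 0) return 0;
    close(fd);
    int by_path = restore_owner_by_path(out, geteuid(), getegid());
    int by_fd = restore_owner_by_fd(out, geteuid(), getegid());
    int refused = (by_fd == -1 && errno == ELOOP);
    unlink(out); unlink(victim); rmdir(dir);
    return by_path == 0 && refused;
}

int main(void) { return demo_symlink_case() ? 0 : 1; }
```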