From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:bcc0::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id S0k+OstnXmABdgAAgWs5BA (envelope-from ) for ; Sat, 27 Mar 2021 00:01:31 +0100 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id +HoINMtnXmBzbwAAB5/wlQ (envelope-from ) for ; Fri, 26 Mar 2021 23:01:31 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 2F05D1332F for ; Sat, 27 Mar 2021 00:01:31 +0100 (CET) Received: from localhost ([::1]:44946 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lPvSL-0008Ii-N7 for larch@yhetil.org; Fri, 26 Mar 2021 19:01:29 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:39470) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lPvRu-0008HH-C8 for bug-guix@gnu.org; Fri, 26 Mar 2021 19:01:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:59518) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lPvRu-00066M-4O for bug-guix@gnu.org; Fri, 26 Mar 2021 19:01:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lPvRu-0002SF-2B for bug-guix@gnu.org; Fri, 26 Mar 2021 19:01:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#47420: binutils is vulnerable to CVE-2021-20197 (and various others) Resent-From: Maxime Devos Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Fri, 26 Mar 2021 23:01:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47420 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: =?UTF-8?Q?L=C3=A9o?= Le Bouter , 47420@debbugs.gnu.org Received: via spool by 47420-submit@debbugs.gnu.org id=B47420.16167996559002 (code B ref 47420); Fri, 26 Mar 2021 23:01:02 +0000 Received: (at 47420) by debbugs.gnu.org; 26 Mar 2021 23:00:55 +0000 Received: from localhost ([127.0.0.1]:42831 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPvRm-0002Kl-NW for submit@debbugs.gnu.org; Fri, 26 Mar 2021 19:00:55 -0400 Received: from baptiste.telenet-ops.be ([195.130.132.51]:55664) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lPvRk-0002HZ-FY for 47420@debbugs.gnu.org; Fri, 26 Mar 2021 19:00:53 -0400 Received: from ptr-bvsjgyjmffd7q9timvx.18120a2.ip6.access.telenet.be ([IPv6:2a02:1811:8c09:9d00:aaf1:9810:a0b8:a55d]) by baptiste.telenet-ops.be with bizsmtp id lB0q2400E0mfAB401B0qpM; Sat, 27 Mar 2021 00:00:50 +0100 Message-ID: From: Maxime Devos Date: Sat, 27 Mar 2021 00:00:40 +0100 In-Reply-To: <669bea321d23f39ac5bb902dc930f4056f07ec78.camel@zaclys.net> References: <669bea321d23f39ac5bb902dc930f4056f07ec78.camel@zaclys.net> Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=-azZwH7wqmdIpOucP6VQJ" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21; t=1616799650; bh=IS0il8aCHn1RBWV0iqIf6pOIjIqC3p9FY6B8q6PMWkA=; h=Subject:From:To:Date:In-Reply-To:References; b=XQG7NQUkgGPL6MLiyjtOLVNHBviHZJOOyMu6hcTQ6IHXjzuyi/PF+n9ovBxPJ3Exc 94g4uhJHJpsYQwfYvSP0HxI2PlHZy9nsYY5uph1gw4KdwUJKv/z3dbGCZit5MdyZNW tOzIY11S22VhuI6E3PnPh3wjSAQazMuHh2l4JFJ4sE14Lw5XPrv4tDUlKmQgmsgBYe lI5n/zIe40JSAQknyzjeaUADC6SPyhJIGUZpT42qkJammwDT1k8ysGe5Y/FGYIykRE F7TMlVx6n1ANU1thgc2OyId5xBR68cqeqh6jLlB1G/6hOamGD7svD9PnhQliAWVJ5K 3p/F8VKu7ArqQ== X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1616799691; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post: dkim-signature; bh=IS0il8aCHn1RBWV0iqIf6pOIjIqC3p9FY6B8q6PMWkA=; b=hio4hDCtXvFkZUpKqtwpoyponHGLWA8sQbQuAwopb4bxxCaGGsE0Vorh2C5tIaVt2f/Iuw m9btWdDkR7xRemLACiF+hGcWQxBYVe5jpw/8JO1J5rNDDaMnKewjowUNTCmWgA0tJQTFhc kb/xuG2JjXaPr5SppONdo0lz8QkkNHJX5U8oai3ieTzLdbKYg72p5Unh45bzYnrqLuV4fy CAUPVu3GJifgeXGEXgcXnTr/mT5AzWSh+jNXjGiSiE7Dte2zAJlV4dA5qIXEOL2pTZs2Vi b+htDSnKo/fqm0gXFO1IMUTR+9kyBoNT/tyYSZtbUVLKGE1NnJa+X5vOf1l5oA== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616799691; a=rsa-sha256; cv=none; b=fBL1rY5O4kTEbq0sTKGLS1KCqN+EMwXWr87RxqLlYJiUFbn9wqX+L69M4cbYMm4LM1spAa B6WBp86mM5zkS/3ljrycX3hA9yRjQYs9LRm5fhLUX/v+ysN4sUoXKPouWf9IcVcKD+g2k/ RyDn+fZonoaO8y0cuk4tvYI3g9jUjN9fSOcxwkZKels8yYxusGEaXhS47BoRcODHOqhOtt sD/apgjqF5KoBT4tY3b+jFa2jYEqeNFYQXenGYESB0mNJRj/EaRjveVFF3X28DrRLdqwD+ Fxbn0fHSkRMupVKM6oIC5EZYZ0rTv8vAZEvAq0uMyWDJXAfVdMaqiswDSGwgrw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=telenet.be header.s=r21 header.b=XQG7NQUk; dmarc=fail reason="SPF not aligned (relaxed)" header.from=telenet.be (policy=none); spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: -3.42 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=telenet.be header.s=r21 header.b=XQG7NQUk; dmarc=fail reason="SPF not aligned (relaxed)" header.from=telenet.be (policy=none); spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: 2F05D1332F X-Spam-Score: -3.42 X-Migadu-Scanner: scn0.migadu.com X-TUID: gsEWL8xP4vnQ --=-azZwH7wqmdIpOucP6VQJ Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Fri, 2021-03-26 at 21:41 +0100, L=C3=A9o Le Bouter via Bug reports for G= NU Guix wrote: > CVE-2021-20197 18:15 > There is an open race window when writing output in the following > utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, > ranlib. When these utilities are run as a privileged user (presumably > as part of a script updating binaries across different users), an > unprivileged user can trick these utilities into getting ownership of > arbitrary files through a symlink. At first I thought -- why would anyone run the binutils as root (or other privileged user)? Isn't it only used for *compiling* stuff? But then I looked at the actual bug report: https://sourceware.org/bugzilla/show_bug.cgi?id=3D26945 Apparently creating temporary files isn't done quite correctly. IIUC, on a shared guix system, a malicious user could use this bug to change the binary that would normally result from the innocent user running "./configure && make" into something controlled by the malicious user. Question: if I run "guix environment guix", do I get the packages normally used for building guix as-is, or the grafted versions? When I run "guix environment emacs", I see two lines "applying $N grafts", so I assume the latter. > For the two versions packaged in GNU Guix we have: >=20 > $ ./pre-inst-env guix lint -c cve binutils@2.33 > gnu/packages/base.scm:584:2: binutils@2.33.1: probably vulnerable to > CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496, CVE- > 2020-35507 >=20 > $ ./pre-inst-env guix lint -c cve binutils@2.34 > gnu/packages/base.scm:571:2: binutils@2.34: probably vulnerable to CVE- > 2020-16590, CVE-2020-16591, CVE-2020-16592, CVE-2020-16593, CVE-2020- > 16599 > Because they are also build tools for GNU Guix itself, we can't fix > this in grafts, No, see next comment. > a review of each and every CVE can be made to evaluate > whether we must fix it for GNU Guix's internal usage can be made, but > also we should update it and not use any vulnerable version anywhere so > we can be certain we didnt miss anything. Guix itself only use binutils in the build containers, which (I presume) have their own temporary directories, so this shouldn't be relevant to Guix itself. However, grafts are still important for *developers*. See my first comment block. > Can binutils be upgraded just like that? Or must it be upgraded in > tandem with GCC and friends? I don't know, I guess you'll just have to try and read the release notes. In any case, upgrading packages seems a good idea (as long as it doesn't cause world-rebuild or bootstrapping issues of course), even if there weren't any security issues -- perhaps something to do on core-updates?. Thanks for looking into these potential security issues, Greetings, Maxime. --=-azZwH7wqmdIpOucP6VQJ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYF5nmBccbWF4aW1lZGV2 b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7k+PAQDTGO4qOQLRqmaQr72wSZvWxDNQ AsiSw2Kt30W4AoVzVQEA6Oho2QtrfIFFs/vF6Ijq/WJOkVtHeZeqcInN6HzeEQU= =aPRn -----END PGP SIGNATURE----- --=-azZwH7wqmdIpOucP6VQJ--