GNU bug report logs - #47420
binutils is vulnerable to CVE-2021-20197 (and various others)

Previous Next

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Fri, 26 Mar 2021 20:42:01 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 47420 in the body.
You can then email your comments to 47420 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-guix <at> gnu.org:
bug#47420; Package guix. (Fri, 26 Mar 2021 20:42:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 26 Mar 2021 20:42:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: binutils is vulnerable to CVE-2021-20197 (and various others)
Date: Fri, 26 Mar 2021 21:41:20 +0100
[Message part 1 (text/plain, inline)]
CVE-2021-20197	18:15
There is an open race window when writing output in the following
utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip,
ranlib. When these utilities are run as a privileged user (presumably
as part of a script updating binaries across different users), an
unprivileged user can trick these utilities into getting ownership of
arbitrary files through a symlink.

For the two versions packaged in GNU Guix we have:

$ ./pre-inst-env guix lint -c cve binutils <at> 2.33
gnu/packages/base.scm:584:2: binutils <at> 2.33.1: probably vulnerable to
CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496, CVE-
2020-35507

$ ./pre-inst-env guix lint -c cve binutils <at> 2.34
gnu/packages/base.scm:571:2: binutils <at> 2.34: probably vulnerable to CVE-
2020-16590, CVE-2020-16591, CVE-2020-16592, CVE-2020-16593, CVE-2020-
16599

Because they are also build tools for GNU Guix itself, we can't fix
this in grafts, a review of each and every CVE can be made to evaluate
whether we must fix it for GNU Guix's internal usage can be made, but
also we should update it and not use any vulnerable version anywhere so
we can be certain we didnt miss anything.

Can binutils be upgraded just like that? Or must it be upgraded in
tandem with GCC and friends?

Thank you,
Léo
[signature.asc (application/pgp-signature, inline)]

Added tag(s) security. Request was from Léo Le Bouter <lle-bout <at> zaclys.net> to control <at> debbugs.gnu.org. (Fri, 26 Mar 2021 20:56:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#47420; Package guix. (Fri, 26 Mar 2021 21:57:01 GMT) Full text and rfc822 format available.

Message #10 received at 47420 <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: 47420 <at> debbugs.gnu.org
Subject: Re: bug#47420: binutils is vulnerable to CVE-2021-20197 (and
 various others)
Date: Fri, 26 Mar 2021 22:56:32 +0100
[Message part 1 (text/plain, inline)]
Another:

CVE-2021-20284	18:15
A flaw was found in GNU Binutils 2.35.1, where there is a heap-based
buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due
to the number of symbols not calculated correctly. The highest threat
from this vulnerability is to system availability.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#47420; Package guix. (Fri, 26 Mar 2021 23:01:02 GMT) Full text and rfc822 format available.

Message #13 received at 47420 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: Léo Le Bouter <lle-bout <at> zaclys.net>, 
 47420 <at> debbugs.gnu.org
Subject: Re: bug#47420: binutils is vulnerable to CVE-2021-20197 (and
 various others)
Date: Sat, 27 Mar 2021 00:00:40 +0100
[Message part 1 (text/plain, inline)]
On Fri, 2021-03-26 at 21:41 +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-20197	18:15
> There is an open race window when writing output in the following
> utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip,
> ranlib. When these utilities are run as a privileged user (presumably
> as part of a script updating binaries across different users), an
> unprivileged user can trick these utilities into getting ownership of
> arbitrary files through a symlink.

At first I thought -- why would anyone run the binutils as root (or other
privileged user)?  Isn't it only used for *compiling* stuff?  But then
I looked at the actual bug report:

  https://sourceware.org/bugzilla/show_bug.cgi?id=26945

Apparently creating temporary files isn't done quite correctly.
IIUC, on a shared guix system, a malicious user could use this bug
to change the binary that would normally result from the innocent
user running "./configure && make" into something controlled
by the malicious user.

Question: if I run "guix environment guix", do I get the packages
normally used for building guix as-is, or the grafted versions?
When I run "guix environment emacs", I see two lines "applying $N grafts",
so I assume the latter.

> For the two versions packaged in GNU Guix we have:
> 
> $ ./pre-inst-env guix lint -c cve binutils <at> 2.33
> gnu/packages/base.scm:584:2: binutils <at> 2.33.1: probably vulnerable to
> CVE-2020-35493, CVE-2020-35494, CVE-2020-35495, CVE-2020-35496, CVE-
> 2020-35507
> 
> $ ./pre-inst-env guix lint -c cve binutils <at> 2.34
> gnu/packages/base.scm:571:2: binutils <at> 2.34: probably vulnerable to CVE-
> 2020-16590, CVE-2020-16591, CVE-2020-16592, CVE-2020-16593, CVE-2020-
> 16599

> Because they are also build tools for GNU Guix itself, we can't fix
> this in grafts,

No, see next comment.

>  a review of each and every CVE can be made to evaluate
> whether we must fix it for GNU Guix's internal usage can be made, but
> also we should update it and not use any vulnerable version anywhere so
> we can be certain we didnt miss anything.

Guix itself only use binutils in the build containers, which (I presume)
have their own temporary directories, so this shouldn't be
relevant to Guix itself.  However, grafts are still important for
*developers*.  See my first comment block.

> Can binutils be upgraded just like that? Or must it be upgraded in
> tandem with GCC and friends?

I don't know, I guess you'll just have to try and read the release notes.
In any case, upgrading packages seems a good idea (as long as it doesn't
cause world-rebuild or bootstrapping issues of course), even if there
weren't any security issues -- perhaps something to do on core-updates?.

Thanks for looking into these potential security issues,

Greetings,
Maxime.

[signature.asc (application/pgp-signature, inline)]

Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility. (Wed, 23 Mar 2022 02:32:02 GMT) Full text and rfc822 format available.

Notification sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
bug acknowledged by developer. (Wed, 23 Mar 2022 02:32:02 GMT) Full text and rfc822 format available.

Message #18 received at 47420-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Maxime Devos <maximedevos <at> telenet.be>
Cc: 47420-done <at> debbugs.gnu.org,
 Léo Le Bouter <lle-bout <at> zaclys.net>
Subject: Re: bug#47420: binutils is vulnerable to CVE-2021-20197 (and
 various others)
Date: Tue, 22 Mar 2022 22:31:06 -0400
Hi,

Maxime Devos <maximedevos <at> telenet.be> writes:

> On Fri, 2021-03-26 at 21:41 +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
>> CVE-2021-20197	18:15
>> There is an open race window when writing output in the following
>> utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip,
>> ranlib. When these utilities are run as a privileged user (presumably
>> as part of a script updating binaries across different users), an
>> unprivileged user can trick these utilities into getting ownership of
>> arbitrary files through a symlink.

Our current version of binutilsis now 2.37, immune to the CVE reported
here.

Thanks for the report!

Closing.

Maxim




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 20 Apr 2022 11:24:07 GMT) Full text and rfc822 format available.

This bug report was last modified 1 year and 344 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.