Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 778545 (CVE-2021-20197, CVE-2021-20284, CVE-2021-20294, CVE-2021-3487) - <sys-devel/binutils-2.36.1-r1 : multiple vulnerabilities (CVE-2021-{3487,20197,20284,20294})
Summary: <sys-devel/binutils-2.36.1-r1 : multiple vulnerabilities (CVE-2021-{3487,2019...
Status: IN_PROGRESS
Alias: CVE-2021-20197, CVE-2021-20284, CVE-2021-20294, CVE-2021-3487
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 809059
Blocks:
  Show dependency tree
 
Reported: 2021-03-27 04:19 UTC by John Helmert III
Modified: 2021-09-25 19:23 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-03-27 04:19:00 UTC
CVE-2021-20197 (https://sourceware.org/bugzilla/show_bug.cgi?id=26945):

There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.

CVE-2021-20284 (https://sourceware.org/bugzilla/show_bug.cgi?id=26931):

A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability.
Comment 1 John Helmert III gentoo-dev Security 2021-04-17 23:12:31 UTC
CVE-2021-3487:

There's a flaw in the BFD library of binutils in versions before 2.36. An attacker who supplies a crafted file to an application linked with BFD, and using the DWARF functionality, could cause an impact to system availability by way of excessive memory consumption.

Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=26946
Patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=647cebce12a6b0a26960220caff96ff38978cf24
Comment 2 John Helmert III gentoo-dev Security 2021-06-24 03:13:04 UTC
CVE-2021-20294:

A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2021-07-08 21:02:24 UTC
> CVE-2021-20197 (https://sourceware.org/bugzilla/show_bug.cgi?id=26945):
> 
> There is an open race window when writing output in the following utilities
> in GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When
> these utilities are run as a privileged user (presumably as part of a script
> updating binaries across different users), an unprivileged user can trick
> these utilities into getting ownership of arbitrary files through a symlink.

Fixed in Gentoo binutils-2.36.1-r1


> CVE-2021-20284 (https://sourceware.org/bugzilla/show_bug.cgi?id=26931):
> 
> A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer
> overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the
> number of symbols not calculated correctly. The highest threat from this
> vulnerability is to system availability.

Fixed in Gentoo binutils-2.36.1-r1


> CVE-2021-3487:
> 
> There's a flaw in the BFD library of binutils in versions before 2.36. An
> attacker who supplies a crafted file to an application linked with BFD, and
> using the DWARF functionality, could cause an impact to system availability
> by way of excessive memory consumption.
> 
> Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=26946
> Patch:
> https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;
> h=647cebce12a6b0a26960220caff96ff38978cf24

Fixed in Gentoo binutils-2.36.1-r1


> CVE-2021-20294:
> 
> A flaw was found in binutils readelf 2.35 program. An attacker who is able
> to convince a victim using readelf to read a crafted file could trigger a
> stack buffer overflow, out-of-bounds write of arbitrary data supplied by the
> attacker. The highest impact of this flaw is to confidentiality, integrity,
> and availability.
https://sourceware.org/bugzilla/show_bug.cgi?id=26929

Fixed in Gentoo binutils-2.36.1-r1
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:23:27 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:31:50 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:39:44 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 17:47:55 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:03:51 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:12:10 UTC
Package list is empty or all packages have requested keywords.
Comment 10 Larry the Git Cow gentoo-dev 2021-09-25 19:21:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6d6f7b7b7209257f1a9f4760ca4e132e1571600

commit d6d6f7b7b7209257f1a9f4760ca4e132e1571600
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2021-09-25 19:07:19 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2021-09-25 19:21:19 +0000

    package.mask: Update binutils mask to <2.36.1-r2
    
    Bug: https://bugs.gentoo.org/778545
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 11 John Helmert III gentoo-dev Security 2021-09-25 19:23:24 UTC
Thanks dilfridge \o/