Bug 778545 (CVE-2021-20197, CVE-2021-20284, CVE-2021-20294, CVE-2021-3487) - <sys-devel/binutils-2.36.1-r1 : multiple vulnerabilities (CVE-2021-{3487,20197,20284,20294})
Summary: <sys-devel/binutils-2.36.1-r1 : multiple vulnerabilities (CVE-2021-{3487,2019...
Status: CONFIRMED
Alias: CVE-2021-20197, CVE-2021-20284, CVE-2021-20294, CVE-2021-3487
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [stable wait]
Reported: 2021-03-27 04:19 UTC by John Helmert III
Modified: 2021-07-29 18:12 UTC
Description John Helmert III gentoo-dev Security 2021-03-27 04:19:00 UTC
CVE-2021-20197 (https://sourceware.org/bugzilla/show_bug.cgi?id=26945):

There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier: ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.

CVE-2021-20284 (https://sourceware.org/bugzilla/show_bug.cgi?id=26931):

A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the number of symbols not calculated correctly. The highest threat from this vulnerability is to system availability.
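
For the symlink ownership problem described under CVE-2021-20197, the general defensive pattern is to change ownership through an open descriptor rather than by path name. The C code below is an added example, not binutils code or the upstream fix; the function names and the scratch-directory scenario are constructed for illustration, and it assumes Linux `open()` semantics for `O_NOFOLLOW`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: chown() resolves the path again, so a symlink swapped in
   after the output was written is followed to whatever it points at. */
int set_owner_by_path(const char *path, uid_t uid, gid_t gid)
{
    return chown(path, uid, gid);
}

/* Hardened pattern: refuse a symlink as the final component, check what the
   descriptor refers to, and change ownership through that descriptor. */
int set_owner_by_fd(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int rc = -1, fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                /* errno is ELOOP on Linux for a symlink */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Constructed scenario in a scratch directory: "out" is a symlink to "victim".
   Returns 1 if the path variant follows it and the descriptor variant refuses. */
int demo_symlink_case(void)
{
    char dir[] = "/tmp/owner-demo-XXXXXX", victim[64], out[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/out", dir);
    int fd = open(victim, O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd < 0 || symlink(victim, out) != 0)
        return -1;
    close(fd);
    int followed = set_owner_by_path(out, getuid(), getgid()) == 0;
    int refused = set_owner_by_fd(out, getuid(), getgid()) == -1 && errno == ELOOP;
    int regular_ok = set_owner_by_fd(victim, getuid(), getgid()) == 0;
    unlink(out); unlink(victim); rmdir(dir);
    return followed && refused && regular_ok;
}
int main(void) { return demo_symlink_case() == 1 ? 0 : 1; }
```

The demo only re-applies the caller's own uid and gid, so it runs without privileges and changes nothing outside its scratch directory.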
Comment 1 John Helmert III gentoo-dev Security 2021-04-17 23:12:31 UTC
CVE-2021-3487:

There's a flaw in the BFD library of binutils in versions before 2.36. An attacker who supplies a crafted file to an application linked with BFD, and using the DWARF functionality, could cause an impact to system availability by way of excessive memory consumption.

Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=26946
Patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=647cebce12a6b0a26960220caff96ff38978cf24
Comment 2 John Helmert III gentoo-dev Security 2021-06-24 03:13:04 UTC
CVE-2021-20294:

A flaw was found in binutils readelf 2.35 program. An attacker who is able to convince a victim using readelf to read a crafted file could trigger a stack buffer overflow, out-of-bounds write of arbitrary data supplied by the attacker. The highest impact of this flaw is to confidentiality, integrity, and availability.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2021-07-08 21:02:24 UTC
> CVE-2021-20197 (https://sourceware.org/bugzilla/show_bug.cgi?id=26945):
> 
> There is an open race window when writing output in the following utilities
> in GNU binutils version 2.35 and earlier: ar, objcopy, strip, ranlib. When
> these utilities are run as a privileged user (presumably as part of a script
> updating binaries across different users), an unprivileged user can trick
> these utilities into getting ownership of arbitrary files through a symlink.

Fixed in Gentoo binutils-2.36.1-r1


> CVE-2021-20284 (https://sourceware.org/bugzilla/show_bug.cgi?id=26931):
> 
> A flaw was found in GNU Binutils 2.35.1, where there is a heap-based buffer
> overflow in _bfd_elf_slurp_secondary_reloc_section in elf.c due to the
> number of symbols not calculated correctly. The highest threat from this
> vulnerability is to system availability.

Fixed in Gentoo binutils-2.36.1-r1


> CVE-2021-3487:
> 
> There's a flaw in the BFD library of binutils in versions before 2.36. An
> attacker who supplies a crafted file to an application linked with BFD, and
> using the DWARF functionality, could cause an impact to system availability
> by way of excessive memory consumption.
> 
> Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=26946
> Patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=647cebce12a6b0a26960220caff96ff38978cf24

Fixed in Gentoo binutils-2.36.1-r1


> CVE-2021-20294:
> 
> A flaw was found in binutils readelf 2.35 program. An attacker who is able
> to convince a victim using readelf to read a crafted file could trigger a
> stack buffer overflow, out-of-bounds write of arbitrary data supplied by the
> attacker. The highest impact of this flaw is to confidentiality, integrity,
> and availability.

https://sourceware.org/bugzilla/show_bug.cgi?id=26929

Fixed in Gentoo binutils-2.36.1-r1
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:12:10 UTC
Package list is empty or all packages have requested keywords.