CVE-2021-20197
Published: 26 March 2021
There is an open race window when writing output in the following utilities in GNU binutils version 2.35 and earlier: ar, objcopy, strip, ranlib. When these utilities are run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick these utilities into getting ownership of arbitrary files through a symlink.
Notes
Author | Note |
---|---|
mdeslaur | commits below are from 2.36 branch. At some point, commits were reverted and then reinstated later on. The list below doesn't include the added and reverted commits. These changes are quite intrusive to backport, are regression-prone and may introduce regressions in other packages. For this reason we will not be fixing this issue in stable releases. |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.3 |
Attack vector | Local |
Attack complexity | High |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
References
Bugs
- https://sourceware.org/bugzilla/show_bug.cgi?id=26945
- https://sourceware.org/bugzilla/show_bug.cgi?id=27270 (regression)
- https://sourceware.org/bugzilla/show_bug.cgi?id=27284 (regression)
- https://sourceware.org/bugzilla/show_bug.cgi?id=27456 (regression)
- https://bugzilla.redhat.com/show_bug.cgi?id=1951278#c3 (regression)