{"id":"MGASA-2021-0341","summary":"Updated binutils packages fix security vulnerabilities","details":"This update provides binutils 2.36.1 and fixes at least the following security\nissues:\n\nThere's a flaw in the BFD library of binutils in versions before 2.36. An\nattacker who supplies a crafted file to an application linked with BFD, and\nusing the DWARF functionality, could cause an impact to system availability\nby way of excessive memory consumption (CVE-2021-3487).\n\nThere is an open race window when writing output in the following utilities\nin GNU binutils version 2.35 and earlier:ar, objcopy, strip, ranlib. When\nthese utilities are run as a privileged user (presumably as part of a script\nupdating binaries across different users), an unprivileged user can trick\nthese utilities into getting ownership of arbitrary files through a symlink\n(CVE-2021-20197).\n\nFor more info about the 2.36 update, see the sourceware link.\n","modified":"2026-04-16T00:09:53.524861407Z","published":"2021-07-12T20:26:21Z","upstream":["CVE-2021-20197","CVE-2021-3487"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0341.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28305"},{"type":"WEB","url":"https://sourceware.org/pipermail/binutils/2021-January/115071.html"}],"affected":[{"package":{"name":"binutils","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/binutils?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.36.1-1.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0341.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}