Re: [arch-general] strip command of binutils 2.36 changes ownership in fakeroot 1.25.3
On 2/10/21 4:35 PM, Levente Polyak via arch-dev-public wrote:
Hi all,
Thanks for the update Levente.

Separately, I also note that you briefly put 2.36.1 in testing but then pulled it. Am curious what your thinking was around that version as well (seems to be different issues [1]).

thanks.
gene

[1] https://sourceware.org/pipermail/binutils/2021-February/115240.html
On 2/10/21 11:56 PM, Genes Lists via arch-general wrote:
Thanks for the update Levente.
You should thank the whole Security Team, this announcement was a team effort :)
Separately, I also note that you briefly put 2.36.1 in testing but then pulled it. Am curious what your thinking was around that version as well (seems to be different issues [1]).
thanks.
gene
[1] https://sourceware.org/pipermail/binutils/2021-February/115240.html
It had a similar but different result in changed ownership. Files that got stripped had the ownership of the builduser, which in case of official packages was uid 1001. This would mean that, on a multi-user system, uid 1001 would have been able to change arbitrary libraries or binaries on the system, leading to privilege boundary violation and privilege escalation.

You can find more details about the binutils 2.36.1 behavior in our incident pad [0] (also created and updated by the whole team). This pad will soon be made more readable and published as an incident response writeup.

cheers,
Levente

[0] https://md.archlinux.org/TAiOYgKzQl-1cJxDaQlB_g
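The 2.36.1 behavior described above leaves stripped files under system paths owned by the build user instead of root. The following check is an added example, not code from this thread or from the Arch Security Team: it flags files under system prefixes whose uid or gid is not root, first on a constructed sample modelled on the incident (uid 1001), and optionally on the live filesystem. Prefixes, trusted ids and the sample paths are assumptions.

```python
import os
import stat

# Constructed sample (path, uid, gid) entries modelled on the incident: under the
# broken binutils 2.36.1 + fakeroot combination, stripped files kept the ownership
# of the build user, which was uid 1001 for official Arch packages.
SAMPLE_ENTRIES = [
    ("/usr/lib/libexample.so.1", 0, 0),        # normal root:root file
    ("/usr/bin/example", 1001, 1001),          # stripped binary still owned by builduser
    ("/usr/lib/libother.so.2", 1001, 0),       # uid wrong even though gid is root
    ("/home/alice/bin/tool", 1001, 1001),      # outside system prefixes: not a finding
]

# Assumed system prefixes where package-installed files are expected to be root-owned.
SYSTEM_PREFIXES = ("/usr/", "/etc/", "/opt/")


def suspicious_ownership(entries, prefixes=SYSTEM_PREFIXES,
                         trusted_uids=(0,), trusted_gids=(0,)):
    """Return the (path, uid, gid) entries under system prefixes whose owner
    or group is not in the trusted sets. Files elsewhere are ignored."""
    hits = []
    for path, uid, gid in entries:
        if not path.startswith(prefixes):
            continue
        if uid not in trusted_uids or gid not in trusted_gids:
            hits.append((path, uid, gid))
    return hits


def scan_filesystem(roots=("/usr/bin", "/usr/lib")):
    """Yield (path, uid, gid) for regular files below the given roots.
    Uses lstat so symlinks are reported by their own ownership, not their target's."""
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                full = os.path.join(dirpath, name)
                try:
                    st = os.lstat(full)
                except OSError:
                    continue  # unreadable or vanished entry; skip it
                if stat.S_ISREG(st.st_mode):
                    yield (full, st.st_uid, st.st_gid)


if __name__ == "__main__":
    # Run against the constructed sample; swap in scan_filesystem() for a live check.
    for path, uid, gid in suspicious_ownership(SAMPLE_ENTRIES):
        print(f"unexpected ownership: {path} uid={uid} gid={gid}")
```

Setgid helpers with a non-root group (for example a tty-group binary) will show up unless that gid is added to `trusted_gids`; review those hits rather than silencing them.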
On 2/10/21 6:05 PM, Levente Polyak via arch-general wrote:
You should thank the whole Security Team, this announcement was a team effort :)
Definitely - thank you all for the efforts you all make in keeping arch secure and still the 'best dang distro' around.
It had a similar but different result in changed ownership. Files that got stripped had the ownership of the builduser, which in case of .. You can find more details about the binutils 2.36.1 behavior in our incident pad [0] ..
Very helpful - thanks for sharing the link too.

gene