[arch-general] strip command of binutils 2.36 changes ownership in fakeroot 1.25.3

Levente Polyak anthraxx at archlinux.org
Wed Feb 10 23:05:25 UTC 2021

On 2/10/21 11:56 PM, Genes Lists via arch-general wrote:
> Thanks for the update Levente.
You should thank the whole Security Team, this announcement was a team
effort :)

> Separately, I also note that you briefly put 2.36.1 in testing but then
> pulled it. AM curious what your thinking was around that version as well
> (seems to be different issues [1])
> thanks.
> gene
> [1] https://sourceware.org/pipermail/binutils/2021-February/115240.html

It had a similar but different result in changed ownership. Files that
got stripped had the ownership of the builduser, which in case of
official packages was uid 1001. This would mean that, on a multi user
system, uid 1001 would have been able to change arbitrary libraries or
binaries on the system leading to privilege boundary violation and
privilege escalation.

You can find more details about the binutils 2.36.1 behavior in our
incident pad [0] (also created and updated by the whole team). This pad
will soon be made more readable and published as incident response writeup.


[0] https://md.archlinux.org/TAiOYgKzQl-1cJxDaQlB_g

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20210211/c12fd435/attachment.sig>

More information about the arch-general mailing list