CVE-2021-20197

Name of the Vulnerable Software and Affected Versions GNU Binutils versions 2.35 and earlier

Description The issue is related to an open race window when writing output in certain utilities, including ar, objcopy, strip, and ranlib. This can be exploited by an unprivileged user to trick these utilities into gaining ownership of arbitrary files through a symlink, potentially allowing privilege escalation. The utilities are vulnerable when run as a privileged user, such as part of a script updating binaries across different users.

Recommendations For GNU Binutils versions 2.35 and earlier, consider restricting the use of the vulnerable utilities (ar, objcopy, strip, and ranlib) when run as a privileged user to minimize the risk of exploitation. Avoid using these utilities in scripts that update binaries across different users until a fix is available. As a temporary workaround, consider disabling the use of symlinks in these utilities until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.