Bug 29615

Summary: binutils new security issue CVE-2021-42574
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Base system maintainers <basesystem>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: mageia, marja11, nicolas.salguero, olelukoie, tmb
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=29616
https://bugs.mageia.org/show_bug.cgi?id=29820
Whiteboard:
Source RPM: binutils-2.37-17.mga9.src.rpm CVE:
Status comment:

Description David Walser 2021-11-01 14:13:29 CET 
RedHat has issued an advisory today (November 1):
https://access.redhat.com/errata/RHSA-2021:4033

Mageia 8 is also affected.
David Walser 2021-11-01 14:18:32 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29616

Comment 1 Marja Van Waes 2021-11-01 17:31:55 CET 
Assigning to the base system maintainers, CC'ing the registered maintainer

Assignee: bugsquad => basesystem
CC: (none) => marja11, tmb

Comment 2 Oleg Bosis 2021-11-02 08:43:43 CET 
Why have you mentioned binutils and rust only? This security problem affects all programming languages. Some other discussions and patches:

GCC: https://gcc.gnu.org/pipermail/gcc-patches/2021-November/583031.html
(implements -Wbidirectional that probably should be enabled by default?)

LLVM/CLANG: https://reviews.llvm.org/D112913
(looks like adding specific check to clang-tydy?)

Python: https://www.mail-archive.com/python-dev@python.org/msg114237.html
(additional PEP?)

CC: (none) => olelukoie

Comment 3 Nicolas Lécureuil 2021-11-02 09:22:32 CET 
yes seems that this CVE touches a lot of packages/Languages

CC: (none) => mageia

Comment 4 David Walser 2021-11-02 10:55:01 CET 
I've only filed bugs for things I was aware of.  Feel free to file bugs on the other affected packages.  Not all bugs have to filed by me.
Comment 5 Nicolas Lécureuil 2021-11-02 11:53:30 CET 
it seems quite difficult to find all.

As David said, don't hesitate to open bugreports ( or add here ) for more infos about this CVE
Comment 6 David Walser 2021-11-02 23:09:32 CET 
Let's keep this bug about binutils, but please feel free to file separate bugs for the other affected packages.
Comment 7 Oleg Bosis 2021-11-04 07:35:36 CET 
(In reply to David Walser from comment #6)
> file separate bugs for the other affected packages.

All programming languages, code editors and IDEs with Unicode's bidi support (i.e. just all) are affected so there is no sense to create separate bug reports.

May be it's better to create a common bug report with a list of obvious well known affected packages and then adding separate reports for non-obvious ones as it's "Blocks"/"Depends on" "children"...
Comment 8 David Walser 2021-11-04 11:41:45 CET 
Ultimately the bug reports are only going to be useful if we can do something with them, i.e. if the software in question actually has a fix available, so we can wait until that happens before filing additional bugs.
Comment 9 David Walser 2021-11-10 15:17:05 CET 
RedHat has issued an advisory for this today (November 10):
https://access.redhat.com/errata/RHSA-2021:4595

Whiteboard: (none) => MGA8TOO

Comment 10 Oleg Bosis 2021-11-10 19:19:04 CET 
RH have common bug report for all affected tools with references for all available advisories and patches (including binutils, GCC & Rust):

https://bugzilla.redhat.com/show_bug.cgi?id=2005819
David Walser 2021-12-27 18:54:00 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29820

Comment 11 Thomas Backlund 2023-06-27 18:19:28 CEST 
fixed in cauldron since binutils 2.38

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 12 Nicolas Salguero 2024-01-12 09:31:55 CET 
Mageia 8 EOL

CC: (none) => nicolas.salguero
Status: NEW => RESOLVED
Resolution: (none) => OLD