CVE-2021-20197 log

Severity Medium
Remote No
Type Arbitrary filesystem access
There is an open race window when the following GNU binutils utilities write their output: ar, objcopy, strip and ranlib. When one of these utilities is run as a privileged user (presumably as part of a script updating binaries across different users), an unprivileged user can trick it, through a symlink, into handing over ownership of arbitrary files. The issue was fixed in binutils 2.36, but the fix was subsequently partly reverted in 2.36.1 because it caused problems with the file archiver ar. The full fix is queued for inclusion in 2.36.2.
Group     Package   Affected   Fixed   Severity   Status       Ticket
AVG-1540  binutils  2.36.1-3   -       Medium     Vulnerable   -
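The class of bug described above is a time-of-check/time-of-use race between writing an output file and changing its ownership by path name. The following is an added illustration of the standard defensive pattern, written for this page and not taken from binutils or from the 2.36 fix: create the output under a fresh name with O_CREAT|O_EXCL, apply ownership and mode through the open descriptor (fchown/fchmod) instead of through the path, and rename the finished file over the destination. The function names, the scratch directory under /tmp and the "victim" file in the self-check are constructed for the example.

```c
/* Added example (not binutils' own code): symlink-safe output writing for
 * a tool that may run privileged. Ownership is set on the descriptor, never
 * on the path, and the final rename replaces a planted symlink instead of
 * following it. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Write len bytes of data to dest, leaving it owned by uid:gid with mode.
 * Returns 0 on success, -1 on failure with errno set. */
int safe_write_owned(const char *dest, const void *data, size_t len,
                     uid_t uid, gid_t gid, mode_t mode)
{
    char tmp[PATH_MAX];
    int fd = -1, saved;

    /* temp file in the same directory, so the final rename stays atomic */
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", dest) >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* mkstemp opens with O_CREAT|O_EXCL: an existing file or symlink at the
     * chosen name makes it fail rather than being followed */
    if ((fd = mkstemp(tmp)) < 0)
        return -1;

    for (const char *p = data; len > 0; ) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            goto fail;
        }
        p += n;
        len -= (size_t)n;
    }
    /* ownership and permissions go to the descriptor we hold: no path
     * lookup happens, so nothing placed at the path can be affected */
    if (fchown(fd, uid, gid) < 0 || fchmod(fd, mode) < 0 || fsync(fd) < 0)
        goto fail;
    if (close(fd) < 0) { fd = -1; goto fail; }
    fd = -1;
    /* rename replaces whatever sits at dest (symlink included) unfollowed */
    if (rename(tmp, dest) < 0)
        goto fail;
    return 0;

fail:
    saved = errno;
    if (fd >= 0) close(fd);
    unlink(tmp);
    errno = saved;
    return -1;
}

/* Self-check in a constructed scratch directory: plant a symlink at the
 * output path pointing at a "victim" file, write through safe_write_owned,
 * then verify the victim is untouched and the output path is a regular file
 * holding our data. Returns 1 if the mitigation held, 0 otherwise. */
int demo_symlink_not_followed(void)
{
    char dir[] = "/tmp/avg1540-demo.XXXXXX";   /* constructed scratch dir */
    char victim[PATH_MAX], out[PATH_MAX], buf[64];
    const char msg[] = "new archive contents\n";
    struct stat st;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/output", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "victim", 6) != 6 || close(fd) < 0)
        goto done;
    if (symlink(victim, out) < 0)               /* link at the output path */
        goto done;
    if (safe_write_owned(out, msg, sizeof msg - 1, getuid(), getgid(), 0644) < 0)
        goto done;

    /* victim must still hold its 6 bytes; output must be a regular file
     * (lstat, so a surviving symlink is detected) owned by us with our data */
    if (stat(victim, &st) < 0 || st.st_size != 6)
        goto done;
    if (lstat(out, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid())
        goto done;
    if ((fd = open(out, O_RDONLY)) < 0)
        goto done;
    ok = read(fd, buf, sizeof buf) == (ssize_t)(sizeof msg - 1)
         && memcmp(buf, msg, sizeof msg - 1) == 0;
    close(fd);
done:
    unlink(out);
    unlink(victim);
    rmdir(dir);
    return ok;
}
```

Running demo_symlink_not_followed() as an unprivileged user is enough to see the pattern hold, since fchown to one's own uid/gid always succeeds; a privileged caller would pass the target uid/gid instead. The important property is that every ownership or permission change is made on a descriptor obtained from an O_EXCL create, so the window between "check the path" and "chown the path" that the advisory describes does not exist.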