binutils (SL7)

Synopsis: Moderate: binutils security update
Advisory ID: SLSA-2021:4033-1
Issue Date: 2021-11-02
CVE Numbers: CVE-2021-42574

Security Fix(es):

* Developer environment: Unicode’s bidirectional (BiDi) override
characters can cause trojan source attacks (CVE-2021-42574)

The following changes were introduced in binutils in order to facilitate
detection of BiDi Unicode characters:

Tools which display names or strings (readelf, strings, nm, objdump) have
a new command line option –unicode / -U which controls how Unicode
characters are handled.

Using “–unicode=default” will treat them as normal for the tool. This is
the default behaviour when –unicode option is not used. Using “–
unicode=locale” will display them according to the current locale. Using
“–unicode=hex” will display them as hex byte values. Using “–
unicode=escape” will display them as Unicode escape sequences. Using “–
unicode=highlight” will display them as Unicode escape sequences
highlighted in red, if supported by the output device.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE

– binutils-2.27-44.base.el7_9.1.x86_64.rpm
– binutils-debuginfo-2.27-44.base.el7_9.1.i686.rpm
– binutils-debuginfo-2.27-44.base.el7_9.1.x86_64.rpm
– binutils-devel-2.27-44.base.el7_9.1.i686.rpm
– binutils-devel-2.27-44.base.el7_9.1.x86_64.rpm

– Scientific Linux Development Team