Bug 15917 - parallel new symlink attack issue fixed upstream in 20150522
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/644045/
Whiteboard: has_procedure advisory MGA4-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-05-12 19:17 CEST by David Walser
Modified: 2022-04-21 21:21 CEST

See Also:
Source RPM: parallel-20130722-2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-05-12 19:17:02 CEST
OpenSuSE has issued an advisory today (May 12):
http://lists.opensuse.org/opensuse-updates/2015-05/msg00012.html

Shlomi already fixed this in Cauldron on April 23.

According to the upstream announcement of the security issue posted by Shlomi:
http://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html

the symlink is created in $TMPDIR, which would be protected by the protected_symlinks feature in the kernel, and this would not be a security issue.

Assigning to Shlomi for consideration of whether you want to issue an update for Mageia 4.  Feel free to mark WONTFIX if not.

Reproducible: 

Steps to Reproduce:
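
The description's argument rests on two conditions: fs.protected_symlinks is enabled, and $TMPDIR is a sticky, world-writable directory, which is the only kind the kernel restriction covers. The following check is an added example, not code from this bug report or from GNU parallel; the function name is hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not GNU parallel or Mageia code); the function name is hypothetical.
# tmpdir_symlink_exposure DIR [SYSCTL_FILE] prints one word:
#   private   - DIR is not world-writable, so arbitrary users cannot create links in it
#   protected - DIR is sticky and world-writable, and fs.protected_symlinks is 1
#   exposed   - DIR is world-writable and the kernel restriction does not apply
#   unknown   - DIR is missing or cannot be inspected
tmpdir_symlink_exposure() {
    dir=$1
    sysctl_file=${2:-/proc/sys/fs/protected_symlinks}

    [ -d "$dir" ] || { echo unknown; return 0; }
    # GNU stat: %a prints the permission bits in octal, e.g. 1777 for /tmp.
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || { echo unknown; return 0; }
    bits=$((0$mode))

    # No write bit for "other": the directory is not a shared drop point.
    if [ $((bits & 0002)) -eq 0 ]; then
        echo private
        return 0
    fi

    # The kernel only restricts symlink following in directories that are
    # both sticky (01000) and world-writable (0002).
    if [ $((bits & 01000)) -eq 0 ]; then
        echo exposed
        return 0
    fi

    # A missing file (older kernel) or any value other than 1 means no restriction.
    if [ -r "$sysctl_file" ] && [ "$(cat "$sysctl_file")" = "1" ]; then
        echo protected
    else
        echo exposed
    fi
}

# Report on the directory a program honouring $TMPDIR would use.
tmpdir_symlink_exposure "${TMPDIR:-/tmp}"
```

A result of "exposed" means the reasoning in the description does not hold for that system or that $TMPDIR setting, and the fixed package is what closes the issue.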
Comment 1 Shlomi Fish 2015-05-13 14:14:26 CEST
(In reply to David Walser from comment #0)
> OpenSuSE has issued an advisory today (May 12):
> http://lists.opensuse.org/opensuse-updates/2015-05/msg00012.html
> 
> Shlomi already fixed this in Cauldron on April 23.
> 
> According to the upstream announcement of the security issue posted by
> Shlomi:
> http://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html
> 
> the symlink is created in $TMPDIR, which would be protected by the
> protected_symlinks feature in the kernel, and this would not be a security
> issue.
> 
> Assigning to Shlomi for consideration of whether you want to issue an update
> for Mageia 4.  Feel free to mark WONTFIX if not.
> 

Can I upgrade the version of parallel in Mageia 4 to the new version, or should there be a patch?

Comment 2 David Walser 2015-05-13 14:19:03 CEST
(In reply to Shlomi Fish from comment #1)
> Can I upgrade the version of parallel in Mageia 4 to the new version, or
> should there be a patch?

OpenSuSE also updated it, I assume it's safe to do so.  Also, that'd probably be the only real reason to issue an update.
Comment 3 Shlomi Fish 2015-05-13 16:26:02 CEST
Submitted to Mageia 4 core/updates_testing. Assigning to QA.

Assignee: shlomif => qa-bugs

Comment 4 David Walser 2015-05-13 16:34:27 CEST
Thanks.  Not sure why you used 0.1 as the release tag though (should be 1).

Suggested advisory:
----------------------------------------

The GNU parallel package has been updated to version 20150422, which contains
a number of bug fixes, improvements and new features.

It also fixes a symlink attack issue which should not be exploitable on Mageia
as it is prevented by the kernel's protected_symlinks feature.

References:
http://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html
http://lists.gnu.org/archive/html/parallel/2015-04/msg00046.html
http://lists.opensuse.org/opensuse-updates/2015-05/msg00012.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
parallel-20150422-0.1.mga4

from parallel-20150422-0.1.mga4.src.rpm
Comment 5 claire robinson 2015-05-13 18:45:55 CEST
Testing complete mga4 64

Executes commands in parallel. Some examples in the man page.
Testing simply to give 'file' output on the current directory.

# ls | parallel file
202d4eac55a158965f90468b35d0d9e1.png: PNG image data, 75 x 35, 8-bit colormap, non-interlaced
7adb03011a3636765f228afaaac03134.png: PNG image data, 75 x 35, 8-bit colormap, non-interlaced
codes.lock: empty
depcheck: Bourne-Again shell script, ASCII text executable
codes.txt: ASCII text
drakx/: directory
tmp/: directory
wget-1.14-4.2.mga4.i586.rpm: RPM v3.0 bin i386/x86_64
dead.letter: ASCII text
strace.out: ASCII text, with very long lines
wget-1.14-4.2.mga4.x86_64.rpm: RPM v3.0 bin

Whiteboard: (none) => has_procedure mga4-64-ok

Comment 6 claire robinson 2015-05-13 18:48:27 CEST
Sorry, I hadn't updated it.

The new version changes behaviour.

# ls | parallel file
Academic tradition requires you to cite works you base your article on.
When using programs that use GNU Parallel to process data for publication
please cite:

  O. Tange (2011): GNU Parallel - The Command-Line Power Tool,
  ;login: The USENIX Magazine, February 2011:42-47.

This helps funding further development; and it won't cost you a cent.
If you pay 10000 EUR you should feel free to use GNU Parallel without citing.

To silence the citation notice: run 'parallel --bibtex'.

202d4eac55a158965f90468b35d0d9e1.png: PNG image data, 75 x 35, 8-bit colormap, non-interlaced
7adb03011a3636765f228afaaac03134.png: PNG image data, 75 x 35, 8-bit colormap, non-interlaced
codes.lock: empty
codes.txt: ASCII text
depcheck: Bourne-Again shell script, ASCII text executable
drakx/: directory
tmp/: directory
wget-1.14-4.2.mga4.i586.rpm: RPM v3.0 bin i386/x86_64
wget-1.14-4.2.mga4.x86_64.rpm: RPM v3.0 bin
strace.out: ASCII text, with very long lines
dead.letter: ASCII text

Whiteboard: has_procedure mga4-64-ok => has_procedure feedback

Comment 7 claire robinson 2015-05-13 18:52:46 CEST
When run with --bibtex it then scrolls endlessly in "goto 10" fashion asking you to type "will cite", which you cannot do as it's scrolling way too quickly.

Type: 'will cite' and press enter.
> 
Type: 'will cite' and press enter.
> 

...etc

Type: 'will cite' and press enter.
> 
Type: 'will cite' and press enter.
> 
Type: 'will cite' and press enter.
^C
Comment 8 claire robinson 2015-05-13 18:54:08 CEST
# parallel --help
Usage:

parallel [options] [command [arguments]] < list_of_arguments
parallel [options] [command [arguments]] (::: arguments|:::: argfile(s))...
cat ... | parallel --pipe [options] [command [arguments]]

-j n            Run n jobs in parallel
-k              Keep same order
-X              Multiple arguments with context replace
--colsep regexp Split input on regexp for positional replacements
{} {.} {/} {/.} {#} {%} {= perl code =} Replacement strings
{3} {3.} {3/} {3/.} {=3 perl code =}    Positional replacement strings
With --plus:    {} = {+/}/{/} = {.}.{+.} = {+/}/{/.}.{+.} = {..}.{+..} =
                {+/}/{/..}.{+..} = {...}.{+...} = {+/}/{/...}.{+...}

-S sshlogin     Example: foo@server.example.com
--slf ..        Use ~/.parallel/sshloginfile as the list of sshlogins
--trc {}.bar    Shorthand for --transfer --return {}.bar --cleanup
--onall         Run the given command with argument on all sshlogins
--nonall        Run the given command with no arguments on all sshlogins

--pipe          Split stdin (standard input) to multiple jobs.
--recend str    Record end separator for --pipe.
--recstart str  Record start separator for --pipe.

See 'man parallel' for details

Academic tradition requires you to cite works you base your article on.
When using programs that use GNU Parallel to process data for publication
please cite:

  O. Tange (2011): GNU Parallel - The Command-Line Power Tool,
  ;login: The USENIX Magazine, February 2011:42-47.

This helps funding further development; and it won't cost you a cent.
If you pay 10000 EUR you should feel free to use GNU Parallel without citing.
Comment 9 claire robinson 2015-05-13 19:06:34 CEST
The scrolling was due to the piping from ls.

When run alone as 'parallel --bibtex' it shows..

# parallel --bibtex
Academic tradition requires you to cite works you base your article on.
When using programs that use GNU Parallel to process data for publication
please cite:

@article{Tange2011a,
 title = {GNU Parallel - The Command-Line Power Tool},
 author = {O. Tange},
 address = {Frederiksberg, Denmark},
 journal = {;login: The USENIX Magazine},
 month = {Feb},
 number = {1},
 volume = {36},
 url = {http://www.gnu.org/s/parallel},
 year = {2011},
 pages = {42-47}
 doi = {10.5281/zenodo.16303}
}

(Feel free to use \nocite{Tange2011a})

This helps funding further development; and it won't cost you a cent.
If you pay 10000 EUR you should feel free to use GNU Parallel without citing.

If you send a copy of your published article to tange@gnu.org, it will be
mentioned in the release notes of next version of GNU Parallel.


Type: 'will cite' and press enter.
> will cite

Thank you for your support. It is much appreciated. The citation
notice is now silenced. You may also use '--will-cite'.
If you use '--will-cite' in scripts you are expected to pay
the 10000 EUR, because you are making it harder to see the
citation notice.
Comment 11 claire robinson 2015-05-13 19:21:00 CEST
And..

http://lists.gnu.org/archive/html/parallel/2013-11/msg00010.html

from somebody called "Shlomi Fish" *shrug*
claire robinson 2015-05-13 19:22:02 CEST

CC: (none) => shlomif

Comment 12 David Walser 2015-05-26 03:06:37 CEST
The release announcement for 20150422 noted that it only fixed the issue for certain, but not all, cases.  20150522 has now been released, as noted by Shlomi on the dev list, fixing the rest of the cases:
http://lists.gnu.org/archive/html/parallel/2015-05/msg00024.html

If we update this, we should use that version.

Summary: parallel new symlink attack issue fixed upstream in 20150422 => parallel new symlink attack issue fixed upstream in 20150522

Comment 13 David Walser 2015-05-26 03:07:39 CEST
Also, Mageia 5 shipped with 20150422, so if we update this, it will be needed there as well.  I suppose we may actually decide that it's only worth updating the Mageia 5 package.

Whiteboard: has_procedure feedback => has_procedure feedback MGA5TOO MGA4TOO
Version: 4 => Cauldron

Comment 14 David Walser 2015-05-26 03:08:08 CEST
Assigning back to the maintainer for now.

CC: shlomif => qa-bugs
Assignee: qa-bugs => shlomif

Comment 15 David Walser 2015-05-26 14:47:29 CEST
parallel-20150522-1.mga5 uploaded for Cauldron.

Version: Cauldron => 4
Whiteboard: has_procedure feedback MGA5TOO MGA4TOO => has_procedure feedback

Comment 16 Shlomi Fish 2015-05-29 09:33:45 CEST
parallel-20150522 was uploaded to 4/updates_testing. Assigning to QA for testing. Please test.

Assignee: shlomif => qa-bugs

David Walser 2015-05-29 14:43:37 CEST

CC: qa-bugs => shlomif

Comment 17 David Walser 2015-06-01 23:42:23 CEST
OpenSuSE has issued an advisory for this on May 29:
http://lists.opensuse.org/opensuse-updates/2015-05/msg00090.html

Suggested advisory:
----------------------------------------

The GNU parallel package has been updated to version 20150422, which contains
a number of bug fixes, improvements and new features.

It also fixes a symlink attack issue which should not be exploitable on Mageia
as it is prevented by the kernel's protected_symlinks feature.

References:
http://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html
http://lists.gnu.org/archive/html/parallel/2015-04/msg00046.html
http://lists.gnu.org/archive/html/parallel/2015-05/msg00024.html
http://lists.opensuse.org/opensuse-updates/2015-05/msg00012.html
http://lists.opensuse.org/opensuse-updates/2015-05/msg00090.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
parallel-20150522-0.1.mga4

from parallel-20150522-0.1.mga4.src.rpm

Whiteboard: has_procedure feedback => has_procedure

Comment 18 Herman Viaene 2015-06-08 14:12:26 CEST
MGA4-32 on AcerD620 Xfce.
No installation issues.
First issued 
> parallel --bibtex
to get rid of the citation output
then
> ls | parallel file
shows the contents of my home dir OK.

Whiteboard: has_procedure => has_procedure MGA4-32-OK
CC: (none) => herman.viaene

Comment 19 Herman Viaene 2015-06-08 14:16:09 CEST
MGA4-64 on HP-Probook 6555b KDE.
No installation issues.
First issued 
> parallel --bibtex
to get rid of the citation output
then
> ls | parallel file
shows the contents of my home dir OK.

Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 20 claire robinson 2015-06-08 21:19:55 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 21 Mageia Robot 2015-06-08 23:45:48 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2015-0055.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 22 David Walser 2016-04-25 19:05:29 CEST
LWN reference for the additional fixes in 20150522:
http://lwn.net/Vulnerabilities/685005/