OpenSuSE has issued an advisory today (May 12):
http://lists.opensuse.org/opensuse-updates/2015-05/msg00012.html

Shlomi already fixed this in Cauldron on April 23.

According to the upstream announcement of the security issue posted by Shlomi:
http://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html

the symlink is created in $TMPDIR, which would be protected by the protected_symlinks feature in the kernel, and this would not be a security issue.

Assigning to Shlomi for consideration of whether you want to issue an update for Mageia 4. Feel free to mark WONTFIX if not.
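Added example, not part of the bug report or of GNU parallel: a shell model of the rule the kernel applies when fs.protected_symlinks is enabled, which is what the comment above relies on. The function names and the uids 1001 (plants the link) and 1000 (runs the program that opens it) are constructed for illustration.

```shell
#!/bin/sh
# Model of the kernel's fs.protected_symlinks follow rule.
# Args: protected(0|1) dir_mode(octal, e.g. 1777) dir_uid link_uid follower_uid
# Returns 0 if the link would be followed, 1 if the kernel would refuse it.
symlink_follow_allowed() {
    protected=$1; dir_mode=$2; dir_uid=$3; link_uid=$4; follower_uid=$5
    # Feature switched off: every symlink is followed.
    if [ "$protected" -eq 0 ]; then return 0; fi
    # The process following the link owns it.
    if [ "$follower_uid" -eq "$link_uid" ]; then return 0; fi
    # The restriction only applies in sticky AND world-writable directories
    # (01000 = sticky bit, 0002 = write permission for others).
    if [ $(( 0$dir_mode & 01002 )) -ne $(( 01002 )) ]; then return 0; fi
    # The directory owner created the link.
    if [ "$dir_uid" -eq "$link_uid" ]; then return 0; fi
    return 1
}

# Apply the rule to this host's temp directory for two constructed uids:
# "planter" creates a link there, "opener" runs the program that opens it.
tmpdir_verdict() {
    planter=$1; opener=$2; dir=${TMPDIR:-/tmp}
    prot=$(cat /proc/sys/fs/protected_symlinks 2>/dev/null) || prot=0
    mode=$(stat -c %a "$dir" 2>/dev/null) || { echo "cannot stat $dir"; return 0; }
    owner=$(stat -c %u "$dir")
    if symlink_follow_allowed "$prot" "$mode" "$owner" "$planter" "$opener"; then
        echo "$dir (mode $mode, protected_symlinks=$prot): link would be followed"
    else
        echo "$dir (mode $mode, protected_symlinks=$prot): link refused by the kernel"
    fi
}

tmpdir_verdict 1001 1000   # constructed uids, see above
```

The protection only covers the case modelled here: with the sysctl set to 0, or with $TMPDIR pointing at a directory that is not both sticky and world-writable, the kernel check does not apply and the fixed package is the only mitigation.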
(In reply to David Walser from comment #0)
> OpenSuSE has issued an advisory today (May 12):
> http://lists.opensuse.org/opensuse-updates/2015-05/msg00012.html
>
> Shlomi already fixed this in Cauldron on April 23.
>
> According to the upstream announcement of the security issue posted by
> Shlomi:
> http://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html
>
> the symlink is created in $TMPDIR, which would be protected by the
> protected_symlinks feature in the kernel, and this would not be a security
> issue.
>
> Assigning to Shlomi for consideration of whether you want to issue an update
> for Mageia 4. Feel free to mark WONTFIX if not.
>

Can I upgrade the version of parallel in Mageia 4 to the new version, or should there be a patch?

> Reproducible:
>
> Steps to Reproduce:
(In reply to Shlomi Fish from comment #1)
> Can I upgrade the version of parallel in Mageia 4 to the new version, or
> should there be a patch?

OpenSuSE also updated it, I assume it's safe to do so. Also, that'd probably be the only real reason to issue an update.
Submitted to Mageia 4 core/updates_testing. Assigning to QA.
Assignee: shlomif => qa-bugs
Thanks. Not sure why you used 0.1 as the release tag though (should be 1).

Suggested advisory:
----------------------------------------

The GNU parallel package has been updated to version 20150422, which contains a number of bug fixes, improvements and new features. It also fixes a symlink attack issue which should not be exploitable on Mageia as it is prevented by the kernel's protected_symlinks feature.

References:
http://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html
http://lists.gnu.org/archive/html/parallel/2015-04/msg00046.html
http://lists.opensuse.org/opensuse-updates/2015-05/msg00012.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
parallel-20150422-0.1.mga4

from parallel-20150422-0.1.mga4.src.rpm
Testing complete mga4 64

Executes commands in parallel. Some examples in the man page.

Testing simply to give 'file' output on the current directory.

# ls | parallel file
202d4eac55a158965f90468b35d0d9e1.png: PNG image data, 75 x 35, 8-bit colormap, non-interlaced
7adb03011a3636765f228afaaac03134.png: PNG image data, 75 x 35, 8-bit colormap, non-interlaced
codes.lock: empty
depcheck: Bourne-Again shell script, ASCII text executable
codes.txt: ASCII text
drakx/: directory
tmp/: directory
wget-1.14-4.2.mga4.i586.rpm: RPM v3.0 bin i386/x86_64
dead.letter: ASCII text
strace.out: ASCII text, with very long lines
wget-1.14-4.2.mga4.x86_64.rpm: RPM v3.0 bin
Whiteboard: (none) => has_procedure mga4-64-ok
Sorry, I hadn't updated it. The new version changes behaviour.

# ls | parallel file
Academic tradition requires you to cite works you base your article on.
When using programs that use GNU Parallel to process data for publication please cite:

O. Tange (2011): GNU Parallel - The Command-Line Power Tool,
;login: The USENIX Magazine, February 2011:42-47.

This helps funding further development; and it won't cost you a cent.
If you pay 10000 EUR you should feel free to use GNU Parallel without citing.

To silence the citation notice: run 'parallel --bibtex'.

202d4eac55a158965f90468b35d0d9e1.png: PNG image data, 75 x 35, 8-bit colormap, non-interlaced
7adb03011a3636765f228afaaac03134.png: PNG image data, 75 x 35, 8-bit colormap, non-interlaced
codes.lock: empty
codes.txt: ASCII text
depcheck: Bourne-Again shell script, ASCII text executable
drakx/: directory
tmp/: directory
wget-1.14-4.2.mga4.i586.rpm: RPM v3.0 bin i386/x86_64
wget-1.14-4.2.mga4.x86_64.rpm: RPM v3.0 bin
strace.out: ASCII text, with very long lines
dead.letter: ASCII text
Whiteboard: has_procedure mga4-64-ok => has_procedure feedback
When run with --bibtex it then scrolls endlessly in "goto 10" fashion asking you to type "will cite", which you cannot do as it's scrolling way too quickly.

Type: 'will cite' and press enter.
> Type: 'will cite' and press enter.
> ...etc
Type: 'will cite' and press enter.
> Type: 'will cite' and press enter.
> Type: 'will cite' and press enter.
^C
# parallel --help
Usage:
parallel [options] [command [arguments]] < list_of_arguments
parallel [options] [command [arguments]] (::: arguments|:::: argfile(s))...
cat ... | parallel --pipe [options] [command [arguments]]

-j n             Run n jobs in parallel
-k               Keep same order
-X               Multiple arguments with context replace
--colsep regexp  Split input on regexp for positional replacements
{} {.} {/} {/.} {#} {%} {= perl code =}  Replacement strings
{3} {3.} {3/} {3/.} {=3 perl code =}     Positional replacement strings
With --plus:     {} = {+/}/{/} = {.}.{+.} = {+/}/{/.}.{+.} = {..}.{+..} =
                 {+/}/{/..}.{+..} = {...}.{+...} = {+/}/{/...}.{+...}

-S sshlogin      Example: foo@server.example.com
--slf ..         Use ~/.parallel/sshloginfile as the list of sshlogins
--trc {}.bar     Shorthand for --transfer --return {}.bar --cleanup
--onall          Run the given command with argument on all sshlogins
--nonall         Run the given command with no arguments on all sshlogins

--pipe           Split stdin (standard input) to multiple jobs.
--recend str     Record end separator for --pipe.
--recstart str   Record start separator for --pipe.

See 'man parallel' for details

Academic tradition requires you to cite works you base your article on.
When using programs that use GNU Parallel to process data for publication please cite:

O. Tange (2011): GNU Parallel - The Command-Line Power Tool,
;login: The USENIX Magazine, February 2011:42-47.

This helps funding further development; and it won't cost you a cent.
If you pay 10000 EUR you should feel free to use GNU Parallel without citing.
The scrolling was due to the piping from ls. When run alone as 'parallel --bibtex' it shows..

# parallel --bibtex
Academic tradition requires you to cite works you base your article on.
When using programs that use GNU Parallel to process data for publication please cite:

@article{Tange2011a,
title = {GNU Parallel - The Command-Line Power Tool},
author = {O. Tange},
address = {Frederiksberg, Denmark},
journal = {;login: The USENIX Magazine},
month = {Feb},
number = {1},
volume = {36},
url = {http://www.gnu.org/s/parallel},
year = {2011},
pages = {42-47}
doi = {10.5281/zenodo.16303}
}

(Feel free to use \nocite{Tange2011a})

This helps funding further development; and it won't cost you a cent.
If you pay 10000 EUR you should feel free to use GNU Parallel without citing.

If you send a copy of your published article to tange@gnu.org, it will be
mentioned in the release notes of next version of GNU Parallel.

Type: 'will cite' and press enter.
> will cite

Thank you for your support. It is much appreciated. The citation
notice is now silenced.

You may also use '--will-cite'.
If you use '--will-cite' in scripts you are expected to pay the 10000 EUR, because
you are making it harder to see the citation notice.
http://lists.gnu.org/archive/html/parallel/2013-11/msg00006.html
And.. http://lists.gnu.org/archive/html/parallel/2013-11/msg00010.html from somebody called "Shlomi Fish" *shrug*
CC: (none) => shlomif
The release announcement for 20150422 noted that it only fixed the issue for certain, but not all, cases. 20150522 has now been released, as noted by Shlomi on the dev list, fixing the rest of the cases: http://lists.gnu.org/archive/html/parallel/2015-05/msg00024.html If we update this, we should use that version.
Summary: parallel new symlink attack issue fixed upstream in 20150422 => parallel new symlink attack issue fixed upstream in 20150522
Also, Mageia 5 shipped with 20150422, so if we update this, it will be needed there as well. I suppose we may actually decide that it's only worth updating the Mageia 5 package.
Whiteboard: has_procedure feedback => has_procedure feedback MGA5TOO MGA4TOO
Version: 4 => Cauldron
Assigning back to the maintainer for now.
CC: shlomif => qa-bugs
Assignee: qa-bugs => shlomif
parallel-20150522-1.mga5 uploaded for Cauldron.
Version: Cauldron => 4
Whiteboard: has_procedure feedback MGA5TOO MGA4TOO => has_procedure feedback
parallel-20150522 was uploaded to 4/updates_testing. Assigning to QA for testing. Please test.
CC: qa-bugs => shlomif
OpenSuSE has issued an advisory for this on May 29:
http://lists.opensuse.org/opensuse-updates/2015-05/msg00090.html

Suggested advisory:
----------------------------------------

The GNU parallel package has been updated to version 20150422, which contains a number of bug fixes, improvements and new features. It also fixes a symlink attack issue which should not be exploitable on Mageia as it is prevented by the kernel's protected_symlinks feature.

References:
http://lists.gnu.org/archive/html/parallel/2015-04/msg00045.html
http://lists.gnu.org/archive/html/parallel/2015-04/msg00046.html
http://lists.gnu.org/archive/html/parallel/2015-05/msg00024.html
http://lists.opensuse.org/opensuse-updates/2015-05/msg00012.html
http://lists.opensuse.org/opensuse-updates/2015-05/msg00090.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
parallel-20150522-0.1.mga4

from parallel-20150522-0.1.mga4.src.rpm
Whiteboard: has_procedure feedback => has_procedure
MGA4-32 on AcerD620 Xfce.
No installation issues.
First issued
> parallel --bibtex
to get rid of the citation output, then
> ls | parallel file
shows the contents of my home dir OK.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
CC: (none) => herman.viaene
MGA4-64 on HP-Probook 6555b KDE.
No installation issues.
First issued
> parallel --bibtex
to get rid of the citation output, then
> ls | parallel file
shows the contents of my home dir OK.
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded.

Please push to 4 updates.

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGAA-2015-0055.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
LWN reference for the additional fixes in 20150522: http://lwn.net/Vulnerabilities/685005/