
Debian Bug report logs - #787954
parallel: CVE-2015-4155 CVE-2015-4156


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 6 Jun 2015 20:33:01 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in version parallel/20120422-1

Fixed in version parallel/20161222-1

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rogério Brito <rbrito@ime.usp.br>:
Bug#787954; Package src:parallel. (Sat, 06 Jun 2015 20:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rogério Brito <rbrito@ime.usp.br>. (Sat, 06 Jun 2015 20:33:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: parallel: CVE-2015-4155 CVE-2015-4156
Date: Sat, 06 Jun 2015 22:28:33 +0200
Source: parallel
Version: 20120422-1
Severity: normal
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for parallel.

CVE-2015-4155[0]:
| GNU Parallel before 20150422, when using (1) --pipe, (2) --tmux, (3)
| --cat, (4) --fifo, or (5) --compress, allows local users to write to
| arbitrary files via a symlink attack on a temporary file.

CVE-2015-4156[1]:
| GNU Parallel before 20150522 (Nepal), when using (1) --cat or (2)
| --fifo with --sshlogin, allows local users to write to arbitrary files
| via a symlink attack on a temporary file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-4155
[1] https://security-tracker.debian.org/tracker/CVE-2015-4156

Regards,
Salvatore
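The two CVE texts above name one bug class: a temporary file created at a predictable path and opened in a way that follows a symlink another local user has planted there, so the write lands on a file of that user's choosing. The following is an added example, not code from GNU Parallel or from this bug report, that shows the vulnerable open pattern beside two hardened forms (a fixed path opened with O_EXCL|O_NOFOLLOW and mode 0600, and mkstemp with an unpredictable name) and exercises all three against a planted symlink inside a private scratch directory. The file names, the victim file and the planted link are constructed for the demonstration; nothing here reflects how GNU Parallel itself names or opens its temporary files.

```python
import errno
import os
import stat
import tempfile

# Added example, not GNU Parallel's code. It reproduces the temporary-file pattern
# named in the CVE texts (a predictable path opened so that a pre-planted symlink is
# followed) beside the hardened forms, entirely inside a private scratch directory.


def write_tmp_unsafe(path: str, data: bytes) -> str:
    """Vulnerable pattern: predictable name, opened with O_CREAT|O_TRUNC and neither
    O_EXCL nor O_NOFOLLOW. If another local user already placed a symlink at `path`,
    the kernel follows it and the write lands on the symlink's target."""
    with open(path, "wb") as f:
        f.write(data)
    return path


def write_tmp_safe(path: str, data: bytes) -> str:
    """Hardened form for a fixed path: O_EXCL refuses any pre-existing name (regular
    file or symlink, dangling or not), O_NOFOLLOW refuses a symlink even if one appears
    in the race window, and mode 0600 keeps other users out of the file. Raises OSError
    (EEXIST or ELOOP) instead of writing through a planted link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def write_tmp_mkstemp(directory: str, data: bytes) -> str:
    """Preferred form: mkstemp picks an unpredictable name, opens it with O_EXCL and
    mode 0600, so there is no fixed path for anyone to pre-plant in the first place."""
    fd, path = tempfile.mkstemp(prefix="parallel-", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def run_demo() -> dict:
    """Exercise all three writers against a planted symlink in a fresh scratch
    directory and report what happened to the victim file (constructed scenario)."""
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "victim.txt")
        with open(victim, "wb") as f:
            f.write(b"original contents")
        # Constructed: the predictable temp name with a symlink already sitting on it.
        planted = os.path.join(workdir, "parallel-predictable.tmp")
        os.symlink(victim, planted)

        # Hardened fixed-path writer: must refuse, victim must be untouched.
        safe_refused = False
        try:
            write_tmp_safe(planted, b"temp data")
        except OSError as e:
            safe_refused = e.errno in (errno.EEXIST, errno.ELOOP)
        with open(victim, "rb") as f:
            victim_intact_after_safe = f.read() == b"original contents"

        # Vulnerable writer: follows the link and overwrites the victim.
        write_tmp_unsafe(planted, b"temp data")
        with open(victim, "rb") as f:
            victim_clobbered_after_unsafe = f.read() == b"temp data"

        # mkstemp writer: a fresh regular file, 0600, name not the planted one.
        fresh = write_tmp_mkstemp(workdir, b"temp data")
        st = os.lstat(fresh)
        return {
            "safe_refused": safe_refused,
            "victim_intact_after_safe": victim_intact_after_safe,
            "victim_clobbered_after_unsafe": victim_clobbered_after_unsafe,
            "mkstemp_is_regular_file": stat.S_ISREG(st.st_mode),
            "mkstemp_mode_is_0600": stat.S_IMODE(st.st_mode) == 0o600,
            "mkstemp_name_unpredictable": os.path.basename(fresh) != "parallel-predictable.tmp",
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check that matters when reviewing a fix for this class is the open flags, not the file name alone: an unpredictable name narrows the window but O_EXCL (and O_NOFOLLOW where available) is what makes a planted symlink fail closed, and writing through the returned descriptor rather than reopening the path keeps the guarantee for the rest of the file's life.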



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#787954; Package src:parallel. (Mon, 08 Jun 2015 03:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Rogério Brito <rbrito@ime.usp.br>:
Extra info received and forwarded to list. (Mon, 08 Jun 2015 03:48:03 GMT) (full text, mbox, link).


Message #10 received at 787954@bugs.debian.org (full text, mbox, reply):

From: Rogério Brito <rbrito@ime.usp.br>
To: Salvatore Bonaccorso <carnil@debian.org>, 787954@bugs.debian.org
Subject: Re: Bug#787954: parallel: CVE-2015-4155 CVE-2015-4156
Date: Mon, 8 Jun 2015 00:44:58 -0300
Dear Salvatore,

On Jun 06 2015, Salvatore Bonaccorso wrote:
> Source: parallel
> Version: 20120422-1
> Severity: normal
> Tags: security upstream fixed-upstream
(...)

Thanks for the report.

How should I proceed to fix the non-sid versions of the package?

Fixing it in unstable is simple enough that I can essentially just upload a
new version, but how should coordination with the other releases go, since I
saw that the bug affects both stable and oldstable.


Thanks for the pointers once again,

-- 
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFCAAAA
http://cynic.cc/blog/ : github.com/rbrito : profiles.google.com/rbrito
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br



Information forwarded to debian-bugs-dist@lists.debian.org, Rogério Brito <rbrito@ime.usp.br>:
Bug#787954; Package src:parallel. (Mon, 08 Jun 2015 04:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Rogério Brito <rbrito@ime.usp.br>. (Mon, 08 Jun 2015 04:30:03 GMT) (full text, mbox, link).


Message #15 received at 787954@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Rogério Brito <rbrito@ime.usp.br>
Cc: 787954@bugs.debian.org
Subject: Re: Bug#787954: parallel: CVE-2015-4155 CVE-2015-4156
Date: Mon, 8 Jun 2015 06:26:34 +0200
Hi Rogério,

On Mon, Jun 08, 2015 at 12:44:58AM -0300, Rogério Brito wrote:
> On Jun 06 2015, Salvatore Bonaccorso wrote:
> > Source: parallel
> > Version: 20120422-1
> > Severity: normal
> > Tags: security upstream fixed-upstream
> (...)
> 
> Thanks for the report.
> 
> How should I proceed to fix the non-sid versions of the package?

Thanks for the quick reply already. I think these issues do not warrant a
DSA on their own for stable and oldstable. But it would surely be nice
to have them fixed as well there through a (old-)stable proposed
update. Could you contact the release team for this?
> 
> Fixing it in unstable is simple enough that I can essentially just upload a
> new version, but how should coordination with the other releases go, since I
> saw that the bug affects both stable and oldstable.

Yes, just go ahead with the new upstream version for unstable which
addresses both CVEs.

Thanks a lot for your work!

Regards,
Salvatore



Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Sat, 31 Dec 2016 13:51:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 31 Dec 2016 13:51:06 GMT) (full text, mbox, link).


Message #20 received at 787954-close@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>
To: 787954-close@bugs.debian.org
Subject: Bug#787954: fixed in parallel 20161222-1
Date: Sat, 31 Dec 2016 13:48:41 +0000
Source: parallel
Source-Version: 20161222-1

We believe that the bug you reported is fixed in the latest version of
parallel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 787954@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated parallel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 31 Dec 2016 14:24:10 +0100
Source: parallel
Binary: parallel
Architecture: source all
Version: 20161222-1
Distribution: unstable
Urgency: medium
Maintainer: Rogério Brito <rbrito@ime.usp.br>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
 parallel   - build and execute command lines from standard input in parallel
Closes: 749355 787954 813639 815952
Changes:
 parallel (20161222-1) unstable; urgency=medium
 .
   [ Rogério Brito ]
   * New upstream version 20161122.
     + Fixes CVE-2015-4155 and CVE-2015-4156. (Closes: #787954)
   * debian/gbp.conf:
     + Avoid warning by renaming section from git-import-orig to import-orig.
     + Avoid warning by renaming section from git-dch to dch.
   * debian/control:
     + Depend on procps. (Closes: #815952)
     + Remove conflicts with moreutils. Thanks to Ian Jackson for the
       suggestion and many others for the discussions.  (Closes: #749355)
     + Substitute dependency on perl-modules with simple perl.
     + Fix Vcs-* URLs to point to new, cgit HTTPS locations.
 .
   [ Ondřej Surý ]
   * Imported Upstream version 20161222 (Closes: #813639)
Checksums-Sha1:
 b785177fd310a67e78267ebfece57135a0ba3096 2071 parallel_20161222-1.dsc
 00b110f1759fa2fcc54ad62e84b15fe013fffaca 1408567 parallel_20161222.orig.tar.bz2
 419a4705a9d87e8ff695abb912ce72ab9d8f895b 18856 parallel_20161222-1.debian.tar.xz
 cb73c4b94614e4046f605613d6618d2b5d08d7d0 306798 parallel_20161222-1_all.deb
 efdbd326635fcc57bdfc5f1ba03e6b5eeb80be61 4928 parallel_20161222-1_amd64.buildinfo
Checksums-Sha256:
 9d6f46e2b55026cdf56a6acf2da5e5a212d6f9bf94d777cfe322be39a3f1a8d2 2071 parallel_20161222-1.dsc
 2714be9b6957ce6ddb268e8aa97f463d8eac97e55612cc055ef030afd9c80fb2 1408567 parallel_20161222.orig.tar.bz2
 a1f45066d41f6e2c2c54dc270ab20361b0ec3e60075c55e1f086c09840ad45ff 18856 parallel_20161222-1.debian.tar.xz
 3fc62e5ceb22bb76951fea47ee50c9a3fb86a89654a9b79a75bb1a28719d4513 306798 parallel_20161222-1_all.deb
 df8ff6038407afd05265d2dce66febf606ec1728a72c9b6b37a589b29cd34759 4928 parallel_20161222-1_amd64.buildinfo
Files:
 69322263a3b83f757a1320a796024785 2071 utils extra parallel_20161222-1.dsc
 1e5752dfd407df6e27ca1c65cf2642f8 1408567 utils extra parallel_20161222.orig.tar.bz2
 c834fe61a6aaf28b1a8ac1e6b36f7de6 18856 utils extra parallel_20161222-1.debian.tar.xz
 d6bd3a30c2970c095e1a4dbeec878ca4 306798 utils extra parallel_20161222-1_all.deb
 b1f820edb48409a7553df36b33c24664 4928 utils extra parallel_20161222-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 Feb 2017 07:30:10 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:21:36 2019; Machine Name: buxtehude
