Bug 928664 (CVE-2015-4155) - VUL-1: CVE-2015-4155: gnu_parallel: local file overwrite through symlink vulnerability
Status: RESOLVED FIXED
Alias: CVE-2015-4155
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.2
Priority: P4 - Low, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2015-4156
Reported: 2015-04-26 19:38 UTC by Andreas Stieger
Modified: 2015-06-03 08:01 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2015-04-26 19:38:25 UTC
The GNU parallel 20150422 release notes read as follows:
http://savannah.gnu.org/forum/forum.php?forum_id=8261

Security fix. An attacker on the local system could make you overwrite one of your own files with a single byte. The problem exists when you use --compress or --tmux or --pipe or --cat or --fifo. The attacker must figure out the randomly chosen file name and create a symlink within a time window of 15 ms.

openSUSE:13.1                           gnu_parallel  20130722
openSUSE:13.2                           gnu_parallel  20140722
openSUSE:Factory                        gnu_parallel  20150322
utilities                               gnu_parallel  20150322
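
The bug class described in the release notes above, as an added Python illustration (not GNU parallel's code and not the upstream patch): a temp file opened by name follows a symlink that is already in place, while an exclusive create refuses it. The file names, helper functions and the pre-planted symlink are constructed for this example.

```python
import os
import tempfile


def unsafe_write(path: str, data: bytes) -> None:
    """Vulnerable pattern: a plain open() follows a symlink found at `path`."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_write(path: str, data: bytes) -> None:
    """Hardened pattern: create the file atomically or fail.

    O_EXCL with O_CREAT fails if anything, including a symlink, already
    exists at `path`; O_NOFOLLOW is defence in depth where the OS has it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Run both patterns against a symlink that exists before the write."""
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "important.txt")  # "one of your own files"
        guessed = os.path.join(workdir, "parXXXX.tmp")   # hypothetical temp name
        result = {}
        for name, writer in (("unsafe", unsafe_write), ("safe", safe_write)):
            with open(victim, "wb") as fh:
                fh.write(b"original contents\n")
            if os.path.lexists(guessed):
                os.unlink(guessed)
            os.symlink(victim, guessed)  # symlink in place at the temp name
            try:
                writer(guessed, b"\n")   # the tool writes a single byte
                outcome = "written"
            except FileExistsError:
                outcome = "refused"
            with open(victim, "rb") as fh:
                result[name] = (outcome, fh.read())
        return result


if __name__ == "__main__":
    for name, (outcome, content) in demo().items():
        print(f"{name}: {outcome}, victim file now {content!r}")
```

In practice, library helpers such as Python's `tempfile.mkstemp` perform this exclusive create with an unpredictable name, which removes both the guessable name and the race.
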
Comment 1 Swamp Workflow Management 2015-04-26 22:00:14 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-04-27 08:24:08 UTC
Affects openSUSE only.
Comment 3 Bernhard Wiedemann 2015-04-28 14:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (928664) was mentioned in
https://build.opensuse.org/request/show/304400 13.2 / gnu_parallel
https://build.opensuse.org/request/show/304401 13.1 / gnu_parallel
Comment 4 Swamp Workflow Management 2015-05-12 15:06:18 UTC
openSUSE-SU-2015:0856-1: An update that contains security fixes can now be installed.

Category: security (low)
Bug References: 928664
CVE References: 
Sources used:
openSUSE 13.2 (src):    gnu_parallel-20150422-2.3.1
openSUSE 13.1 (src):    gnu_parallel-20150422-2.3.1
Comment 5 Andreas Stieger 2015-05-23 19:10:44 UTC
released