
Bug#1035026: singularity-container: CVE-2023-30549



Source: singularity-container
Version: 3.11.0+ds1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for singularity-container.
The issue, originally reported for apptainer, affects singularity in the
same way.

CVE-2023-30549[0]:
| Apptainer is an open source container platform for Linux. There is an
| ext4 use-after-free flaw that is exploitable through versions of
| Apptainer &lt; 1.1.0, installations that include apptainer-suid &lt;
| 1.1.8, and all versions of Singularity in their default configurations
| on older operating systems where that CVE has not been patched. That
| includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the
| linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04
| focal. Use-after-free flaws in the kernel can be used to attack the
| kernel for denial of service and potentially for privilege escalation.
| Apptainer 1.1.8 includes a patch that by default disables mounting of
| extfs filesystem types in setuid-root mode, while continuing to allow
| mounting of extfs filesystems in non-setuid "rootless" mode using
| fuse2fs. Some workarounds are possible. Either do not install
| apptainer-suid (for versions 1.1.0 through 1.1.7) or set `allow setuid
| = no` in apptainer.conf (or singularity.conf for singularity
| versions). This requires having unprivileged user namespaces enabled
| and except for apptainer 1.1.x versions will disallow mounting of sif
| files, extfs files, and squashfs files in addition to other, less
| significant impacts. (Encrypted sif files are also not supported
| unprivileged in apptainer 1.1.x.). Alternatively, use the `limit
| containers` options in apptainer.conf/singularity.conf to limit sif
| files to trusted users, groups, and/or paths, and set `allow container
| extfs = no` to disallow mounting of extfs overlay files. The latter
| option by itself does not disallow mounting of extfs overlay
| partitions inside SIF files, so that's why the former options are also
| needed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-30549
    https://www.cve.org/CVERecord?id=CVE-2023-30549
[1] https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg

Regards,
Salvatore
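The quoted advisory describes the mitigation as a combination of configuration settings rather than a single switch: either `allow setuid = no`, or `allow container extfs = no` together with a `limit container` restriction so that only trusted users, groups or paths can supply SIF files (which may themselves carry extfs overlay partitions). The following script is an added example for administrators, not part of this bug report or of the singularity/apptainer projects; it parses a singularity.conf/apptainer.conf and reports whether that combination is present. The sample configurations are constructed. The key names `limit container owners`, `limit container groups` and `limit container paths` are the existing singularity.conf keys for the "limit containers" options; the assumption that a key missing from the file takes the permissive value (`yes` / `NULL`) is the script's own and should be checked against the defaults of the installed version.

```python
"""Audit a singularity.conf / apptainer.conf for the CVE-2023-30549 workarounds.

Added example; not code from the bug report or from the singularity project.
"""

# Constructed sample: a default-style file where setuid mode is on, extfs
# overlay files may be mounted, and no "limit container" restriction is set.
DEFAULT_CONF = """\
# singularity.conf (constructed sample)
allow setuid = yes
allow container extfs = yes
limit container owners = NULL
limit container groups = NULL
limit container paths = NULL
"""

# Constructed sample: extfs disabled but SIF files still accepted from anyone.
PARTIAL_CONF = """\
allow setuid = yes
allow container extfs = no
limit container owners = NULL
"""

# Constructed sample: extfs disabled and SIF files limited to trusted owners/paths.
HARDENED_CONF = """\
allow setuid = yes
allow container extfs = no
limit container owners = root, hpcadmin
limit container groups = NULL
limit container paths = /opt/images
"""

# Constructed sample: setuid mode off entirely (rootless mode via user namespaces).
ROOTLESS_CONF = """\
allow setuid = no
allow container extfs = yes
"""

LIMIT_KEYS = ("limit container owners", "limit container groups", "limit container paths")


def parse_conf(text):
    """Parse `key = value` lines into a dict; comments and blank lines are ignored.

    Keys are normalised to lower case with single spaces, matching the
    `allow setuid` / `limit container owners` style used in the file.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[" ".join(key.lower().split())] = value.strip()
    return conf


def _restricts(value):
    """A "limit container" key restricts access unless it is empty or NULL."""
    return value is not None and value.strip() not in ("", "NULL")


def assess(conf):
    """Return (mitigated, findings) following the advisory's two workaround paths.

    Assumption (ours, not the project's): a key absent from the file is
    treated as the permissive value, i.e. `yes` for allow-keys and NULL for
    limit-keys. Verify this against the defaults of the installed version.
    """
    findings = []
    if conf.get("allow setuid", "yes").lower() == "no":
        # Rootless mode: the setuid starter never mounts extfs via the kernel driver.
        return True, []
    if conf.get("allow container extfs", "yes").lower() != "no":
        findings.append("allow container extfs is not 'no': extfs overlay files "
                        "can still be mounted in setuid mode")
    if not any(_restricts(conf.get(k)) for k in LIMIT_KEYS):
        findings.append("no 'limit container' restriction: SIF files from untrusted "
                        "users may carry extfs overlay partitions")
    return (not findings), findings


def audit_file(path):
    """Convenience wrapper for a real file on disk."""
    with open(path, encoding="utf-8") as fh:
        return assess(parse_conf(fh.read()))


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONF), ("partial", PARTIAL_CONF),
                       ("hardened", HARDENED_CONF), ("rootless", ROOTLESS_CONF)):
        ok, notes = assess(parse_conf(text))
        print(f"{name:9s} mitigated={ok}")
        for note in notes:
            print("  -", note)
```

On a real host, `audit_file("/etc/singularity/singularity.conf")` (or the apptainer.conf path for apptainer installs) gives the same tuple; a `False` result with the two findings above corresponds to the default configuration the advisory calls out for singularity on kernels without the ext4 fix.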
