[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#929042: singularity-container: CVE-2019-11328

Source: singularity-container
Version: 3.1.1+ds-1
Severity: grave
Tags: security upstream


The following vulnerability was published for singularity-container.

| An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious
| user with local/network access to the host system (e.g. ssh) could
| exploit this vulnerability due to insecure permissions allowing a user
| to edit files within
| `/run/singularity/instances/sing/<user>/<instance>`. The
| manipulation of those files can change the behavior of the starter-
| suid program when instances are joined resulting in potential
| privilege escalation on the host.

Could you furthermore check, is this only introduced in the 3.1.0
series really or just are those the versions checked for the issue,
but earlier versions might be affected as well?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11328

Please adjust the affected versions in the BTS as needed.


Reply to: