Bug#929042: closed by Afif Elghraoui <afif@debian.org> (Re: Bug#929042: singularity-container: CVE-2019-11328)

To: 929042@bugs.debian.org
Subject: Bug#929042: closed by Afif Elghraoui <afif@debian.org> (Re: Bug#929042: singularity-container: CVE-2019-11328)
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 15 May 2019 22:57:49 +0200
Message-id: <[🔎] 20190515205749.GA11236@eldamar.local>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 929042@bugs.debian.org
In-reply-to: <handler.929042.D929042.15579534947623.notifdone@bugs.debian.org>
References: <485AEDE8-7653-49DA-97EC-BE9FD454B33C@debian.org> <[🔎] 155795219437.6863.11846723040576750109.reportbug@eldamar.local> <handler.929042.D929042.15579534947623.notifdone@bugs.debian.org> <[🔎] 155795219437.6863.11846723040576750109.reportbug@eldamar.local>

Hi Afif,

On Wed, May 15, 2019 at 08:54:03PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the src:singularity-container package:
> 
> #929042: singularity-container: CVE-2019-11328
> 
> It has been closed by Afif Elghraoui <afif@debian.org>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Afif Elghraoui <afif@debian.org> by
> replying to this email.
> 
> 
> -- 
> 929042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929042
> Debian Bug Tracking System
> Contact owner@bugs.debian.org with problems

> Date: Wed, 15 May 2019 16:51:24 -0400
> From: Afif Elghraoui <afif@debian.org>
> To: 929042-done@bugs.debian.org
> Subject: Re: Bug#929042: singularity-container: CVE-2019-11328
> User-Agent: K-9 Mail for Android
> Message-ID: <485AEDE8-7653-49DA-97EC-BE9FD454B33C@debian.org>
> 
> Control: notfound -1 3.1.1+ds-1
> 
> Hi,
> 
> On May 15, 2019 4:29:54 PM EDT, Salvatore Bonaccorso <carnil@debian.org> wrote:
> >Source: singularity-container
> >Version: 3.1.1+ds-1
> >Severity: grave
> >Tags: security upstream
> >
> >Hi,
> >
> >The following vulnerability was published for singularity-container.
> >
> >CVE-2019-11328[0]:
> >| An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a
> >malicious
> >| user with local/network access to the host system (e.g. ssh) could
> >| exploit this vulnerability due to insecure permissions allowing a
> >user
> >| to edit files within
> >| `/run/singularity/instances/sing/&lt;user&gt;/&lt;instance&gt;`. The
> >| manipulation of those files can change the behavior of the starter-
> >| suid program when instances are joined resulting in potential
> >| privilege escalation on the host.
> >
> 
> The version I uploaded yesterday includes the patches for this CVE.

Thanks saw that, and fixed the security-tracker information.

> >Could you furthermore check, is this only introduced in the 3.1.0
> >series really or just are those the versions checked for the issue,
> >but earlier versions might be affected as well?
> >
> 
> I filed an unblock request to hopefully replace 3.0.3 in Testing. 2.6.1 doesn't have the affected code (it predates the Go implementation).

Thanks that was important bit to know.

Then there is nothing further to be done.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Bug#929042: closed by Afif Elghraoui <afif@debian.org> (Re: Bug#929042: singularity-container: CVE-2019-11328)
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Bug#929042: closed by Afif Elghraoui <afif@debian.org> (Re: Bug#929042: singularity-container: CVE-2019-11328)
  - From: Afif Elghraoui <afif@debian.org>

References:
- Bug#929042: singularity-container: CVE-2019-11328
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#929042: marked as done (singularity-container: CVE-2019-11328)
Next by Date: Processed: notfound 929042 in 3.1.1+ds-1
Previous by thread: Bug#929042: marked as done (singularity-container: CVE-2019-11328)
Next by thread: Bug#929042: closed by Afif Elghraoui <afif@debian.org> (Re: Bug#929042: singularity-container: CVE-2019-11328)
Index(es):
- Date
- Thread