Bug#929042: closed by Afif Elghraoui <firstname.lastname@example.org> (Re: Bug#929042: singularity-container: CVE-2019-11328)
On Wed, May 15, 2019 at 08:54:03PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the src:singularity-container package:
> #929042: singularity-container: CVE-2019-11328
> It has been closed by Afif Elghraoui <email@example.com>.
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Afif Elghraoui <firstname.lastname@example.org> by
> replying to this email.
> 929042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929042
> Debian Bug Tracking System
> Contact email@example.com with problems
> Date: Wed, 15 May 2019 16:51:24 -0400
> From: Afif Elghraoui <firstname.lastname@example.org>
> To: email@example.com
> Subject: Re: Bug#929042: singularity-container: CVE-2019-11328
> User-Agent: K-9 Mail for Android
> Message-ID: <485AEDE8-7653-49DA-97EC-BE9FD454B33C@debian.org>
> Control: notfound -1 3.1.1+ds-1
> On May 15, 2019 4:29:54 PM EDT, Salvatore Bonaccorso <firstname.lastname@example.org> wrote:
> >Source: singularity-container
> >Version: 3.1.1+ds-1
> >Severity: grave
> >Tags: security upstream
> >The following vulnerability was published for singularity-container.
> >| An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a
> >| user with local/network access to the host system (e.g. ssh) could
> >| exploit this vulnerability due to insecure permissions allowing a
> >| to edit files within
> >| `/run/singularity/instances/sing/<user>/<instance>`. The
> >| manipulation of those files can change the behavior of the starter-
> >| suid program when instances are joined resulting in potential
> >| privilege escalation on the host.
> The version I uploaded yesterday includes the patches for this CVE.
Thanks, saw that, and fixed the security-tracker information.
> >Could you furthermore check, is this only introduced in the 3.1.0
> >series really or just are those the versions checked for the issue,
> >but earlier versions might be affected as well?
> I filed an unblock request to hopefully replace 3.0.3 in Testing. 2.6.1 doesn't have the affected code (it predates the Go implementation).
Thanks, that was an important bit to know.
Then there is nothing further to be done.