[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#929042: marked as done (singularity-container: CVE-2019-11328)

Your message dated Wed, 15 May 2019 16:51:24 -0400
with message-id <485AEDE8-7653-49DA-97EC-BE9FD454B33C@debian.org>
and subject line Re: Bug#929042: singularity-container: CVE-2019-11328
has caused the Debian Bug report #929042,
regarding singularity-container: CVE-2019-11328
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
929042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929042
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Source: singularity-container
Version: 3.1.1+ds-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for singularity-container.

CVE-2019-11328[0]:
| An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious
| user with local/network access to the host system (e.g. ssh) could
| exploit this vulnerability due to insecure permissions allowing a user
| to edit files within
| `/run/singularity/instances/sing/&lt;user&gt;/&lt;instance&gt;`. The
| manipulation of those files can change the behavior of the starter-
| suid program when instances are joined resulting in potential
| privilege escalation on the host.

Could you furthermore check, is this only introduced in the 3.1.0
series really or just are those the versions checked for the issue,
but earlier versions might be affected as well?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11328
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11328

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message --- 
Control: notfound -1 3.1.1+ds-1

Hi,

On May 15, 2019 4:29:54 PM EDT, Salvatore Bonaccorso <carnil@debian.org> wrote:
>Source: singularity-container
>Version: 3.1.1+ds-1
>Severity: grave
>Tags: security upstream
>
>Hi,
>
>The following vulnerability was published for singularity-container.
>
>CVE-2019-11328[0]:
>| An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a
>malicious
>| user with local/network access to the host system (e.g. ssh) could
>| exploit this vulnerability due to insecure permissions allowing a
>user
>| to edit files within
>| `/run/singularity/instances/sing/&lt;user&gt;/&lt;instance&gt;`. The
>| manipulation of those files can change the behavior of the starter-
>| suid program when instances are joined resulting in potential
>| privilege escalation on the host.
>

The version I uploaded yesterday includes the patches for this CVE.

>Could you furthermore check, is this only introduced in the 3.1.0
>series really or just are those the versions checked for the issue,
>but earlier versions might be affected as well?
>

I filed an unblock request to hopefully replace 3.0.3 in Testing. 2.6.1 doesn't have the affected code (it predates the Go implementation).


>If you fix the vulnerability please also make sure to include the
>CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>

I did this already.

>For further information see:
>
>[0] https://security-tracker.debian.org/tracker/CVE-2019-11328
>    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11328
>
>Please adjust the affected versions in the BTS as needed.
>

regards
Afif

--- End Message ---
Reply to: