
Bug#972212: marked as done (singularity-container: CVE-2020-15229)



Your message dated Sat, 19 Feb 2022 10:53:19 +0000
with message-id <E1nLNMd-0004ly-JN@fasolo.debian.org>
and subject line Bug#972212: fixed in singularity-container 3.9.4+ds2-1
has caused the Debian Bug report #972212,
regarding singularity-container: CVE-2020-15229
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
972212: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972212
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: singularity-container
Version: 3.5.2+ds1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for singularity-container.

CVE-2020-15229[0]:
| Path traversal and files overwrite with unsquashfs

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15229
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15229
[1] https://github.com/hpcng/singularity/security/advisories/GHSA-7gcp-w6ww-2xv9

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: singularity-container
Source-Version: 3.9.4+ds2-1
Done: Andreas Tille <tille@debian.org>

We believe that the bug you reported is fixed in the latest version of
singularity-container, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 972212@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated singularity-container package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 18 Feb 2022 17:49:26 +0100
Source: singularity-container
Architecture: source
Version: 3.9.4+ds2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian HPC Team <debian-hpc@lists.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Closes: 965040 970465 972212 995171
Changes:
 singularity-container (3.9.4+ds2-1) experimental; urgency=medium
 .
   * Team upload
 .
   [ Yaroslav Halchenko ]
   * Fresh upstream release
     Closes: #995171
   * debian/watch - updated to point to -ce flavor of release on github.
     Thanks to Andreas Tille for the patch!
   * debian/patches
     - cni_plugin_path.patch - updated for moved files and more files with
       similar references of cni
 .
   [ Andreas Tille ]
   * New upstream release
      - Version 3.6.0 addresses CVE-2020-13845 CVE-2020-13846 CVE-2020-13847
        Closes: #965040
      - Version 3.6.3 addresses CVE-2020-25039 CVE-2020-25040
        Closes: #970465
      - Version 3.6.4 addresses CVE-2020-15229
        Closes: #972212
   * Versioned (Build-)Depends: golang-github-blang-semver-dev (>= 4)
   * Versioned Build-Depends: golang-github-vbauerster-mpb-dev (>= 7.3.2)
   * Standards-Version: 4.6.0 (routine-update)
   * debhelper-compat 13 (routine-update)
   * Rules-Requires-Root: no (routine-update)
   * Use secure URI in Homepage field.
   * Update renamed lintian tag names in lintian overrides.
   * Use default salsa-ci pipeline
   * Bump github.com/vbauerster/mpb to v7
   * Drop Dave Love from Uploaders (Thanks a lot for your initial work Dave)
   * Versioned Build-Depends: golang-github-appc-cni-dev (>= 1.0.1~)
   * Do not try to `chown -c root.root` which is not permitted and granted
     in the final package anyway
   * Fix and simplify watch file
   * Replace vendored copies of
      github.com/Azure/go-ansiterm (golang-github-azure-go-ansiterm-dev)
      github.com/Netflix/go-expect (golang-github-netflix-go-expect-dev)
      github.com/ProtonMail/go-crypto (golang-github-protonmail-go-crypto-dev)
   * Distribute Apache-2.0 copyright NOTICE
 .
   [ Nilesh Patra ]
   * Follow pattern of d052a709acbe1fc2eae989842e4248a5ff90a591.patch to remove
     references to v4

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
