
Bug#990201: CVE-2021-33622 (was: Re: Accepted singularity-container 3.9.5+ds1-1 (source) into experimental)

Hi Salvatore,

On Sun, Feb 20, 2022 at 08:01:34PM +0100, Salvatore Bonaccorso wrote:
> >    [ Andreas Tille ]
> >    * Team upload.
> >    * Version > 3.6.x are closing CVE-2021-33622
> >      Closes: #990201
> Can you help isolate on that?
> https://support.sylabs.io/support/solutions/articles/42000087130-3-5-8-security-release-cve-2021-33622-
> refers the 3.6.x as being affected and so there is the statement that
> the issue is not going to be patched in those versions:
> > This issue affects open-source Singularity 3.5.x and 3.6.x. These
> > versions are no longer supported and will not be patched.

Yes, but in the same bug link, this is written as well:

| Affected Versions
| Singularity 3.5.x - 3.6.x, SingularityPRO <3.5-8.

And so I thought it has been fixed in later versions.

> https://bugs.debian.org/990201#10 is as well relevant in the context.

Since Andreas added this entry, I suppose he somehow forgot
about his own findings about the problem; and I did not scrutinize much
before upload (as this was not building and that was my primary focus)

> So where has this issue been fixed?

But yes, you are right, even at Mitre metadata, I do not find any information
about any patch for the bug; i.e. I do not see the "code" that fixes it, and hence
I too am skeptical whether or not it is really gone.

For the sake of completeness, I have opened an issue upstream [1].

[1]: https://github.com/sylabs/singularity/issues/586
