
Bug#1035026: singularity-container: CVE-2023-30549



Hi

On Tue, Aug 01, 2023 at 07:57:22PM +0530, Nilesh Patra wrote:
> Hi Salvatore,
> 
> On Thu, 27 Apr 2023 22:06:36 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Source: singularity-container
> > Version: 3.11.0+ds1-1
> > Severity: important
> > Tags: security upstream
> > The following vulnerability was published for singularity-container.
> > The issue originally referenced for apptainer affects singularity in
> > the same way.
> > 
> > CVE-2023-30549[0]:
> > ...
> 
> I asked this upstream[1] and upstream thinks that this is actually an
> issue with the kernel filesystem itself, and this is not a singularity
> issue per se. They even have a blogpost about the same giving more
> details on the CVE. I suppose there's nothing I can do as a package
> maintainer to act upon the bug.
> 
> I've also CC'ed David (upstream) to this mail, to keep them in the loop
> as well.
> 
> What do you think?

Okay, I see there is disagreement between the Apptainer project and Sylabs
on this, and I understand the reasoning outlined in the response blogpost.
I will mark the CVE entry as unimportant and add a rationale for it, in
particular because for the suites where singularity-container is
available, the known CVE-2022-1184 is patched. The Apptainer rationale,
as explained, is broader though, and does not refer only to this known
CVE.

Given that, I'm fine if you close the bug report, following the upstream
response and their view on CVE-2023-30549.

What you could do as packager, maybe, is to put the configuration option
in reference with CVE-2023-30549 once it is available in a new
singularity-container.

> Note: If I do not hear from you in a week, I'll close this bug report.

Quite tight pressure, given there are also general summer vacation
times ;-)

Regards,
Salvatore

