
Bug#1035026: singularity-container: CVE-2023-30549



On Tue, Aug 01, 2023 at 05:10:10PM +0200, Salvatore Bonaccorso wrote:
> On Tue, Aug 01, 2023 at 07:57:22PM +0530, Nilesh Patra wrote:
> > I asked this upstream[1] and upstream thinks that this is actually an
> > issue with the kernel filesystem itself, and this is not a singularity
> > issue per se. They even have a blogpost about the same giving more
> > details on the CVE. I suppose there's nothing I can do as a package
> > maintainer to act upon the bug.
> > 
> > I've also CC'ed David (upstream) to this mail, to keep them in the loop
> > as well.
> > 
> > What do you think?
> 
> Okay I see there is disagreement on the Apptainer project on Sylabs on
> this and understand the reasoning outlined in the response blogpost. I
> will mark the CVE entry as unimportant and add a rationale for it, in
> particular because for the suites where singularity-container is
> available, the known CVE-2022-1184 is patched.

Thank you!

> The Apptainer rationale
> is as explained though more broad and not referring only to this known
> CVE.
> 
> Given that, I'm fine if you close the bugreport following the upstream
> response to their view on CVE-2023-30549.
> 
> What you could do as packager, once this configuration option in a new
> security-container is available to put it in reference with
> CVE-2023-30549, maybe. 

I think this was introduced in version 3.11.2 as per the changelog
mention

	https://github.com/sylabs/singularity/blob/main/CHANGELOG.md#3112-2023-04-27

However, I had already uploaded 3.11.4 to unstable before I saw this bug
report, sorry about that. I'll mention this in the bookworm-fasttrack upload in that case.

> > Note: If I do not hear from you in a week, I'll close this bug report.
> 
> Quite tight pressure given there is as well general

I wanted to upload this to bookworm before next week. To my surprise,
there are actually users consuming this package from there, so I just
wanted to make it a little quick :)

> summer vacation times ;-)

There are _currently_ no summer vacation times in the part of the world I live in.
It has in fact been raining quite heavily for the past few days, so I didn't
realise it was vacation time for you :-)

Best,
Nilesh
