On Tue, Aug 01, 2023 at 05:10:10PM +0200, Salvatore Bonaccorso wrote:
> On Tue, Aug 01, 2023 at 07:57:22PM +0530, Nilesh Patra wrote:
> > I asked this upstream[1] and upstream thinks that this is actually an
> > issue with the kernel filesystem itself, and this is not a singularity
> > issue per se. They even have a blogpost about the same giving more
> > details on the CVE. I suppose there's nothing I can do as a package
> > maintainer to act upon the bug.
> >
> > I've also CC'ed David (upstream) to this mail, to keep them in the loop
> > as well.
> >
> > What do you think?
>
> Okay I see there is disagreement on the Apptainer project on Sylabs on
> this and understand the reasoning outlined in the response blogpost. I
> will mark the CVE entry as unimportant and add a rationale for it, in
> particular because for the suites where singularity-container is
> available, the known CVE-2022-1184 is patched.

Thank you!

> The Apptainer rationale
> is as explained though more broad and not referring only to this known
> CVE.
>
> Given that, I'm fine if you close the bugreport following the upstream
> response to their view on CVE-2023-30549.
>
> What you could do as packager, once this configuration option in a new
> security-container is available to put it in reference with
> CVE-2023-30549, maybe.

I think this was introduced in version 3.11.2 as per the changelog mention
https://github.com/sylabs/singularity/blob/main/CHANGELOG.md#3112-2023-04-27

However, I had already uploaded 3.11.4 to unstable before I saw this bug
report, sorry about that. I'll mention this in the bookworm-fasttrack upload
in that case.

> > Note: If I do not hear from you in a week, I'll close this bug report.
>
> Quite tight pressure given there is as well general

I wanted to upload this to bookworm before next week. To my surprise, there
are actually users consuming this package from there, so I just wanted to
make it a little quick :)

> summer vacation times ;-)

There are _currently_ no summer vacation times in the part of the world I
live in. It was in fact raining quite heavily for the past few days, so I
didn't realise the vac stuff for you :-)

Best,
Nilesh