
Bug#1035026: singularity-container: CVE-2023-30549



Hi Nilesh,

On Tue, Aug 01, 2023 at 09:33:16PM +0530, Nilesh Patra wrote:
> On Tue, Aug 01, 2023 at 05:10:10PM +0200, Salvatore Bonaccorso wrote:
> > On Tue, Aug 01, 2023 at 07:57:22PM +0530, Nilesh Patra wrote:
> > > I asked this upstream[1] and upstream thinks that this is actually an
> > > issue with the kernel filesystem itself, and this is not a singularity
> > > issue per se. They even have a blogpost about the same giving more
> > > details on the CVE. I suppose there's nothing I can do as a package
> > > maintainer to act upon the bug.
> > > 
> > > I've also CC'ed David (upstream) to this mail, to keep them in the loop
> > > as well.
> > > 
> > > What do you think?
> > 
> > Okay, I see there is disagreement between the Apptainer project and Sylabs on
> > this and understand the reasoning outlined in the response blogpost. I
> > will mark the CVE entry as unimportant and add a rationale for it, in
> > particular because for the suites where singularity-container is
> > available, the known CVE-2022-1184 is patched.
> 
> Thank you!
> 
> > The Apptainer rationale
> > is as explained though more broad and not referring only to this known
> > CVE.
> > 
> > Given that, I'm fine if you close the bugreport following the upstream
> > response to their view on CVE-2023-30549.
> > 
> > What you could do as packager, once this configuration option in a new
> > security-container is available to put it in reference with
> > CVE-2023-30549, maybe. 
> 
> I think this was introduced in version 3.11.2 as per the changelog
> mention
> 
> 	https://github.com/sylabs/singularity/blob/main/CHANGELOG.md#3112-2023-04-27
> 
> However, I had already uploaded 3.11.4 to unstable before I saw this bug
> report, sorry about that. I'll mention this in the bookworm-fasttrack upload in that case.

Ah perfect. I amended the entry again and am considering the issue fixed
from our perspective with 3.11.4+ds1-1, plus a reference to the upstream
changelog entry.

> 
> > > Note: If I do not hear from you in a week, I'll close this bug report.
> > 
> > Quite tight pressure given there is as well general
> 
> I wanted to upload this to bookworm before next week. To my surprise,
> there are actually users consuming this package from there, so I just
> wanted to make it a little quick :)

Was all not that serious, but wanted to put away some time pressure
from me on the decision making. All good.

> > summer vacation times ;-)
> 
> There are _currently_ no summer vacation times in the part of the world I live in.
> It has, in fact, been raining quite heavily for the past few days, so I didn't
> realise the vac stuff for you :-)

Ah right :)

Regards,
Salvatore

