Your message dated Tue, 1 Aug 2023 21:52:43 +0530 with message-id <20230801162243.pbnrtpwfdldubbzw@office.mailbox.org> and subject line Re: singularity-container: CVE-2023-30549 has caused the Debian Bug report #1035026, regarding singularity-container: CVE-2023-30549 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1035026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035026 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: singularity-container: CVE-2023-30549
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Thu, 27 Apr 2023 22:06:36 +0200
- Message-id: <168262599644.414346.18172516130476235236.reportbug@eldamar.lan>
Source: singularity-container Version: 3.11.0+ds1-1 Severity: important Tags: security upstream X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org> Hi, The following vulnerability was published for singularity-container. The issue originally reference for apptainer is affecting in same way singularity. CVE-2023-30549[0]: | Apptainer is an open source container platform for Linux. There is an | ext4 use-after-free flaw that is exploitable through versions of | Apptainer < 1.1.0, installations that include apptainer-suid < | 1.1.8, and all versions of Singularity in their default configurations | on older operating systems where that CVE has not been patched. That | includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the | linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 | focal. Use-after-free flaws in the kernel can be used to attack the | kernel for denial of service and potentially for privilege escalation. | Apptainer 1.1.8 includes a patch that by default disables mounting of | extfs filesystem types in setuid-root mode, while continuing to allow | mounting of extfs filesystems in non-setuid "rootless" mode using | fuse2fs. Some workarounds are possible. Either do not install | apptainer-suid (for versions 1.1.0 through 1.1.7) or set `allow setuid | = no` in apptainer.conf (or singularity.conf for singularity | versions). This requires having unprivileged user namespaces enabled | and except for apptainer 1.1.x versions will disallow mounting of sif | files, extfs files, and squashfs files in addition to other, less | significant impacts. (Encrypted sif files are also not supported | unprivileged in apptainer 1.1.x.). Alternatively, use the `limit | containers` options in apptainer.conf/singularity.conf to limit sif | files to trusted users, groups, and/or paths, and set `allow container | extfs = no` to disallow mounting of extfs overlay files. The latter | option by itself does not disallow mounting of extfs overlay | partitions inside SIF files, so that's why the former options are also | needed. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-30549 https://www.cve.org/CVERecord?id=CVE-2023-30549 [1] https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg Regards, Salvatore
--- End Message ---
--- Begin Message ---
- To: 1035026-done@bugs.debian.org
- Cc: David Trudgian <david.trudgian@sylabs.io>
- Subject: Re: singularity-container: CVE-2023-30549
- From: Nilesh Patra <nilesh@debian.org>
- Date: Tue, 1 Aug 2023 21:52:43 +0530
- Message-id: <20230801162243.pbnrtpwfdldubbzw@office.mailbox.org>
- In-reply-to: <[🔎] ZMkvKFPLNTOE59jB@eldamar.lan>
- References: <168262599644.414346.18172516130476235236.reportbug@eldamar.lan> <[🔎] 20230801142722.wwnpvdgtsdeblsqq@office.mailbox.org> <[🔎] ZMkgUkkBeJLC6Nlc@eldamar.lan> <[🔎] 20230801160316.2kc5g2j2ycdvrc5s@office.mailbox.org> <[🔎] ZMkvKFPLNTOE59jB@eldamar.lan>
Version: 3.11.4+ds1-1 Closing the bug report after discussion.Attachment: signature.asc
Description: PGP signature
--- End Message ---