[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1035026: marked as done (singularity-container: CVE-2023-30549)

Your message dated Tue, 1 Aug 2023 21:52:43 +0530
with message-id <20230801162243.pbnrtpwfdldubbzw@office.mailbox.org>
and subject line Re: singularity-container: CVE-2023-30549
has caused the Debian Bug report #1035026,
regarding singularity-container: CVE-2023-30549
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1035026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035026
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Source: singularity-container
Version: 3.11.0+ds1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for singularity-container.
The issue originally reference for apptainer is affecting in same way
singularity.

CVE-2023-30549[0]:
| Apptainer is an open source container platform for Linux. There is an
| ext4 use-after-free flaw that is exploitable through versions of
| Apptainer &lt; 1.1.0, installations that include apptainer-suid &lt;
| 1.1.8, and all versions of Singularity in their default configurations
| on older operating systems where that CVE has not been patched. That
| includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the
| linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04
| focal. Use-after-free flaws in the kernel can be used to attack the
| kernel for denial of service and potentially for privilege escalation.
| Apptainer 1.1.8 includes a patch that by default disables mounting of
| extfs filesystem types in setuid-root mode, while continuing to allow
| mounting of extfs filesystems in non-setuid "rootless" mode using
| fuse2fs. Some workarounds are possible. Either do not install
| apptainer-suid (for versions 1.1.0 through 1.1.7) or set `allow setuid
| = no` in apptainer.conf (or singularity.conf for singularity
| versions). This requires having unprivileged user namespaces enabled
| and except for apptainer 1.1.x versions will disallow mounting of sif
| files, extfs files, and squashfs files in addition to other, less
| significant impacts. (Encrypted sif files are also not supported
| unprivileged in apptainer 1.1.x.). Alternatively, use the `limit
| containers` options in apptainer.conf/singularity.conf to limit sif
| files to trusted users, groups, and/or paths, and set `allow container
| extfs = no` to disallow mounting of extfs overlay files. The latter
| option by itself does not disallow mounting of extfs overlay
| partitions inside SIF files, so that's why the former options are also
| needed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-30549
    https://www.cve.org/CVERecord?id=CVE-2023-30549
[1] https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg

Regards,
Salvatore

--- End Message ---
--- Begin Message --- 
Version: 3.11.4+ds1-1

Closing the bug report after discussion.

Attachment: signature.asc
Description: PGP signature


--- End Message ---
Reply to: