Bug#1121843: singularity-container: CVE-2025-64750
Source: singularity-container
Version: 4.1.5+ds4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for singularity-container.
CVE-2025-64750[0]:
| SingularityCE and SingularityPRO are open source container
| platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11
| and 4.3.5, if a user relies on LSM restrictions to prevent malicious
| operations then, under certain circumstances, an attacker can
| redirect the LSM label write operation so that it is ineffective.
| The attacker must cause the user to run a malicious container image
| that redirects the mount of /proc to the destination of a shared
| mount, either known to be configured on the target system, or that
| will be specified by the user when running the container. The
| attacker must also control the content of the shared mount, for
| example through another malicious container which also binds it, or
| as a user with relevant permissions on the host system it is bound
| from. This vulnerability is fixed in SingularityCE 4.3.5 and
| SingularityPRO 4.1.11 and 4.3.5.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-64750
https://www.cve.org/CVERecord?id=CVE-2025-64750
[1] https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87
Regards,
Salvatore
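The advisory above hinges on /proc inside the container no longer being a genuine, private procfs when the LSM label is written through it. One host-side sanity check a defender could run before trusting such a write is to parse /proc/self/mountinfo and confirm that the mount actually covering /proc is of type proc and is not a shared-propagation mount. This is an added illustration, not SingularityCE's code or its upstream fix; the mountinfo lines below are constructed samples.

```python
import re
from dataclasses import dataclass

@dataclass
class MountEntry:
    mount_point: str
    fstype: str
    source: str
    optional: tuple  # propagation fields such as ("shared:42",)

def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Parse /proc/self/mountinfo text into MountEntry records, in file order."""
    entries = []
    for line in filter(None, text.splitlines()):
        pre, _, post = line.partition(" - ")  # a lone '-' ends the optional fields
        pre_f, post_f = pre.split(), post.split()
        entries.append(MountEntry(_unescape(pre_f[4]), post_f[0],
                                  _unescape(post_f[1]), tuple(pre_f[6:])))
    return entries

def mount_for(entries, path):
    """Longest mount point covering path; of entries stacked on one point, the later (topmost) wins."""
    best = None
    for e in entries:
        if (path.rstrip("/") + "/").startswith(e.mount_point.rstrip("/") + "/"):
            if best is None or len(e.mount_point) >= len(best.mount_point):
                best = e
    return best

def verify_proc(mountinfo_text, path="/proc"):
    """Return (ok, reason); ok only if path sits on a procfs that is not shared."""
    e = mount_for(parse_mountinfo(mountinfo_text), path)
    if e is None:
        return False, f"{path} is not covered by any mount"
    if e.fstype != "proc":
        return False, f"{path} is backed by {e.fstype} from {e.source} at {e.mount_point}"
    shared = [f for f in e.optional if f.startswith("shared:")]
    if shared:
        return False, f"{path} is a shared mount ({', '.join(shared)})"
    return True, "ok"

# Constructed sample mountinfo lines (not captured from a real host).
GOOD_PROC = "22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
SHARED_PROC = "22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:7 - proc proc rw\n"
# An image has stacked the destination of a shared bind mount on top of /proc.
REDIRECTED_PROC = GOOD_PROC + "75 22 8:1 /srv/shared /proc rw,relatime shared:42 - ext4 /dev/sda1 rw\n"
```

The redirected sample is the shape the advisory describes: the original procfs entry is still present, but a later, topmost entry of a different filesystem type covers /proc, so anything written to a path under /proc lands on the shared mount instead.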