
Bug#855216: marked as done (unblock: singularity-container/2.2-2)



Your message dated Wed, 15 Feb 2017 17:17:00 +0000
with message-id <3bb44dcd-57ee-6ab8-1be1-f686f20ba964@thykier.net>
and subject line Re: Bug#855216: unblock: singularity-container/2.2-2
has caused the Debian Bug report #855216,
regarding unblock: singularity-container/2.2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
855216: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855216
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package singularity-container

The 2.2 release contained a vulnerability, described in detail upstream at
https://github.com/singularityware/singularity/releases/tag/2.2.1 :
In versions of Singularity previous to 2.2.1, it was possible for a malicious user to create and manipulate specifically crafted raw devices within containers they own. Utilizing MS_NODEV as a container image mount option mitigates this potential vector of attack. As a result, this update should be implemented with high urgency. A big thanks to Mattias Wadenstein (@UMU in Sweden) for identifying and reporting this issue!

2.2-2 (debdiff attached) was prepared in collaboration with upstream to cover
that vulnerability and address a few other possibly security-related (snprintf)
and functionality-related issues. security@d.o was provided with the debdiff and
no negative opinions were expressed.

unblock singularity-container/2.2-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 'unstable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru singularity-container-2.2/debian/changelog singularity-container-2.2/debian/changelog
--- singularity-container-2.2/debian/changelog	2016-11-30 12:33:01.000000000 -0500
+++ singularity-container-2.2/debian/changelog	2017-02-09 16:27:55.000000000 -0500
@@ -1,3 +1,24 @@
+singularity-container (2.2-2) unstable; urgency=high
+
+  * debian/patches - picks up from upcoming 2.2.1 release
+    critical functionality and possibly security-related fixes
+    - changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
+      to support mounting ext4 formatted images read-only
+    - changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
+      to utilize mount option MS_NODEV for images
+      (fixes potential security implications)
+    - changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
+      to fix bootstrapping ran as root (thus no MS_NODEV restriction
+      from above patch should be applied)
+    - changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
+      exit with error if snprintf would have went out of bounds
+    - changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
+      changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
+      changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
+      Various obvious fixes (updated URLs, apt --force-yes)
+
+ -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 09 Feb 2017 16:27:55 -0500
+
 singularity-container (2.2-1) unstable; urgency=medium
 
   [ Mehdi Dogguy ]
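Review bot: the entry for changeset_f79e853 says only "fixes potential security implications" although it is the change that justifies `urgency=high`; adding the upstream release URL from the unblock request (https://github.com/singularityware/singularity/releases/tag/2.2.1) makes the entry self-explanatory for anyone reading the changelog later. The "Various obvious fixes (updated URLs, apt --force-yes)" line also covers changeset_0d04edae, which is a behavioural change in group handling (ENOENT now treated as "group does not exist") rather than a URL or apt tweak, so it deserves its own bullet.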
diff -Nru singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
--- singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff	1969-12-31 19:00:00.000000000 -0500
+++ singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff	2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,21 @@
+From: Gregory M. Kurtzer <gmkurtzer@lbl.gov>
+Subject: Use --force-yes
+
+--- a/examples/debian.def
++++ b/examples/debian.def
+@@ -16,5 +16,5 @@ MirrorURL: http://ftp.us.debian.org/debi
+ %post
+     echo "Hello from inside the container"
+     apt-get update
+-    apt-get -y install vim
++    apt-get -y --force-yes install vim
+ 
+--- a/examples/ubuntu.def
++++ b/examples/ubuntu.def
+@@ -16,5 +16,5 @@ MirrorURL: http://us.archive.ubuntu.com/
+ %post
+     echo "Hello from inside the container"
+     sed -i 's/$/ universe/' /etc/apt/sources.list
+-    apt-get -y install vim
++    apt-get -y --force-yes install vim
+ 
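Review bot: `--force-yes` on the `apt-get install` lines, here and in the debian.def hunk above, is the deprecated catch-all that also permits installing unauthenticated packages, so these example bootstrap definitions now silently accept unsigned archive content. If the failure being worked around is a missing archive keyring, the fix belongs in the bootstrap (install the keyring before `apt-get update`); if an override really is needed, the narrower `--allow-unauthenticated` names the risk being accepted instead of waiving all of apt's safety prompts.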
diff -Nru singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
--- singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff	1969-12-31 19:00:00.000000000 -0500
+++ singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff	2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,14 @@
+From: Nekel-Seyew <kylemdsweene3@gmail.com>
+Subject: added an ERRNO==ENOENT clause
+
+--- a/src/lib/file/group/group.c
++++ b/src/lib/file/group/group.c
+@@ -139,7 +139,7 @@ int singularity_file_group(void) {
+                 singularity_message(VERBOSE3, "Found supplementary group membership in: %d\n", gids[i]);
+                 singularity_message(VERBOSE2, "Adding user's supplementary group ('%s') info to template group file\n", grent->gr_name);
+                 fprintf(file_fp, "%s:x:%u:%s\n", gr->gr_name, gr->gr_gid, pwent->pw_name);
+-            } else if ( (errno == 0) || (errno == ESRCH) || (errno == EBADF) || (errno == EPERM) ) {
++            } else if ( (errno == 0) || (errno == ESRCH) || (errno == EBADF) || (errno == EPERM) || (errno == ENOENT)) {
+                 singularity_message(VERBOSE3, "Skipping GID %d as group entry does not exist.\n", gids[i]);
+             } else {
+                 singularity_message(ERROR, "Failed to lookup GID %d group entry: %s\n", gids[i], strerror(errno));
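Review bot: the `errno == 0` arm of this condition is only meaningful if errno is reset to 0 before the group lookup that precedes it, which the hunk context does not show; worth confirming, because a stale errno from an earlier call would otherwise steer a plain "not found" into the ERROR branch or vice versa. Also, the two context lines above the change log `grent->gr_name` but write `gr->gr_name` and `gr->gr_gid` into the template group file; if these are meant to be the same entry, one of the two variable names looks stale.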
diff -Nru singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
--- singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff	1969-12-31 19:00:00.000000000 -0500
+++ singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff	2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,120 @@
+From: Brian Bockelman <bbockelm@cse.unl.edu>
+Subject: Fix remaining usage of snprintf.
+
+--- a/src/lib/message.c
++++ b/src/lib/message.c
+@@ -109,23 +109,23 @@ void _singularity_message(int level, con
+     }
+ 
+     if ( level <= messagelevel ) {
+-        char *header_string;
++        char header_string[95];
+ 
+         if ( messagelevel >= DEBUG ) {
+-            char *debug_string = (char *) malloc(25);
+-            char *location_string = (char *) malloc(60);
+-            char *tmp_header_string = (char *) malloc(80);
+-            header_string = (char *) malloc(80);
++            char debug_string[25];
++            char location_string[60];
++            char tmp_header_string[86];
+             snprintf(location_string, 60, "%s:%d:%s()", file, line, function); // Flawfinder: ignore
++            location_string[59] = '\0';
+             snprintf(debug_string, 25, "[U=%d,P=%d]", geteuid(), getpid()); // Flawfinder: ignore
+-            snprintf(tmp_header_string, 80, "%-18s %s", debug_string, location_string); // Flawfinder: ignore
+-            snprintf(header_string, 80, "%-7s %-62s: ", prefix, tmp_header_string); // Flawfinder: ignore
+-            free(debug_string);
+-            free(location_string);
+-            free(tmp_header_string);
++            debug_string[24] = '\0';
++            snprintf(tmp_header_string, 86, "%-18s %s", debug_string, location_string); // Flawfinder: ignore
++            tmp_header_string[85] = '\0';
++            snprintf(header_string, 95, "%-7s %-62s: ", prefix, tmp_header_string); // Flawfinder: ignore
++            header_string[94] = '\0';
+         } else {
+-            header_string = (char *) malloc(11);
+             snprintf(header_string, 10, "%-7s: ", prefix); // Flawfinder: ignore
++            header_string[9] = '\0';
+         }
+ 
+         if ( level == INFO && messagelevel == INFO ) {
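Review bot: the widths in the DEBUG branch do not quite add up: `"%-7s %-62s: "` with a 7-character prefix and a full 85-character `tmp_header_string` needs 96 bytes including the terminator, but `header_string` is 95, so the trailing space of the longest possible header is silently dropped. Harmless, but it is the one snprintf in this series that truncates silently while every other hunk aborts on truncation; either declare `header_string[96]` or note the accepted truncation in a comment. The `buf[n-1] = '\0'` lines after each call are redundant, since snprintf always NUL-terminates when given a non-zero size. On the plus side, moving from `malloc` to stack buffers also removes the `header_string` allocation that was never freed.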
+@@ -138,7 +138,6 @@ void _singularity_message(int level, con
+             fprintf(stderr, "%s", strjoin(header_string, message));
+         }
+ 
+-
+         fflush(stdout);
+         fflush(stderr);
+ 
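Review bot: the context line `fprintf(stderr, "%s", strjoin(header_string, message));` passes the heap buffer returned by `strjoin` (which `malloc`s it, see the util.c hunk below) straight to fprintf without freeing it, so every message written this way leaks its joined string. Since this hunk only drops a blank line here, it is a convenient place to capture the result in a local and `free` it after the write.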
+--- a/src/lib/rootfs/rootfs.c
++++ b/src/lib/rootfs/rootfs.c
+@@ -184,7 +184,10 @@ int singularity_rootfs_mount(void) {
+     } else if ( envar_defined("SINGULARITY_WRITABLE") == TRUE ) {
+         singularity_message(VERBOSE3, "Not enabling overlayFS, image mounted writablable\n");
+     } else {
+-        snprintf(overlay_options, overlay_options_len, "lowerdir=%s,upperdir=%s,workdir=%s", rootfs_source, overlay_upper, overlay_work); // Flawfinder: ignore
++        if (snprintf(overlay_options, overlay_options_len, "lowerdir=%s,upperdir=%s,workdir=%s", rootfs_source, overlay_upper, overlay_work) >= overlay_options_len) {
++            singularity_message(ERROR, "Overly-long path names for OverlayFS configuration.\n");
++            ABORT(255);
++        }
+ 
+         singularity_priv_escalate();
+         singularity_message(DEBUG, "Mounting overlay tmpfs: %s\n", overlay_mount);
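Review bot: the truncation test is correct (`>= overlay_options_len` is exactly snprintf's truncation condition), but snprintf can also return a negative value on an encoding error. If `overlay_options_len` is unsigned, the negative value converts to a huge number and trips the abort, which is the safe direction; if it is a signed `int`, a negative return passes the check and `overlay_options` is used with unspecified contents. The declaration is not in the hunk, so an explicit `n < 0 ||` on the result removes the dependence on its type.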
+--- a/src/lib/sessiondir.c
++++ b/src/lib/sessiondir.c
+@@ -55,7 +55,7 @@ char *singularity_sessiondir_init(char *
+         struct stat filestat;
+         uid_t uid = singularity_priv_getuid();
+ 
+-        sessiondir = (char *) malloc(sizeof(char) * PATH_MAX);
++        sessiondir = (char *) malloc(PATH_MAX);
+ 
+         singularity_message(DEBUG, "Checking Singularity configuration for 'sessiondir prefix'\n");
+ 
+@@ -66,9 +66,15 @@ char *singularity_sessiondir_init(char *
+ 
+         singularity_config_rewind();
+         if ( ( sessiondir_prefix = envar_path("SINGULARITY_SESSIONDIR") ) != NULL ) {
+-            snprintf(sessiondir, sizeof(char) * PATH_MAX, "%s/singularity-session-%d.%d.%lu", sessiondir_prefix, (int)uid, (int)filestat.st_dev, (long unsigned)filestat.st_ino); // Flawfinder: ignore
++            if (snprintf(sessiondir, PATH_MAX, "%s/singularity-session-%d.%d.%lu", sessiondir_prefix, (int)uid, (int)filestat.st_dev, (long unsigned)filestat.st_ino) >= PATH_MAX) { // Flawfinder: ignore
++                singularity_message(ERROR, "Overly-long session directory specified.\n");
++                ABORT(255);
++            }
+         } else if ( ( sessiondir_prefix = singularity_config_get_value("sessiondir prefix") ) != NULL ) {
+-            snprintf(sessiondir, sizeof(char) * PATH_MAX, "%s%d.%d.%lu", sessiondir_prefix, (int)uid, (int)filestat.st_dev, (long unsigned)filestat.st_ino); // Flawfinder: ignore
++            if (snprintf(sessiondir, PATH_MAX, "%s%d.%d.%lu", sessiondir_prefix, (int)uid, (int)filestat.st_dev, (long unsigned)filestat.st_ino) >= PATH_MAX) { // Flawfinder: ignore
++                singularity_message(ERROR, "Overly-long session directory specified.\n");
++                ABORT(255);
++            }
+         } else {
+             snprintf(sessiondir, sizeof(char) * PATH_MAX, "/tmp/.singularity-session-%d.%d.%lu", (int)uid, (int)filestat.st_dev, (long unsigned)filestat.st_ino); // Flawfinder: ignore
+         }
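Review bot: the third branch (the `/tmp/.singularity-session-...` fallback in the last context lines of this hunk) keeps the unchecked `snprintf(sessiondir, sizeof(char) * PATH_MAX, ...)` form. Its output is a fixed prefix plus three integers and cannot approach PATH_MAX, so it is not a defect, but for consistency with the two branches above it (and with the plain `PATH_MAX` spelling introduced in the previous hunk) it is worth giving it the same return-value check.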
+--- a/src/util/util.c
++++ b/src/util/util.c
+@@ -136,8 +136,12 @@ char *joinpath(const char * path1, const
+         path2++;
+     }
+ 
+-    ret = (char *) malloc(strlength(tmp_path1, PATH_MAX) + strlength(path2, PATH_MAX) + 2);
+-    snprintf(ret, strlength(tmp_path1, PATH_MAX) + strlen(path2) + 2, "%s/%s", tmp_path1, path2); // Flawfinder: ignore
++    size_t ret_pathlen = strlength(tmp_path1, PATH_MAX) + strlength(path2, PATH_MAX) + 2;
++    ret = (char *) malloc(ret_pathlen);
++    if (snprintf(ret, ret_pathlen, "%s/%s", tmp_path1, path2) >= ret_pathlen) { // Flawfinder: ignore
++        singularity_message(ERROR, "Overly-long path name.\n");
++        ABORT(255);
++    }
+ 
+     return(ret);
+ }
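Review bot: this fixes the real defect in the removed lines: the buffer was sized with `strlength(path2, PATH_MAX)` (capped) while the snprintf bound used `strlen(path2)` (uncapped), so a `path2` longer than PATH_MAX handed snprintf a bound larger than the allocation. Computing `ret_pathlen` once and using it for both removes that mismatch. Two follow-ups: `malloc(ret_pathlen)` is still not checked for NULL before the write, and comparing snprintf's `int` return against a `size_t` means a negative (error) return converts to a huge value and is treated as truncation, which is the safe direction but worth stating with an explicit `n < 0 ||`.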
+@@ -147,7 +151,10 @@ char *strjoin(char *str1, char *str2) {
+     int len = strlength(str1, 2048) + strlength(str2, 2048) + 1;
+ 
+     ret = (char *) malloc(len);
+-    snprintf(ret, len, "%s%s", str1, str2); // Flawfinder: ignore
++    if (snprintf(ret, len, "%s%s", str1, str2) >= len) { // Flawfinder: ignore
++       singularity_message(ERROR, "Overly-long string encountered.\n");
++       ABORT(255);
++    }
+ 
+     return(ret);
+ }
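Review bot: with `len` computed from `strlength(str1, 2048) + strlength(str2, 2048) + 1`, any input longer than 2048 bytes was previously truncated and now calls `ABORT(255)`. Since `strjoin` is what `_singularity_message` uses to assemble log lines (message.c hunk above), an over-long log message becomes a fatal exit rather than a truncated line; if that is not intended, return NULL or truncate with a warning here and let callers decide. The body of the new `if` block is indented with 7 spaces where the rest of the file uses 8.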
diff -Nru singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
--- singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff	1969-12-31 19:00:00.000000000 -0500
+++ singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff	2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,14 @@
+From: Gregory M. Kurtzer <gmkurtzer@lbl.gov>
+Subject: Fix busybox path
+
+--- a/examples/busybox.def
++++ b/examples/busybox.def
+@@ -5,7 +5,7 @@
+ # required approvals from the U.S. Dept. of Energy).  All rights reserved.
+ 
+ BootStrap: busybox
+-MirrorURL: https://www.busybox.net/downloads/binaries/busybox-x86_64
++MirrorURL: https://www.busybox.net/downloads/binaries/1.26.2-defconfig-multiarch/busybox-x86_64
+ 
+ 
+ %post
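Review bot: pinning `MirrorURL` to the `1.26.2-defconfig-multiarch/` directory makes the example reproducible, but the binary is still fetched with no integrity check, so a replaced upload at the same URL would be bootstrapped without notice. Recording the expected checksum of the pinned `busybox-x86_64` in the definition and verifying it before use (for example in `%post`) would close that gap for anyone who copies this example.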
diff -Nru singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
--- singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff	1969-12-31 19:00:00.000000000 -0500
+++ singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff	2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,31 @@
+From: Gregory M. Kurtzer <gmkurtzer@lbl.gov>
+Subject: Minor fixup to fail over to try ext4 file system
+  Sorry, I didn't realize anyone was still using those images!
+
+--- a/src/lib/rootfs/image/image.c
++++ b/src/lib/rootfs/image/image.c
+@@ -127,16 +127,20 @@ int rootfs_image_mount(void) {
+         singularity_message(VERBOSE, "Mounting image in read/write\n");
+         singularity_priv_escalate();
+         if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID, "errors=remount-ro") < 0 ) {
+-            singularity_message(ERROR, "Failed to mount image in (read/write): %s\n", strerror(errno));
+-            ABORT(255);
++            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID, "errors=remount-ro") < 0 ) {
++                singularity_message(ERROR, "Failed to mount image in (read/write): %s\n", strerror(errno));
++                ABORT(255);
++            }
+         }
+         singularity_priv_drop();
+     } else {
+         singularity_priv_escalate();
+         singularity_message(VERBOSE, "Mounting image in read/only\n");
+         if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) {
+-            singularity_message(ERROR, "Failed to mount image in (read only): %s\n", strerror(errno));
+-            ABORT(255);
++            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) {
++                singularity_message(ERROR, "Failed to mount image in (read only): %s\n", strerror(errno));
++                ABORT(255);
++            }
+         }
+         singularity_priv_drop();
+     }
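Review bot: when both mounts fail, the reported `strerror(errno)` comes from the second (`ext4`) attempt only, so the reason the ext3 attempt failed is lost; logging it at VERBOSE before retrying keeps the original cause visible. The read/write and read-only branches now carry the same two-level fallback verbatim; a small helper taking the flag set would keep the two copies from drifting apart (the MS_NODEV patches in this series already have to edit both).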
diff -Nru singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
--- singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff	1969-12-31 19:00:00.000000000 -0500
+++ singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff	2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,76 @@
+From: Gregory M. Kurtzer <gmkurtzer@lbl.gov>
+Subject: Conditionally disable MS_NODEV when running as root
+
+--- a/src/lib/rootfs/dir/dir.c
++++ b/src/lib/rootfs/dir/dir.c
+@@ -65,6 +65,7 @@ int rootfs_dir_init(char *source, char *
+ 
+ 
+ int rootfs_dir_mount(void) {
++    int opts = MS_BIND|MS_NOSUID|MS_REC;
+ 
+     if ( ( mount_point == NULL ) || ( source_dir == NULL ) ) {
+         singularity_message(ERROR, "Called image_mount but image_init() hasn't been called\n");
+@@ -76,9 +77,13 @@ int rootfs_dir_mount(void) {
+         ABORT(255);
+     }
+ 
++    if ( getuid() != 0 ) {
++        opts |= MS_NODEV;
++    }
++
+     singularity_priv_escalate();
+     singularity_message(DEBUG, "Mounting container directory %s->%s\n", source_dir, mount_point);
+-    if ( mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_NODEV, NULL) < 0 ) {
++    if ( mount(source_dir, mount_point, NULL, opts, NULL) < 0 ) {
+         singularity_message(ERROR, "Could not mount container directory %s->%s: %s\n", source_dir, mount_point, strerror(errno));
+         return 1;
+     }
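Review bot: the root test calls `getuid()` directly, while the rest of the code in this series goes through `singularity_priv_getuid()` (see the sessiondir.c hunk). In a setuid binary the real UID is the right thing to test, but using the same accessor everywhere makes that intent explicit and keeps privilege handling in one place. A one-line comment saying why root is exempt (bootstrapping runs as root, per the changelog) would also help the next reader, since a missing `MS_NODEV` otherwise reads like an oversight.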
+@@ -88,7 +93,7 @@ int rootfs_dir_mount(void) {
+         if ( singularity_ns_user_enabled() <= 0 ) {
+             singularity_priv_escalate();
+             singularity_message(VERBOSE2, "Making mount read only: %s\n", mount_point);
+-            if ( mount(NULL, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY|MS_NODEV, NULL) < 0 ) {
++            if ( mount(NULL, mount_point, NULL, opts|MS_REMOUNT|MS_RDONLY, NULL) < 0 ) {
+                 singularity_message(ERROR, "Could not bind read only %s: %s\n", mount_point, strerror(errno));
+                 ABORT(255);
+             }
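Review bot: reusing `opts` on the `MS_REMOUNT|MS_BIND` call is the important part of this hunk: a bind remount replaces the per-mount flags with exactly the set passed, so if `MS_NODEV` were omitted here the remount would strip it again even when the first mount carried it. A short comment to that effect would stop a later edit from "simplifying" this back to a literal flag list.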
+--- a/src/lib/rootfs/image/image.c
++++ b/src/lib/rootfs/image/image.c
+@@ -100,6 +100,7 @@ int rootfs_image_init(char *source, char
+ 
+ 
+ int rootfs_image_mount(void) {
++    int opts = MS_NOSUID;
+ 
+     if ( mount_point == NULL ) {
+         singularity_message(ERROR, "Called image_mount but image_init() hasn't been called\n");
+@@ -122,12 +123,15 @@ int rootfs_image_mount(void) {
+         ABORT(255);
+     }
+ 
++    if ( getuid() != 0 ) {
++        opts |= MS_NODEV;
++    }
+ 
+     if ( read_write > 0 ) {
+         singularity_message(VERBOSE, "Mounting image in read/write\n");
+         singularity_priv_escalate();
+-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_NODEV, "errors=remount-ro") < 0 ) {
+-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_NODEV, "errors=remount-ro") < 0 ) {
++        if ( mount(loop_dev, mount_point, "ext3", opts, "errors=remount-ro") < 0 ) {
++            if ( mount(loop_dev, mount_point, "ext4", opts, "errors=remount-ro") < 0 ) {
+                 singularity_message(ERROR, "Failed to mount image in (read/write): %s\n", strerror(errno));
+                 ABORT(255);
+             }
+@@ -136,8 +140,8 @@ int rootfs_image_mount(void) {
+     } else {
+         singularity_priv_escalate();
+         singularity_message(VERBOSE, "Mounting image in read/only\n");
+-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
+-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
++        if ( mount(loop_dev, mount_point, "ext3", opts|MS_RDONLY, "errors=remount-ro") < 0 ) {
++            if ( mount(loop_dev, mount_point, "ext4", opts|MS_RDONLY, "errors=remount-ro") < 0 ) {
+                 singularity_message(ERROR, "Failed to mount image in (read only): %s\n", strerror(errno));
+                 ABORT(255);
+             }
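Review bot: the `opts` computation (`MS_NOSUID`, plus `MS_NODEV` unless `getuid() == 0`) is now duplicated between image.c and dir.c, and squashfs.c, which received `MS_NODEV` unconditionally in changeset_f79e853 below, is not touched here. That is consistent only if a squashfs root is never used for root bootstrapping; a shared helper returning the base flag set for all three mount sites would make the policy one decision rather than three copies.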
diff -Nru singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
--- singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff	1969-12-31 19:00:00.000000000 -0500
+++ singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff	2017-02-09 16:27:55.000000000 -0500
@@ -0,0 +1,67 @@
+commit f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d
+Author: Gregory M. Kurtzer <gmkurtzer@lbl.gov>
+Date:   Thu Feb 2 22:37:50 2017 +0000
+
+    Utilize mount option MS_NODEV for images
+
+diff --git a/src/lib/rootfs/dir/dir.c b/src/lib/rootfs/dir/dir.c
+index c6ba1a8c..75fa6468 100644
+--- a/src/lib/rootfs/dir/dir.c
++++ b/src/lib/rootfs/dir/dir.c
+@@ -78,7 +78,7 @@ int rootfs_dir_mount(void) {
+ 
+     singularity_priv_escalate();
+     singularity_message(DEBUG, "Mounting container directory %s->%s\n", source_dir, mount_point);
+-    if ( mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) < 0 ) {
++    if ( mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_NODEV, NULL) < 0 ) {
+         singularity_message(ERROR, "Could not mount container directory %s->%s: %s\n", source_dir, mount_point, strerror(errno));
+         return 1;
+     }
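Review bot: per mount(2), on an `MS_BIND` mount the kernel ignores every flag except `MS_REC`, so adding `MS_NODEV` on this line changes nothing by itself; for a bind mount the flag only takes effect through the `MS_REMOUNT|MS_BIND` call in the next hunk. That remount sits inside `if ( singularity_ns_user_enabled() <= 0 )`, so confirm that the directory-rootfs path which skips the remount still ends up with nodev by other means, or give it its own remount. The loop-device mounts in image.c and squashfs.c are ordinary mounts and apply `MS_NODEV` directly.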
+@@ -88,7 +88,7 @@ int rootfs_dir_mount(void) {
+         if ( singularity_ns_user_enabled() <= 0 ) {
+             singularity_priv_escalate();
+             singularity_message(VERBOSE2, "Making mount read only: %s\n", mount_point);
+-            if ( mount(NULL, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY, NULL) < 0 ) {
++            if ( mount(NULL, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY|MS_NODEV, NULL) < 0 ) {
+                 singularity_message(ERROR, "Could not bind read only %s: %s\n", mount_point, strerror(errno));
+                 ABORT(255);
+             }
+diff --git a/src/lib/rootfs/image/image.c b/src/lib/rootfs/image/image.c
+index 0db44999..8f3261fd 100644
+--- a/src/lib/rootfs/image/image.c
++++ b/src/lib/rootfs/image/image.c
+@@ -126,8 +126,8 @@ int rootfs_image_mount(void) {
+     if ( read_write > 0 ) {
+         singularity_message(VERBOSE, "Mounting image in read/write\n");
+         singularity_priv_escalate();
+-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID, "errors=remount-ro") < 0 ) {
+-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID, "errors=remount-ro") < 0 ) {
++        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_NODEV, "errors=remount-ro") < 0 ) {
++            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_NODEV, "errors=remount-ro") < 0 ) {
+                 singularity_message(ERROR, "Failed to mount image in (read/write): %s\n", strerror(errno));
+                 ABORT(255);
+             }
+@@ -136,8 +136,8 @@ int rootfs_image_mount(void) {
+     } else {
+         singularity_priv_escalate();
+         singularity_message(VERBOSE, "Mounting image in read/only\n");
+-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) {
+-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) {
++        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
++            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
+                 singularity_message(ERROR, "Failed to mount image in (read only): %s\n", strerror(errno));
+                 ABORT(255);
+             }
+diff --git a/src/lib/rootfs/squashfs/squashfs.c b/src/lib/rootfs/squashfs/squashfs.c
+index df71f4c2..82f2dfc5 100644
+--- a/src/lib/rootfs/squashfs/squashfs.c
++++ b/src/lib/rootfs/squashfs/squashfs.c
+@@ -104,7 +104,7 @@ int rootfs_squashfs_mount(void) {
+ 
+     singularity_priv_escalate();
+     singularity_message(VERBOSE, "Mounting squashfs image\n");
+-    if ( mount(loop_dev, mount_point, "squashfs", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) {
++    if ( mount(loop_dev, mount_point, "squashfs", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
+         singularity_message(ERROR, "Failed to mount squashfs image in (read only): %s\n", strerror(errno));
+         ABORT(255);
+     }
diff -Nru singularity-container-2.2/debian/patches/series singularity-container-2.2/debian/patches/series
--- singularity-container-2.2/debian/patches/series	2016-11-30 12:33:01.000000000 -0500
+++ singularity-container-2.2/debian/patches/series	2017-02-09 16:27:55.000000000 -0500
@@ -2,3 +2,10 @@
 0001-BF-do-not-make-python-modules-not-intended-to-be-exe.patch
 0002-ENH-removed-python-shebangs-from-non-script-python-m.patch
 0001-BF-bash_completion.d-script-has-bashisms-so-use-bash.patch
+changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
+changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
+changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
+changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
+changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
+changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
+changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff

--- End Message ---
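The snprintf fixes in the attached debdiff all follow one pattern: size the buffer and bound the write from the same expression, then treat a return value of at least the bound as truncation. As an added example (not Singularity's code; `safe_joinpath`, `join_length` and `capped_len` are hypothetical names), here is that pattern as a path-join helper that refuses over-long results instead of truncating them, and also rejects a negative snprintf return:

```c
/* Added example, not part of the Singularity sources: a path join that sizes
 * the buffer and bounds snprintf from one expression and reports truncation
 * instead of silently producing a cut-off path. Names are hypothetical. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Length of s, but never scan further than max bytes (a portable strnlen). */
static size_t capped_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Join dir and name with exactly one '/'. Returns a malloc'd string, or NULL
 * with errno set: EINVAL for a NULL argument, ENAMETOOLONG if the result would
 * not fit in PATH_MAX bytes (terminator included), ENOMEM from malloc.
 * A dir that is empty or consists only of slashes yields "/name". */
char *safe_joinpath(const char *dir, const char *name)
{
    if (dir == NULL || name == NULL) {
        errno = EINVAL;
        return NULL;
    }
    size_t dlen = capped_len(dir, PATH_MAX);
    while (dlen > 0 && dir[dlen - 1] == '/')   /* drop trailing slashes */
        dlen--;
    while (*name == '/')                       /* drop leading slashes */
        name++;
    size_t nlen = capped_len(name, PATH_MAX);

    /* dir + '/' + name + NUL. Because both lengths are capped at PATH_MAX, an
     * over-long input shows up here as need > PATH_MAX rather than as a buffer
     * smaller than the snprintf bound (the mismatch the debdiff fixes). */
    size_t need = dlen + 1 + nlen + 1;
    if (need > PATH_MAX) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    char *ret = malloc(need);
    if (ret == NULL)
        return NULL;                            /* errno == ENOMEM */

    int n = snprintf(ret, need, "%.*s/%s", (int)dlen, dir, name);
    if (n < 0 || (size_t)n >= need) {
        /* n < 0: encoding error, buffer contents unspecified;
         * n >= need: output truncated. Neither result may be returned. */
        free(ret);
        errno = ENAMETOOLONG;
        return NULL;
    }
    return ret;
}

/* Exercise the bound with constructed inputs: a dir of dir_len 'a's and a name
 * of name_len 'b's. Returns the joined length, or -1 if safe_joinpath refused. */
int join_length(size_t dir_len, size_t name_len)
{
    char *dir = malloc(dir_len + 1);
    char *name = malloc(name_len + 1);
    int result = -1;
    if (dir != NULL && name != NULL) {
        memset(dir, 'a', dir_len);
        dir[dir_len] = '\0';
        memset(name, 'b', name_len);
        name[name_len] = '\0';
        char *joined = safe_joinpath(dir, name);
        if (joined != NULL) {
            result = (int)strlen(joined);
            free(joined);
        }
    }
    free(dir);
    free(name);
    return result;
}

int main(void)
{
    char *p = safe_joinpath("/var/lib/singularity/", "/mnt/container");
    printf("%s\n", p ? p : strerror(errno));
    free(p);
    printf("largest join that fits: %d\n", join_length(PATH_MAX - 10, 8));
    printf("one byte too long: %d\n", join_length(PATH_MAX - 10, 9));
    return 0;
}
```

The caller decides what to do with NULL; in a setuid helper like the one patched here, aborting (as the debdiff does) is a reasonable choice for path construction, whereas a logging path is usually better served by truncating with a warning.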
--- Begin Message ---
Yaroslav Halchenko:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package singularity-container
> 
> The 2.2 release contained a vulnerability, described in detail upstream at
> https://github.com/singularityware/singularity/releases/tag/2.2.1 :
> In versions of Singularity previous to 2.2.1, it was possible for a malicious user to create and manipulate specifically crafted raw devices within containers they own. Utilizing MS_NODEV as a container image mount option mitigates this potential vector of attack. As a result, this update should be implemented with high urgency. A big thanks to Mattias Wadenstein (@UMU in Sweden) for identifying and reporting this issue!
> 
> 2.2-2 (debdiff attached) was prepared in collaboration with upstream to cover
> that vulnerability and address a few other possibly security-related (snprintf)
> and functionality-related issues. security@d.o was provided with the debdiff and
> no negative opinions were expressed.
> 
> unblock singularity-container/2.2-2
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
