
Debian Bug report logs - #1035026
singularity-container: CVE-2023-30549


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 27 Apr 2023 20:09:01 UTC

Severity: important

Tags: security, upstream

Found in version singularity-container/3.11.0+ds1-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian HPC Team <debian-hpc@lists.debian.org>:
Bug#1035026; Package src:singularity-container. (Thu, 27 Apr 2023 20:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian HPC Team <debian-hpc@lists.debian.org>. (Thu, 27 Apr 2023 20:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: singularity-container: CVE-2023-30549
Date: Thu, 27 Apr 2023 22:06:36 +0200
Source: singularity-container
Version: 3.11.0+ds1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for singularity-container.
The issue was originally reported for apptainer and affects singularity
in the same way.

CVE-2023-30549[0]:
| Apptainer is an open source container platform for Linux. There is an
| ext4 use-after-free flaw that is exploitable through versions of
| Apptainer < 1.1.0, installations that include apptainer-suid <
| 1.1.8, and all versions of Singularity in their default configurations
| on older operating systems where that CVE has not been patched. That
| includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the
| linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04
| focal. Use-after-free flaws in the kernel can be used to attack the
| kernel for denial of service and potentially for privilege escalation.
| Apptainer 1.1.8 includes a patch that by default disables mounting of
| extfs filesystem types in setuid-root mode, while continuing to allow
| mounting of extfs filesystems in non-setuid "rootless" mode using
| fuse2fs. Some workarounds are possible. Either do not install
| apptainer-suid (for versions 1.1.0 through 1.1.7) or set `allow setuid
| = no` in apptainer.conf (or singularity.conf for singularity
| versions). This requires having unprivileged user namespaces enabled
| and except for apptainer 1.1.x versions will disallow mounting of sif
| files, extfs files, and squashfs files in addition to other, less
| significant impacts. (Encrypted sif files are also not supported
| unprivileged in apptainer 1.1.x.). Alternatively, use the `limit
| containers` options in apptainer.conf/singularity.conf to limit sif
| files to trusted users, groups, and/or paths, and set `allow container
| extfs = no` to disallow mounting of extfs overlay files. The latter
| option by itself does not disallow mounting of extfs overlay
| partitions inside SIF files, so that's why the former options are also
| needed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-30549
    https://www.cve.org/CVERecord?id=CVE-2023-30549
[1] https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg

Regards,
Salvatore
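The workarounds quoted in the advisory above can be checked mechanically against a site's singularity.conf. The following Python is added here as an example and is not part of the bug report or of the Apptainer/Singularity projects: it parses a singularity.conf excerpt and reports whether the setuid-mode extfs exposure remains on a kernel that lacks the ext4 fix. The sample configurations are constructed, and the `limit container owners/groups/paths` key names are the standard singularity.conf spellings of the `limit containers` options the advisory refers to.

```python
import re

# Constructed sample singularity.conf excerpts (not taken from the bug report).
# The first keeps the default, exposed settings; the second applies the
# advisory's workarounds (extfs overlays off plus container limits).
WEAK_CONF = """\
# singularity.conf (constructed sample, defaults)
allow setuid = yes
allow container extfs = yes
limit container owners =
limit container groups =
limit container paths =
"""

HARDENED_CONF = """\
# singularity.conf (constructed sample, advisory workarounds applied)
allow setuid = yes
allow container extfs = no
limit container owners = hpcadmin
limit container paths = /opt/images
"""

def parse_conf(text):
    """Parse 'key = value' lines of singularity.conf into a dict.
    Keys are lower-cased with single spaces; comments and blank lines are
    skipped. An empty value stays '' (for 'limit container *' that means
    no restriction)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[re.sub(r"\s+", " ", key).strip().lower()] = value.strip()
    return conf

def extfs_exposure(conf):
    """Return findings explaining why this configuration still lets
    unprivileged users trigger a setuid-root extfs mount (CVE-2023-30549
    on an unpatched kernel). An empty list means a workaround is in place."""
    if conf.get("allow setuid", "yes").lower() != "yes":
        return []  # rootless mode: extfs is mounted via fuse2fs, not the kernel
    findings = []
    if conf.get("allow container extfs", "yes").lower() == "yes":
        findings.append("allow container extfs = yes: extfs overlay files mounted in setuid mode")
    limited = any(conf.get("limit container " + k, "") for k in ("owners", "groups", "paths"))
    if not limited:
        findings.append("no limit container owners/groups/paths: any user may supply a SIF with an extfs partition")
    return findings
```

Both checks are needed because, as the advisory notes, `allow container extfs = no` alone does not stop extfs partitions embedded in SIF files.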





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 28 13:12:35 2023; Machine Name: bembo
