Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apptainer for openSUSE:Factory checked in at 2023-07-26 13:24:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apptainer (Old) and /work/SRC/openSUSE:Factory/.apptainer.new.15225 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apptainer"
Wed Jul 26 13:24:51 2023 rev:20 rq:1100792 version:1.2.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/apptainer/apptainer.changes 2023-07-25 11:52:47.454045366 +0200
+++ /work/SRC/openSUSE:Factory/.apptainer.new.15225/apptainer.changes 2023-07-26 13:26:04.000768301 +0200
@@ -1,0 +2,6 @@
+Wed Jul 26 07:33:42 UTC 2023 - Christian Goll <cg...@suse.com>
+
+- updated to 1.2.1 to fix CVE-2023-38496 although not relevant as package is
+ compiled with setuid
+
+-------------------------------------------------------------------
Old:
----
apptainer-1.2.0.tar.gz
New:
----
apptainer-1.2.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apptainer.spec ++++++
--- /var/tmp/diff_new_pack.Yt9ahQ/_old 2023-07-26 13:26:04.784773032 +0200
+++ /var/tmp/diff_new_pack.Yt9ahQ/_new 2023-07-26 13:26:04.792773081 +0200
@@ -26,7 +26,7 @@
 License: BSD-3-Clause-LBNL
 Group: Productivity/Clustering/Computing
 Name: apptainer
-Version: 1.2.0
+Version: 1.2.1
 Release: 0
 # https://spdx.org/licenses/BSD-3-Clause-LBNL.html
 URL: https://apptainer.org
++++++ apptainer-1.2.0.tar.gz -> apptainer-1.2.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.2.0/CHANGELOG.md new/apptainer-1.2.1/CHANGELOG.md
--- old/apptainer-1.2.0/CHANGELOG.md 2023-07-18 17:19:51.000000000 +0200
+++ new/apptainer-1.2.1/CHANGELOG.md 2023-07-24 22:33:41.000000000 +0200
@@ -5,6 +5,18 @@
 and re-branded as Apptainer.
 For older changes see the [archived Singularity change log](https://github.com/apptainer/singularity/blob/release-3.8/CHANGELOG.md).
 
+## v1.2.1 - \[2023-07-24\]
+
+### Security fix
+
+- Included a fix for
+ [security advisory GHSA-mmx5-32m4-wxvx](https://github.com/apptainer/apptainer/security/advisories/GHSA-mmx5-32m4-wxvx)
+ which describes an ineffective privilege drop when requesting a
+ container network with a setuid installation of Apptainer.
+ The vulnerability allows an attacker to delete any directory on the
+ host filesystems with a crafted starter config.
+ Only affects v1.2.0-rc.2 and v1.2.0.
+
 ## v1.2.0 - \[2023-07-18\]
 
 Changes since v1.1.9
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.2.0/INSTALL.md new/apptainer-1.2.1/INSTALL.md
--- old/apptainer-1.2.0/INSTALL.md 2023-07-18 17:19:51.000000000 +0200
+++ new/apptainer-1.2.1/INSTALL.md 2023-07-24 22:33:41.000000000 +0200
@@ -137,7 +137,7 @@
 for example:
 
 ```sh
-git checkout v1.2.0
+git checkout v1.2.1
 ```
 
 ## Compiling Apptainer
@@ -272,7 +272,7 @@
 <!-- markdownlint-disable MD013 -->
 
 ```sh
-VERSION=1.2.0 # this is the apptainer version, change as you need
+VERSION=1.2.1 # this is the apptainer version, change as you need
 # Fetch the source
 wget https://github.com/apptainer/apptainer/releases/download/v${VERSION}/apptainer-${VERSION}.tar.gz
 ```
@@ -324,7 +324,7 @@
 <!-- markdownlint-disable MD013 -->
 
 ```sh
-VERSION=1.2.0 # this is the latest apptainer version, change as you need
+VERSION=1.2.1 # this is the latest apptainer version, change as you need
 ./mconfig
 make -C builddir rpm
 sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/apptainer-$(echo $VERSION|tr - \~)*.x86_64.rpm
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.2.0/go.mod new/apptainer-1.2.1/go.mod
--- old/apptainer-1.2.0/go.mod 2023-07-18 17:19:51.000000000 +0200
+++ new/apptainer-1.2.1/go.mod 2023-07-24 22:33:41.000000000 +0200
@@ -29,7 +29,7 @@
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0-rc4
 	github.com/opencontainers/runc v1.1.7
-	github.com/opencontainers/runtime-spec v1.1.0-rc.3
+	github.com/opencontainers/runtime-spec v1.1.0
 	github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626
 	github.com/opencontainers/selinux v1.11.0
 	github.com/opencontainers/umoci v0.4.7
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.2.0/go.sum new/apptainer-1.2.1/go.sum
--- old/apptainer-1.2.0/go.sum 2023-07-18 17:19:51.000000000 +0200
+++ new/apptainer-1.2.1/go.sum 2023-07-24 22:33:41.000000000 +0200
@@ -433,8 +433,8 @@
 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20200710190001-3e4195d92445/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20220825212826-86290f6a00fb/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/runtime-spec v1.1.0-rc.3 h1:l04uafi6kxByhbxev7OWiuUv0LZxEsYUfDWZ6bztAuU=
-github.com/opencontainers/runtime-spec v1.1.0-rc.3/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.1.0 h1:HHUyrt9mwHUjtasSbXSMvs4cyFxh+Bll4AjJ9odEGpg=
+github.com/opencontainers/runtime-spec v1.1.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626 h1:DmNGcqH3WDbV5k8OJ+esPWbqUOX5rMLR2PMvziDMJi0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20221107090550-2e043c6bd626/go.mod h1:BRHJJd0E+cx42OybVYSgUvZmU0B8P9gZuRXlZUP7TKI=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.2.0/internal/pkg/runtime/engine/apptainer/cleanup_linux.go new/apptainer-1.2.1/internal/pkg/runtime/engine/apptainer/cleanup_linux.go
--- old/apptainer-1.2.0/internal/pkg/runtime/engine/apptainer/cleanup_linux.go 2023-07-18 17:19:51.000000000 +0200
+++ new/apptainer-1.2.1/internal/pkg/runtime/engine/apptainer/cleanup_linux.go 2023-07-24 22:33:41.000000000 +0200
@@ -79,19 +79,20 @@
 	}
 
 	if networkSetup != nil {
+		var dropPrivilege priv.DropPrivFunc
+
 		net := e.EngineConfig.GetNetwork()
-		privileged := false
+		// If a CNI configuration was allowed as non-root (or fakeroot)
 		if net != "none" && os.Geteuid() != 0 {
-			priv.Escalate()
-			privileged = true
+			dropPrivilege, _ = priv.Escalate()
 		}
 
 		sylog.Debugf("Cleaning up CNI network config %s", net)
 		if err := networkSetup.DelNetworks(ctx); err != nil {
 			sylog.Errorf("could not delete networks: %v", err)
 		}
 
-		if privileged {
-			priv.Drop()
+		if dropPrivilege != nil {
+			dropPrivilege()
 		}
 	}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.2.0/internal/pkg/runtime/engine/apptainer/container_linux.go new/apptainer-1.2.1/internal/pkg/runtime/engine/apptainer/container_linux.go
--- old/apptainer-1.2.0/internal/pkg/runtime/engine/apptainer/container_linux.go 2023-07-18 17:19:51.000000000 +0200
+++ new/apptainer-1.2.1/internal/pkg/runtime/engine/apptainer/container_linux.go 2023-07-24 22:33:41.000000000 +0200
@@ -2604,8 +2604,11 @@
 		}
 	}
 	if euid != 0 {
-		priv.Escalate()
-		defer priv.Drop()
+		dropPrivilege, err := priv.Escalate()
+		if err != nil {
+			return err
+		}
+		defer dropPrivilege()
 	}
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/apptainer-1.2.0/internal/pkg/util/priv/priv_linux.go new/apptainer-1.2.1/internal/pkg/util/priv/priv_linux.go
--- old/apptainer-1.2.0/internal/pkg/util/priv/priv_linux.go 2023-07-18 17:19:51.000000000 +0200
+++ new/apptainer-1.2.1/internal/pkg/util/priv/priv_linux.go 2023-07-24 22:33:41.000000000 +0200
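Review bot: The error returned by `dropPrivilege()` is discarded at the end of the cleanup_linux.go hunk, so a setresuid() failure leaves the locked thread with euid 0 and nothing in the log says so; the `defer dropPrivilege()` in the container_linux.go hunk below discards the same error. Where the cleanup code already reports DelNetworks failures I would write `if err := dropPrivilege(); err != nil { sylog.Errorf("could not drop privileges: %v", err) }`, and in container_linux.go wrap the defer in a closure that does the same (assuming sylog is imported there as well). The escalation error is also thrown away in `dropPrivilege, _ = priv.Escalate()`; a `sylog.Debugf("could not escalate privileges: %v", err)` on that path would make a subsequent unprivileged, failing DelNetworks explainable from the log. The comment `// If a CNI configuration was allowed as non-root (or fakeroot)` is a fragment; `// Escalate only when a CNI configuration was allowed for a non-root (or fakeroot) user.` says what the condition guards. Both enclosing functions begin and end outside their hunks.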
@@ -15,20 +15,31 @@
 	"syscall"
 )
 
+type DropPrivFunc func() error
+
 // Escalate escalates privileges of the thread or process.
-// Since Go 1.16 syscall.Setresuid is an all-thread operation.
-// A runtime.LockOSThread operation remains for older versions of Go.
-func Escalate() error {
+// Since Go 1.16 syscall.Setresuid is an all-thread operation,
+// keep calling syscall directly to restore old behavior of
+// changing the UID for the locked thread only.
+func Escalate() (DropPrivFunc, error) {
 	runtime.LockOSThread()
-	uid := os.Getuid()
-	return syscall.Setresuid(0, 0, uid)
-}
 
-// Drop drops privileges of the thread or process.
-// Since Go 1.16 syscall.Setresuid is an all-thread operation.
-// A runtime.LockOSThread operation remains for older versions of Go.
-func Drop() error {
-	defer runtime.UnlockOSThread()
 	uid := os.Getuid()
-	return syscall.Setresuid(uid, uid, 0)
+
+	_, _, errno := syscall.Syscall(syscall.SYS_SETRESUID, 0, 0, uintptr(uid))
+	if errno != 0 {
+		return nil, errno
+	}
+
+	return func() error {
+		_, _, errno := syscall.Syscall(syscall.SYS_SETRESUID, uintptr(uid), uintptr(uid), 0)
+
+		runtime.UnlockOSThread()
+
+		if errno != 0 {
+			return errno
+		}
+
+		return nil
+	}, nil
 }
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/apptainer/vendor.tar.gz /work/SRC/openSUSE:Factory/.apptainer.new.15225/vendor.tar.gz differ: char 18, line 1
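Review bot: Escalate leaves the OS thread locked when the first setresuid fails: `runtime.LockOSThread()` runs before the raw syscall, but the `if errno != 0 { return nil, errno }` branch returns without the matching unlock, so the goroutine stays pinned for the rest of its life; the branch should read `if errno != 0 { runtime.UnlockOSThread(); return nil, errno }`. In the returned closure the thread is unlocked before errno is examined, so when the drop fails the thread still has euid 0 yet is handed back to the scheduler for other goroutines; unlocking only after a successful drop, with callers treating a drop error as fatal, keeps a still-privileged thread from being reused. `DropPrivFunc` is an exported type with no doc comment; I would add `// DropPrivFunc restores the UIDs changed by Escalate and unlocks the OS thread; call it once, from the goroutine that called Escalate.`. On linux/386 and linux/arm `syscall.SYS_SETRESUID` is, as far as I recall, the legacy 16-bit call (Go's own `syscall.Setresuid` uses `SYS_SETRESUID32` there), so UIDs above 65535 would be rejected on those targets unless the constant is selected per architecture — worth confirming against the supported platforms. Separately, the package changelog entry earlier on this page says CVE-2023-38496 is "not relevant as package is compiled with setuid", while the upstream CHANGELOG hunk describes the ineffective drop as affecting setuid installations, so that wording looks inverted and deserves a second look before it ships.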