Source: singularity-container
Version: 3.1.1+ds-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for singularity-container.

CVE-2019-11328[0]:
| An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious
| user with local/network access to the host system (e.g. ssh) could
| exploit this vulnerability due to insecure permissions allowing a user
| to edit files within
| `/run/singularity/instances/sing/<user>/<instance>`. The
| manipulation of those files can change the behavior of the starter-
| suid program when instances are joined resulting in potential
| privilege escalation on the host.

Could you furthermore check, is this only introduced in the 3.1.0
series really or just are those the versions checked for the issue,
but earlier versions might be affected as well?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11328
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11328

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to