Source: singularity-container
Version: 3.11.0+ds1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for singularity-container. The issue, originally reported for apptainer, affects singularity in the same way.

CVE-2023-30549[0]:
| Apptainer is an open source container platform for Linux. There is an
| ext4 use-after-free flaw that is exploitable through versions of
| Apptainer < 1.1.0, installations that include apptainer-suid <
| 1.1.8, and all versions of Singularity in their default configurations
| on older operating systems where that CVE has not been patched. That
| includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the
| linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04
| focal. Use-after-free flaws in the kernel can be used to attack the
| kernel for denial of service and potentially for privilege escalation.
| Apptainer 1.1.8 includes a patch that by default disables mounting of
| extfs filesystem types in setuid-root mode, while continuing to allow
| mounting of extfs filesystems in non-setuid "rootless" mode using
| fuse2fs. Some workarounds are possible. Either do not install
| apptainer-suid (for versions 1.1.0 through 1.1.7) or set `allow setuid
| = no` in apptainer.conf (or singularity.conf for singularity
| versions). This requires having unprivileged user namespaces enabled
| and except for apptainer 1.1.x versions will disallow mounting of sif
| files, extfs files, and squashfs files in addition to other, less
| significant impacts. (Encrypted sif files are also not supported
| unprivileged in apptainer 1.1.x.). Alternatively, use the `limit
| containers` options in apptainer.conf/singularity.conf to limit sif
| files to trusted users, groups, and/or paths, and set `allow container
| extfs = no` to disallow mounting of extfs overlay files. The latter
| option by itself does not disallow mounting of extfs overlay
| partitions inside SIF files, so that's why the former options are also
| needed.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-30549
    https://www.cve.org/CVERecord?id=CVE-2023-30549
[1] https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg

Regards,
Salvatore
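An added example, not part of the bug report or of the singularity project, that checks a singularity.conf/apptainer.conf fragment against the two workaround configurations quoted in the advisory (either `allow setuid = no`, or `allow container extfs = no` combined with a non-empty `limit container owners/groups/paths`). The key names and their `yes` defaults are the standard singularity.conf settings; the two conf fragments are constructed samples.

```python
from typing import Dict, List

# Constructed sample: default-style config that still permits setuid extfs mounts.
UNMITIGATED_CONF = """\
# singularity.conf excerpt (constructed sample)
allow setuid = yes
allow container extfs = yes
limit container owners =
limit container groups =
limit container paths =
"""

# Constructed sample: second workaround from the advisory (extfs off, sif limited).
HARDENED_CONF = """\
allow setuid = yes
allow container extfs = no
limit container owners = root, builduser
limit container paths = /opt/containers
"""

LIMIT_KEYS = ("limit container owners", "limit container groups", "limit container paths")

def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' comments and blank lines are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf

def findings(conf: Dict[str, str]) -> List[str]:
    """Return the list of gaps left open; an empty list means a workaround is in place."""
    if conf.get("allow setuid", "yes").lower() == "no":
        return []                       # first workaround: no setuid mode at all
    gaps: List[str] = []
    if conf.get("allow container extfs", "yes").lower() != "no":
        gaps.append("allow container extfs is not 'no': setuid extfs mounts permitted")
    if not any(conf.get(k, "") for k in LIMIT_KEYS):
        gaps.append("no 'limit container *' restriction: SIF-embedded extfs overlays unrestricted")
    return gaps

def is_mitigated(text: str) -> bool:
    return not findings(parse_conf(text))
```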

