Source: singularity-container
Version: 4.1.5+ds4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for singularity-container.

CVE-2025-64750[0]:
| SingularityCE and SingularityPRO are open source container
| platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11
| and 4.3.5, if a user relies on LSM restrictions to prevent malicious
| operations then, under certain circumstances, an attacker can
| redirect the LSM label write operation so that it is ineffective.
| The attacker must cause the user to run a malicious container image
| that redirects the mount of /proc to the destination of a shared
| mount, either known to be configured on the target system, or that
| will be specified by the user when running the container. The
| attacker must also control the content of the shared mount, for
| example through another malicious container which also binds it, or
| as a user with relevant permissions on the host system it is bound
| from. This vulnerability is fixed in SingularityCE 4.3.5 and
| SingularityPRO 4.1.11 and 4.3.5.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-64750
    https://www.cve.org/CVERecord?id=CVE-2025-64750
[1] https://github.com/sylabs/singularity/security/advisories/GHSA-wwrx-w7c9-rf87

Regards,
Salvatore
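The advisory above describes a write to an LSM attribute file under /proc that silently lands on a different filesystem because the /proc mount was redirected. The following Go snippet is an added illustration of the kind of sanity check a defender can put in front of such a write: it refuses to write the label unless the target path is actually backed by procfs (checked via the filesystem magic returned by statfs). It is not code from the singularity project, not the upstream fix for CVE-2025-64750, and the function names (IsProcfs, WriteLSMLabel) and the attribute path used in main are this example's own assumptions; it only rejects redirects onto a non-procfs filesystem and says nothing about other aspects of the advisory.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// procSuperMagic is the f_type value Linux reports for procfs
// (PROC_SUPER_MAGIC in <linux/magic.h>).
const procSuperMagic = 0x9fa0

// isProcfsType reports whether a statfs f_type value identifies procfs.
func isProcfsType(fsType int64) bool {
	return fsType == procSuperMagic
}

// IsProcfs reports whether the filesystem backing path is procfs.
// A redirected /proc that points at a bind or shared mount of some
// other filesystem type fails this check.
func IsProcfs(path string) (bool, error) {
	var st syscall.Statfs_t
	if err := syscall.Statfs(path, &st); err != nil {
		return false, err
	}
	// st.Type is int32 or int64 depending on the architecture; widen it.
	return isProcfsType(int64(st.Type)), nil
}

// WriteLSMLabel writes label to attrPath (hypothetically something like
// /proc/self/attr/exec) only after confirming the target is on procfs,
// so that a write redirected onto another filesystem is refused instead
// of silently becoming a no-op for the LSM.
func WriteLSMLabel(attrPath, label string) error {
	ok, err := IsProcfs(attrPath)
	if err != nil {
		return fmt.Errorf("statfs %s: %w", attrPath, err)
	}
	if !ok {
		return fmt.Errorf("refusing to write LSM label: %s is not on procfs", attrPath)
	}
	return os.WriteFile(attrPath, []byte(label), 0)
}

func main() {
	// Stand-alone demonstration: report which of two paths is procfs.
	for _, p := range []string{"/proc", "/"} {
		ok, err := IsProcfs(p)
		fmt.Printf("%s procfs=%v err=%v\n", p, ok, err)
	}
	// Writing a label through a path that is not procfs is refused.
	fmt.Println(WriteLSMLabel("/", "example_label"))
}
```

The check is deliberately placed on the attribute file itself rather than on the /proc directory, so it follows whatever the path resolves to at the moment of the write.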

