Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
Please unblock package singularity-container
The 2.2 release contained a vulnerability described in detail upstream at
https://github.com/singularityware/singularity/releases/tag/2.2.1 :
In versions of Singularity previous to 2.2.1, it was possible for a malicious
user to create and manipulate specifically crafted raw devices within
containers they own. Utilizing MS_NODEV as a container image mount option
mitigates this potential vector of attack. As a result, this update should be
implemented with high urgency. A big thanks to Mattias Wadenstein (@UMU in
Sweden) for identifying and reporting this issue!
2.2-2 (debdiff attached) was prepared in collaboration with upstream to cover
that vulnerability and address a few other possibly security-related (snprintf)
and functionality-related issues. security@d.o was provided with the debdiff and
no negative opinions were expressed.
unblock singularity-container/2.2-2
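Added example, not Singularity's code and not part of this bug report: a check an administrator can run after the update to confirm that a mounted image actually carries the nodev option, by parsing /proc/self/mountinfo records (the record lines, mount points and loop devices used for testing are constructed).

```c
/* Added example, not Singularity's own code: check that a mounted container image
 * carries "nodev" by parsing /proc/self/mountinfo records, which look like
 * "id parent maj:min root mountpoint opts [optional...] - fstype source superopts". */
#include <string.h>

/* Cut the next sep-delimited token out of *rest, in place; NULL when exhausted. */
static char *cut(char **rest, char sep) {
    char *tok = *rest, *end;
    if (!tok || !*tok) return NULL;
    if ((end = strchr(tok, sep))) { *end = '\0'; *rest = end + 1; } else *rest = tok + strlen(tok);
    return tok;
}

/* Paths in mountinfo escape space, tab, newline and backslash as \040 \011 \012 \134. */
static void unescape(char *s) {
    char *w = s;
    for (; *s; s++) {
        if (*s == '\\' && s[1] >= '0' && s[1] <= '7' && s[2] >= '0' && s[2] <= '7' &&
            s[3] >= '0' && s[3] <= '7') {
            *w++ = (char)(((s[1] - '0') << 6) | ((s[2] - '0') << 3) | (s[3] - '0'));
            s += 3;
        } else *w++ = *s;
    }
    *w = '\0';
}

/* One record (parsed in place): 1 if it is `mountpoint` with per-mount option `opt`,
 * 0 if it is `mountpoint` without it, -1 if another mount, -2 if malformed. */
int mountinfo_has_opt(char *line, const char *mountpoint, const char *opt) {
    char *f[6], *tok;
    for (int i = 0; i < 6; i++)   /* id, parent, maj:min, root, mountpoint, options */
        if (!(f[i] = cut(&line, ' '))) return -2;
    unescape(f[4]);
    if (strcmp(f[4], mountpoint) != 0) return -1;
    /* comma-separated list; match whole tokens so "dev" never matches "nodev" */
    while ((tok = cut(&f[5], ',')))
        if (strcmp(tok, opt) == 0) return 1;
    return 0;
}

/* Whole mountinfo text (read from /proc/self/mountinfo; modified in place). The last
 * record for `mountpoint` wins, being the topmost mount there: 1 has opt, 0 lacks it, -1 absent. */
int mount_has_opt(char *mountinfo, const char *mountpoint, const char *opt) {
    char *line;
    int result = -1, r;
    while ((line = cut(&mountinfo, '\n')))
        if ((r = mountinfo_has_opt(line, mountpoint, opt)) >= 0) result = r;
    return result;
}
```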
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 'unstable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru singularity-container-2.2/debian/changelog
singularity-container-2.2/debian/changelog
--- singularity-container-2.2/debian/changelog 2016-11-30 12:33:01.0
-0500
+++ singularity-container-2.2/debian/changelog 2017-02-09 16:27:55.0
-0500
@@ -1,3 +1,24 @@
+singularity-container (2.2-2) unstable; urgency=high
+
+ * debian/patches - picks up from upcoming 2.2.1 release
+critical functionality and possibly security-related fixes
+- changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
+ to support mounting ext4 formatted images read-only
+- changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
+ to utilize mount option MS_NODEV for images
+ (fixes potential security implications)
+- changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
+ to fix bootstrapping ran as root (thus no MS_NODEV restriction
+ from above patch should be applied)
+- changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
+ exit with error if snprintf would have went out of bounds
+- changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
+ changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
+ changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
+ Various obvious fixes (updated URLs, apt --force-yes)
+
+ -- Yaroslav Halchenko Thu, 09 Feb 2017 16:27:55 -0500
+
singularity-container (2.2-1) unstable; urgency=medium
[ Mehdi Dogguy ]
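Review bot: the entry `+ (fixes potential security implications)` for the MS_NODEV patch gives the security tracker nothing to match on; add the upstream advisory URL quoted in the bug body (https://github.com/singularityware/singularity/releases/tag/2.2.1) and a CVE id if one gets assigned. The following entry, `+ to fix bootstrapping ran as root (thus no MS_NODEV restriction`, should state explicitly that the exemption applies only when bootstrap itself runs as root, so nobody reads it as weakening the protection for user-owned images. Minor wording: `would have went out of bounds` should read `would have gone out of bounds`.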
diff -Nru
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
---
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
1969-12-31 19:00:00.0 -0500
+++
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
2017-02-09 16:27:55.0 -0500
@@ -0,0 +1,21 @@
+From: Gregory M. Kurtzer
+Subject: Use --force-yes
+
+--- a/examples/debian.def
b/examples/debian.def
+@@ -16,5 +16,5 @@ MirrorURL: http://ftp.us.debian.org/debi
+ %post
+ echo "Hello from inside the container"
+ apt-get update
+-apt-get -y install vim
++apt-get -y --force-yes install vim
+
+--- a/examples/ubuntu.def
b/examples/ubuntu.def
+@@ -16,5 +16,5 @@ MirrorURL: http://us.archive.ubuntu.com/
+ %post
+ echo "Hello from inside the container"
+ sed -i 's/$/ universe/' /etc/apt/sources.list
+-apt-get -y install vim
++apt-get -y --force-yes install vim
+
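Review bot: `++apt-get -y --force-yes install vim` in both example definitions trades away apt's safety checks: `--force-yes` is the deprecated catch-all that, among other things, makes apt proceed when packages cannot be authenticated, so the bootstrap templates now demonstrate unauthenticated installs. If the motivation is a missing keyring during bootstrap, the narrower `--allow-unauthenticated` (or, better, installing the keyring first) is the fix, and the patch header should say why the flag is needed at all. Also add a DEP-3 `Origin:` line pointing at upstream commit 0935d68145ce575444b7ced43417cc6fccffd670 (the hash in the patch file name) so the provenance is recorded in the patch, not only in the changelog.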
diff -Nru
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
---
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
1969-12-31 19:00:00.0 -0500
+++
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
2017-02-09 16:27:55.0 -0500
@@ -0,0 +1,14 @@
+From: Nekel-Seyew
+Subject: added an ERRNO==ENOENT clause
+
+--- a/src/lib/file/group/group.c
b/src/lib/file/group/group.c
+@@ -139,7 +139,7 @@ int singularity_file_group(void) {
+ singularity_message(VERBOSE3, "Found supplementary group
membership in: %d\n", gids[i]);
+ singularity_message(VERBOSE2, "Adding user's supplementary
group ('%s') info to template group file\n",
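Review bot: `+Subject: added an ERRNO==ENOENT clause` is the only description of this change, and the visible context lines show the supplementary-group template code but not the new clause, so a reader of the package cannot tell which missing file is being tolerated or why it is safe to treat ENOENT as non-fatal. Add a DEP-3 `Origin:` line with the upstream commit (0d04edaeb5cb3607ab25588f4db177c0878adcc0 from the file name) and a `Description:` sentence giving that rationale.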