Bug#855216: unblock: singularity-container/2.2-2

2017-02-15 Thread Niels Thykier
Yaroslav Halchenko:
> [...]
> 
> Thank you!
> 

No problem :)

> Is there a chance to kick-force it to migrate before the 10-day waiting
> period ends, due to the security-related aspect?  It is on the 5th day ATM.
> 

Already included :)

"""
$ hint grep  singularity-container
==> nthykier
  #2017-02-15
  # #855216
  age-days 5 singularity-container/2.2-2
  unblock singularity-container/2.2-2
nthykier@respighi:~$
"""

~Niels



Bug#855216: unblock: singularity-container/2.2-2

2017-02-15 Thread Sébastien Delafond
Dear Release Managers,

the Security Team has reviewed the diff related to this security
problem, and we support the unblock request.

Cheers,

--Seb



Bug#855216: unblock: singularity-container/2.2-2

2017-02-15 Thread Yaroslav Halchenko
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package singularity-container

The 2.2 release contained a vulnerability described in detail upstream at
https://github.com/singularityware/singularity/releases/tag/2.2.1 :
In versions of Singularity previous to 2.2.1, it was possible for a malicious 
user to create and manipulate specifically crafted raw devices within 
containers they own. Utilizing MS_NODEV as a container image mount option 
mitigates this potential vector of attack. As a result, this update should be 
implemented with high urgency. A big thanks to Mattias Wadenstein (@UMU in 
Sweden) for identifying and reporting this issue!

2.2-2 (debdiff attached) was prepared in collaboration with upstream to cover
that vulnerability and to address a few other possibly security-related (snprintf)
and functionality-related issues.  security@d.o was provided with the debdiff and
no negative opinions were expressed.

unblock singularity-container/2.2-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 'unstable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru singularity-container-2.2/debian/changelog 
singularity-container-2.2/debian/changelog
--- singularity-container-2.2/debian/changelog  2016-11-30 12:33:01.0 
-0500
+++ singularity-container-2.2/debian/changelog  2017-02-09 16:27:55.0 
-0500
@@ -1,3 +1,24 @@
+singularity-container (2.2-2) unstable; urgency=high
+
+  * debian/patches - picks up from upcoming 2.2.1 release
+critical functionality and possibly security-related fixes
+- changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff
+  to support mounting ext4 formatted images read-only
+- changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff
+  to utilize mount option MS_NODEV for images
+  (fixes potential security implications)
+- changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff
+  to fix bootstrapping ran as root (thus no MS_NODEV restriction
+  from above patch should be applied)
+- changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff
+  exit with error if snprintf would have went out of bounds
+- changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff
+  changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
+  changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
+  Various obvious fixes (updated URLs, apt --force-yes)
+
+ -- Yaroslav Halchenko   Thu, 09 Feb 2017 16:27:55 -0500
+
 singularity-container (2.2-1) unstable; urgency=medium
 
   [ Mehdi Dogguy ]
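Review bot: the changelog entry for changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff says only "fixes potential security implications" and gives no pointer to the upstream 2.2.1 release notes that describe the device-node issue; since the unblock request quotes that URL, it belongs in the entry (and in the patch's DEP-3 header) so that future readers of the package history can find the advisory. The "Various obvious fixes (updated URLs, apt --force-yes)" line also understates the last item: adding --force-yes to the example definition files changes their security posture, because apt-get documents --force-yes as a dangerous option that makes apt continue where it would otherwise stop, including when packages cannot be authenticated; the entry should say why it was needed rather than file it under "obvious fixes".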
diff -Nru 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
--- 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
1969-12-31 19:00:00.0 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff
2017-02-09 16:27:55.0 -0500
@@ -0,0 +1,21 @@
+From: Gregory M. Kurtzer 
+Subject: Use --force-yes
+
+--- a/examples/debian.def
 b/examples/debian.def
+@@ -16,5 +16,5 @@ MirrorURL: http://ftp.us.debian.org/debi
+ %post
+ echo "Hello from inside the container"
+ apt-get update
+-apt-get -y install vim
++apt-get -y --force-yes install vim
+ 
+--- a/examples/ubuntu.def
 b/examples/ubuntu.def
+@@ -16,5 +16,5 @@ MirrorURL: http://us.archive.ubuntu.com/
+ %post
+ echo "Hello from inside the container"
+ sed -i 's/$/ universe/' /etc/apt/sources.list
+-apt-get -y install vim
++apt-get -y --force-yes install vim
+ 
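Review bot: the hunks for examples/debian.def and examples/ubuntu.def switch the bootstrap step to "apt-get -y --force-yes install vim", and --force-yes suppresses apt's safety checks wholesale, including the refusal to install unauthenticated packages; these .def files are the templates users copy, so the option will propagate silently into real container builds. Prefer fixing the underlying cause of the prompt (for instance a missing or stale archive keyring in the bootstrap) or, if a bypass is unavoidable, add a comment in the .def file stating why so that users can decide to remove it. The patch header also lacks a DEP-3 Origin: line for the upstream commit named in the file name, and as pasted here the "+++ b/examples/debian.def" and "+++ b/examples/ubuntu.def" header lines are missing (only the "b/..." remainder survives), so the file should be checked for the same damage in the archive copy.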
diff -Nru 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
--- 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
1969-12-31 19:00:00.0 -0500
+++ 
singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
2017-02-09 16:27:55.0 -0500
@@ -0,0 +1,14 @@
+From: Nekel-Seyew 
+Subject: added an ERRNO==ENOENT clause
+
+--- a/src/lib/file/group/group.c
 b/src/lib/file/group/group.c
+@@ -139,7 +139,7 @@ int singularity_file_group(void) {
+ singularity_message(VERBOSE3, "Found supplementary group 
membership in: %d\n", gids[i]);
+ singularity_message(VERBOSE2, "Adding user's supplementary 
group ('%s') info to template group file\n",