Bugzilla – Bug 1100333
VUL-0: CVE-2018-12021: singularity: Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system
Last modified: 2021-11-08 14:35:17 UTC
CVE-2018-12021 Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system. When using the overlay option, a malicious user may access sensitive information by exploiting a few specific Singularity features. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12021 https://github.com/singularityware/singularity/releases/tag/2.5.2
Created SR in obs for this issue.
I've accepted Christian's SR, added a cleanup on top and submitted it to Factory. There are two issues remaining: 1. The reason for singularity still being 2.3 was the still pending issue that the singularity image has been using squashfs by default since 2.4. I'm still waiting for a security assessment on this. 2. We cannot update the package in PackageHub unless we update the permissions file for SLE-12(-SP2/3) as well. Marcus, what's your suggestion on how we should proceed?
This is an autogenerated message for OBS integration: This bug (1100333) was mentioned in https://build.opensuse.org/request/show/622011 Factory / singularity
https://github.com/singularityware/singularity/commit/6641c446105e86fe68d72c72571a5307d9d831a1 this is the patch for this issue I think.
So, in other words you would suggest to backport the patch for package hub instead of updating? I'm not sure about the packageHub policy - if it is possible to backport a fix like this as the same commit is not part of Factory. Wolfgang - what do you think? Would it help to get a (fixed) singularity package into Leap 42.3?
A backport would be the easy way to avoid waiting for other dependencies. If you want the new versions we can work towards that, but this will probably take longer.
Ok, this particular use of the overlay fs was not even part of 2.3.2. I did backport the fix for the other issues that were 'sneaked' into the same commit. The results can be found in home:eeich:branches:OBS_Maintained:singularity singularity.openSUSE_Backports_SLE-12-SP3. I did revoke the SR of 2.5.2 to Factory, however it is still in the devel project. If we need this fix in Factory, we need to switch to a different devel project. I've created an MR for PackageHub now: ID 622172.
This is an autogenerated message for OBS integration: This bug (1100333) was mentioned in https://build.opensuse.org/request/show/622172 Backports:SLE-12-SP3 / singularity
openSUSE-SU-2018:1969-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1100333 CVE References: CVE-2018-12021 Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): singularity-2.3.2-11.1
Hi Egbert, please let me know when you are ready to
(In reply to Egbert Eich from comment #5)
> So, in other words you would suggest to backport the patch for package hub
> instead of updating?
> I'm not sure about the packageHub policy - if it is possible to backport a
> fix like this as the same commit is not part of Factory.
> Wolfgang - what do you think? Would it help to get a (fixed) singularity
> package into Leap 42.3?

That's okay since we are also able to pick this up from Leap 42.3.
(In reply to Wolfgang Engel from comment #10)
> Hi Egbert, please let me know when you are ready to
> (In reply to Egbert Eich from comment #5)
> > So, in other words you would suggest to backport the patch for package hub
> > instead of updating?
> > I'm not sure about the packageHub policy - if it is possible to backport a
> > fix like this as the same commit is not part of Factory.
> > Wolfgang - what do you think? Would it help to get a (fixed) singularity
> > package into Leap 42.3?
>
> That's okay since we are also able to pick this up from Leap 42.3.

Wolfgang, I've MRed an update for PackageHub (see comment #8). Singularity is not in 42.3 so far. Meanwhile the update has been released already (see comment #9). ATM I don't plan to put singularity in Leap 42.3 (or 15.0) - I would much prefer to get some auditing for version 2.5.2.
This is an autogenerated message for OBS integration: This bug (1100333) was mentioned in https://build.opensuse.org/request/show/641919 Backports:SLE-15 / singularity
This is an autogenerated message for OBS integration: This bug (1100333) was mentioned in https://build.opensuse.org/request/show/641924 15.0+Backports:SLE-15 / singularity
This is an autogenerated message for OBS integration: This bug (1100333) was mentioned in https://build.opensuse.org/request/show/641942 15.0 / singularity
openSUSE-SU-2018:3316-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1100333 CVE References: CVE-2018-12021 Sources used: openSUSE Leap 15.0 (src): singularity-2.6.0-lp150.2.3.1 openSUSE Backports SLE-15 (src): singularity-2.6.0-bp150.3.3.1
openSUSE-SU-2019:0095-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1100333,1111411 CVE References: CVE-2018-12021,CVE-2018-19295 Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): singularity-2.6.1-14.1