Bug 1100333 - (CVE-2018-12021) VUL-0: CVE-2018-12021: singularity: Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Basesystem
Version: Leap 42.3
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Egbert Eich
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/209630/
Reported: 2018-07-06 05:03 UTC by Marcus Meissner
Modified: 2021-11-08 14:35 UTC (History)

Found By: Security Response Team

Description Marcus Meissner 2018-07-06 05:03:23 UTC
CVE-2018-12021

Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on
systems supporting overlay file system. When using the overlay option, a
malicious user may access sensitive information by exploiting a few specific
Singularity features.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12021
https://github.com/singularityware/singularity/releases/tag/2.5.2
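The description gives only an upstream version range, and the advisories later in this bug show why a naive check on that range misleads on distro packages: SUSE Package Hub 12 fixed the issue as a backport in singularity-2.3.2-11.1 (comment 9), while upstream 2.3.2 is still inside the affected 2.3.0 through 2.5.1 range. The following is an added example, written for this page and not code from the bug, Singularity or SUSE, that compares an installed version-release string against both the upstream range and the advisory source packages quoted in comments 9 and 15. The version comparison is a simplified rpm-style segment compare (digit runs numeric, letter runs lexical), not a call into librpm; the older release numbers used in the checks below (such as 2.3.2-10.1) are hypothetical and only illustrate an unpatched package.

```python
"""Check a Singularity version against CVE-2018-12021.

Added example for this bug page; not part of the project or the advisories.
Inputs are version-release strings such as "2.3.2-11.1" (as printed by
`rpm -q singularity` without the name and arch) or plain "2.5.1".
"""
import re
from typing import List, Optional, Tuple, Union

# Upstream range from the CVE description; 2.5.2 is the fixed release.
UPSTREAM_FIRST_AFFECTED = "2.3.0"
UPSTREAM_LAST_AFFECTED = "2.5.1"

# Source package versions quoted in the openSUSE advisories in this bug.
ADVISORY_FIXED = {
    "SUSE Package Hub 12": "2.3.2-11.1",               # openSUSE-SU-2018:1969-1
    "openSUSE Leap 15.0": "2.6.0-lp150.2.3.1",         # openSUSE-SU-2018:3316-1
    "openSUSE Backports SLE-15": "2.6.0-bp150.3.3.1",  # openSUSE-SU-2018:3316-1
}

Segment = Union[int, str]


def _segments(s: str) -> List[Segment]:
    """Split '2.6.0' or 'lp150.2.3.1' into comparable segments.
    Simplified rpm rule: digit runs compare as integers, letter runs as text."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]


def _cmp_segments(a: List[Segment], b: List[Segment]) -> int:
    """Return -1, 0 or 1 like a C comparator."""
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        # rpm rule: a numeric segment is newer than an alphabetic one
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    # all shared segments equal: the one with segments left over is newer
    return (len(a) > len(b)) - (len(a) < len(b))


def split_vr(evr: str) -> Tuple[str, Optional[str]]:
    """'2.3.2-11.1' -> ('2.3.2', '11.1'); '2.5.1' -> ('2.5.1', None)."""
    version, _, release = evr.partition("-")
    return version, (release or None)


def compare_vr(a: str, b: str) -> int:
    """Compare version first, then release; release is ignored if either side lacks one."""
    av, ar = split_vr(a)
    bv, br = split_vr(b)
    c = _cmp_segments(_segments(av), _segments(bv))
    if c != 0 or ar is None or br is None:
        return c
    return _cmp_segments(_segments(ar), _segments(br))


def upstream_affected(evr: str) -> bool:
    """True when the upstream version lies in 2.3.0 .. 2.5.1 inclusive."""
    version, _ = split_vr(evr)
    return (compare_vr(version, UPSTREAM_FIRST_AFFECTED) >= 0
            and compare_vr(version, UPSTREAM_LAST_AFFECTED) <= 0)


def distro_patched(product: str, evr: str) -> bool:
    """True when version-release is at least the advisory's source package."""
    return compare_vr(evr, ADVISORY_FIXED[product]) >= 0


def assess(evr: str, product: Optional[str] = None) -> str:
    """'vulnerable', 'fixed', or 'fixed (backport)' for a package whose
    upstream version is still in the affected range but carries the fix."""
    if product is not None and distro_patched(product, evr):
        return "fixed (backport)" if upstream_affected(evr) else "fixed"
    return "vulnerable" if upstream_affected(evr) else "fixed"


if __name__ == "__main__":
    print(assess("2.5.1"))                                # upstream only
    print(assess("2.3.2-11.1", "SUSE Package Hub 12"))    # backported fix
    print(assess("2.6.0-lp150.2.3.1", "openSUSE Leap 15.0"))
```

The point of the split between upstream_affected and distro_patched is that a scanner keyed only on the upstream version string would flag the patched Package Hub 2.3.2-11.1 package as vulnerable, and a plain string comparison of releases would order 9.1 after 11.1; both mistakes are common in home-grown version checks.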
Comment 1 Christian Goll 2018-07-06 08:36:29 UTC
Created SR in obs for this issue.
Comment 2 Egbert Eich 2018-07-11 06:21:47 UTC
I've accepted Christian's SR, added a cleanup on top and submitted it to Factory.

There are two issues remaining:
1. The reason for singularity still being 2.3 was the still pending issue that 
   the singularity image has been using squashfs by default since 2.4.
   I'm still waiting for a security assessment on this.
2. We cannot update the package in PackageHub unless we update the permissions 
   file for SLE-12(-SP2/3) as well.

Marcus, what's your suggestion on how we should proceed?
Comment 3 Swamp Workflow Management 2018-07-11 06:50:05 UTC
This is an autogenerated message for OBS integration:
This bug (1100333) was mentioned in
https://build.opensuse.org/request/show/622011 Factory / singularity
Comment 4 Marcus Meissner 2018-07-11 12:53:18 UTC
https://github.com/singularityware/singularity/commit/6641c446105e86fe68d72c72571a5307d9d831a1

this is the patch for this issue I think.
Comment 5 Egbert Eich 2018-07-11 13:05:33 UTC
So, in other words you would suggest to backport the patch for package hub instead of updating?
I'm not sure about the packageHub policy - if it is possible to backport a fix like this as the same commit is not part of Factory. 
Wolfgang - what do you think? Would it help to get a (fixed) singularity package into Leap 42.3?
Comment 6 Marcus Meissner 2018-07-11 14:25:22 UTC
A backport would be the easy way to avoid waiting for other dependencies.

if you want the new versions we can work towards that, but this will probably take longer.
Comment 7 Egbert Eich 2018-07-11 19:54:58 UTC
OK, this particular use of the overlay fs was not even part of 2.3.2. I did backport the fix for the other issues that were 'sneaked' into the same commit.

The results can be found in home:eeich:branches:OBS_Maintained:singularity singularity.openSUSE_Backports_SLE-12-SP3.
I did revoke the SR of 2.5.2 to Factory, however it is still in the devel project. If we need this fix in Factory, we need to switch to a different devel project.
I've created an MR for PackageHub now: ID 622172.
Comment 8 Swamp Workflow Management 2018-07-11 20:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1100333) was mentioned in
https://build.opensuse.org/request/show/622172 Backports:SLE-12-SP3 / singularity
Comment 9 Swamp Workflow Management 2018-07-16 13:08:04 UTC
openSUSE-SU-2018:1969-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1100333
CVE References: CVE-2018-12021
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    singularity-2.3.2-11.1
Comment 10 Wolfgang Engel 2018-07-16 21:40:22 UTC
Hi Egbert, please let me know when you are ready to (In reply to Egbert Eich from comment #5)
> So, in other words you would suggest to backport the patch for package hub
> instead of updating?
> I'm not sure about the packageHub policy - if it is possible to backport a
> fix like this as the same commit is not part of Factory. 
> Wolfgang - what do you think? Would it help to get a (fixed) singularity
> package into Leap 42.3?

That's okay since we are also able to pick this up from Leap 42.3.
Comment 11 Egbert Eich 2018-07-18 20:48:00 UTC
(In reply to Wolfgang Engel from comment #10)
> Hi Egbert, please let me know when you are ready to (In reply to Egbert Eich
> from comment #5)
> > So, in other words you would suggest to backport the patch for package hub
> > instead of updating?
> > I'm not sure about the packageHub policy - if it is possible to backport a
> > fix like this as the same commit is not part of Factory. 
> > Wolfgang - what do you think? Would it help to get a (fixed) singularity
> > package into Leap 42.3?
> 
> That's okay since we are also able to pick this up from Leap 42.3.

Wolfgang, I've MRed an update for PackageHub (see comment #8). Singularity is not in 42.3 so far. Meanwhile the update has been released already (See comment #9).
ATM I don't plan to put singularity in Leap 42.3 (or 15.0) - I would much prefer to get some auditing for version 2.5.2.
Comment 12 Swamp Workflow Management 2018-10-14 11:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1100333) was mentioned in
https://build.opensuse.org/request/show/641919 Backports:SLE-15 / singularity
Comment 13 Swamp Workflow Management 2018-10-14 12:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1100333) was mentioned in
https://build.opensuse.org/request/show/641924 15.0+Backports:SLE-15 / singularity
Comment 14 Swamp Workflow Management 2018-10-14 18:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1100333) was mentioned in
https://build.opensuse.org/request/show/641942 15.0 / singularity
Comment 15 Swamp Workflow Management 2018-10-23 13:16:35 UTC
openSUSE-SU-2018:3316-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1100333
CVE References: CVE-2018-12021
Sources used:
openSUSE Leap 15.0 (src):    singularity-2.6.0-lp150.2.3.1
openSUSE Backports SLE-15 (src):    singularity-2.6.0-bp150.3.3.1
Comment 16 Swamp Workflow Management 2019-01-29 14:14:42 UTC
openSUSE-SU-2019:0095-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1100333,1111411
CVE References: CVE-2018-12021,CVE-2018-19295
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    singularity-2.6.1-14.1