First Last Prev Next    This bug is not in your last search results.
Bug 1174150 - (CVE-2020-13845) VUL-0: CVE-2020-13845: singularity: improper validation of an Integrity Check Value when ECL policy is enforced
(CVE-2020-13845)
VUL-0: CVE-2020-13845: singularity: improper validation of an Integrity Check...
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.1
Other Other
: P3 - Medium : Major (vote)
: ---
Assigned To: Ana Guerrero
Security Team bot
https://smash.suse.de/issue/263370/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-07-15 08:18 UTC by Alexandros Toptsoglou
Modified: 2021-11-08 14:36 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2020-07-15 08:18:43 UTC 
CVE-2020-13845

Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check
Value. Image integrity is not validated when an ECL policy is enforced. The
fingerprint required by the ECL is compared against the signature object
descriptor(s) in the SIF file, rather than to a cryptographically validated
signature.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13845
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13845.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13845
https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c
https://medium.com/sylabs
Comment 1 Egbert Eich 2020-07-15 10:29:54 UTC 
Bascially, this amounts to updating singularity 3.6.0 (please mention this CVE and bug ID), submitting it to Factory and providing a maintenance update for Leap 15.0, 15.1 and 15.2.
Comment 2 Ana Guerrero 2020-07-15 15:44:15 UTC 
Singularity 3.6.0 updated in:

Factory:   https://build.opensuse.org/request/show/821083
Leap 15.2: https://build.opensuse.org/request/show/821122
Leap 15.1: https://build.opensuse.org/request/show/821131

Leap 15.0 has reached its end of life and does't have Go 1.13 needed by singularity since 3.5.
Comment 3 Swamp Workflow Management 2020-07-19 16:13:46 UTC 
openSUSE-SU-2020:1011-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174148,1174150,1174152
CVE References: CVE-2020-13845,CVE-2020-13846,CVE-2020-13847
Sources used:
openSUSE Leap 15.2 (src):    singularity-3.6.0-lp152.2.3.1
Comment 4 Swamp Workflow Management 2020-07-23 10:16:02 UTC 
openSUSE-SU-2020:1037-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1125369,1128598,1159550,1174148,1174150,1174152
CVE References: CVE-2019-11328,CVE-2019-19724,CVE-2020-13845,CVE-2020-13846,CVE-2020-13847
Sources used:
openSUSE Leap 15.1 (src):    singularity-3.6.0-lp151.2.6.1
Comment 5 Swamp Workflow Management 2020-09-18 16:49:48 UTC 
openSUSE-SU-2020:1100-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174148,1174150,1174152
CVE References: CVE-2020-13845,CVE-2020-13846,CVE-2020-13847
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    singularity-3.6.0-bp152.2.4.1
First Last Prev Next    This bug is not in your last search results.