Bug 1174152 - (CVE-2020-13847) VUL-0: CVE-2020-13847: singularity: no signing of metadata in the global header or data object descriptors of a SIF file
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Assigned To: Ana Guerrero
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/263372/
Reported: 2020-07-15 08:25 UTC by Alexandros Toptsoglou
Modified: 2021-11-08 14:36 UTC
Found By: Security Response Team
Description Alexandros Toptsoglou 2020-07-15 08:25:24 UTC
CVE-2020-13847

Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check.
Singularity's sign and verify commands do not sign metadata found in the global
header or data object descriptors of a SIF file.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13847
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-13847.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13847
https://github.com/hpcng/singularity/security/advisories/GHSA-m7j2-9565-4h9v
https://medium.com/sylabs
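The flaw described above, shown as an added example that is not Singularity's own code: a simplified image model (constructed for this example, not the real SIF on-disk layout) whose data-only digest does not change when a descriptor's metadata changes, beside a digest that binds the global header and each descriptor's metadata to its payload. The function names, the `Image`/`Descriptor` types and the use of ed25519 as a stand-in signing scheme are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Simplified model of a SIF image, constructed for this example (not the real on-disk layout).
type Descriptor struct {
	Name string // descriptor metadata (name/type tag)
	Data []byte // object payload
}
type Image struct {
	Header      string // stands in for the global header (arch, ID, timestamps)
	Descriptors []Descriptor
}

// DigestDataOnly covers only object payloads: the behaviour CVE-2020-13847 describes.
func DigestDataOnly(img Image) []byte {
	h := sha256.New()
	for _, d := range img.Descriptors {
		h.Write(d.Data)
	}
	return h.Sum(nil)
}

// DigestWithMetadata binds the global header and each descriptor's metadata to its payload.
// Every field is length-prefixed ("len:bytes") so adjacent fields cannot shift into each other.
func DigestWithMetadata(img Image) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s", len(img.Header), img.Header)
	for _, d := range img.Descriptors {
		fmt.Fprintf(h, "%d:%s", len(d.Name), d.Name)
		fmt.Fprintf(h, "%d:%s", len(d.Data), d.Data)
	}
	return h.Sum(nil)
}

// MetadataChangeDetected signs under the given digest, changes descriptor metadata only (payload untouched) and reports whether verification now fails.
func MetadataChangeDetected(digest func(Image) []byte) bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	img := Image{Header: "arch=amd64", Descriptors: []Descriptor{{"rootfs", []byte("squashfs bytes")}}}
	sig := ed25519.Sign(priv, digest(img))
	img.Descriptors[0].Name = "renamed"
	return !ed25519.Verify(pub, digest(img), sig)
}
func main() {
	fmt.Println("data-only:", MetadataChangeDetected(DigestDataOnly), "metadata-bound:", MetadataChangeDetected(DigestWithMetadata))
}
```

With the data-only digest the renamed descriptor still verifies, which is the gap the advisory describes; binding header and descriptor fields into the signed message closes it.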
Comment 1 Egbert Eich 2020-07-15 10:30:25 UTC
Basically, this amounts to updating singularity 3.6.0 (please mention this CVE and bug ID), submitting it to Factory and providing a maintenance update for Leap 15.0, 15.1 and 15.2.
Comment 2 Ana Guerrero 2020-07-15 15:44:25 UTC
Singularity 3.6.0 updated in:

Factory:   https://build.opensuse.org/request/show/821083
Leap 15.2: https://build.opensuse.org/request/show/821122
Leap 15.1: https://build.opensuse.org/request/show/821131

Leap 15.0 has reached its end of life and doesn't have Go 1.13 needed by singularity since 3.5.
Comment 3 Swamp Workflow Management 2020-07-19 16:13:52 UTC
openSUSE-SU-2020:1011-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174148,1174150,1174152
CVE References: CVE-2020-13845,CVE-2020-13846,CVE-2020-13847
Sources used:
openSUSE Leap 15.2 (src):    singularity-3.6.0-lp152.2.3.1
Comment 4 Swamp Workflow Management 2020-07-23 10:16:08 UTC
openSUSE-SU-2020:1037-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1125369,1128598,1159550,1174148,1174150,1174152
CVE References: CVE-2019-11328,CVE-2019-19724,CVE-2020-13845,CVE-2020-13846,CVE-2020-13847
Sources used:
openSUSE Leap 15.1 (src):    singularity-3.6.0-lp151.2.6.1
Comment 5 Swamp Workflow Management 2020-09-18 16:49:55 UTC
openSUSE-SU-2020:1100-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1174148,1174150,1174152
CVE References: CVE-2020-13845,CVE-2020-13846,CVE-2020-13847
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    singularity-3.6.0-bp152.2.4.1