Bug 1186619 - (CVE-2021-32635) VUL-0: CVE-2021-32635: singularity: Action commands against library URIs ignore configured remote endpoint
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Distribution
Component: Containers
Version: Leap 15.2
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Christian Goll
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/300901/
Depends on:
Blocks:
Reported: 2021-05-28 15:01 UTC by Gianluca Gabrielli
Modified: 2021-11-08 14:37 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Gianluca Gabrielli 2021-05-28 15:01:22 UTC
In singularity 3.7.2 and 3.7.3, action commands against library:// URIs erroneously always used the default remote endpoint (cloud.sylabs.io). An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1965512
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32635
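To make the defect in the description concrete, here is an added illustrative example in Go (Singularity's own language). It is not Singularity's code: the RemoteConfig type, the resolve functions and the endpoint host library.example.org are hypothetical. It models two ways of turning a library:// reference into a download URL: the vulnerable way, which always uses the default endpoint cloud.sylabs.io no matter what remote the user configured, and the corrected way, which consults the active remote first and only falls back to the default when no remote is configured.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DefaultEndpoint is the endpoint used when no remote is configured
// (the host named in the bug report).
const DefaultEndpoint = "cloud.sylabs.io"

// RemoteConfig is a hypothetical model of the user's remote configuration:
// a set of named remotes and the name of the active one.
type RemoteConfig struct {
	Active    string            // name of the active remote ("" if none)
	Endpoints map[string]string // remote name -> endpoint host
}

// Endpoint returns the host of the active remote, falling back to the default
// only when no usable remote is configured.
func (c RemoteConfig) Endpoint() string {
	if host, ok := c.Endpoints[c.Active]; ok && host != "" {
		return host
	}
	return DefaultEndpoint
}

// libraryPath validates a library://user/collection/container:tag reference
// and returns the path part that is looked up on the endpoint.
func libraryPath(ref string) (string, error) {
	const scheme = "library://"
	if !strings.HasPrefix(ref, scheme) {
		return "", errors.New("not a library:// reference: " + ref)
	}
	path := strings.TrimPrefix(ref, scheme)
	if path == "" || strings.Contains(path, "..") {
		return "", errors.New("invalid library path: " + path)
	}
	return path, nil
}

// resolveVulnerable reproduces the CVE-2021-32635 behaviour: the configured
// remote is ignored and every reference is fetched from the default endpoint,
// so a same-named container pushed there is what the user ends up running.
func resolveVulnerable(ref string, _ RemoteConfig) (string, error) {
	path, err := libraryPath(ref)
	if err != nil {
		return "", err
	}
	return "https://" + DefaultEndpoint + "/" + path, nil
}

// resolveFixed resolves the reference against the active remote endpoint.
func resolveFixed(ref string, cfg RemoteConfig) (string, error) {
	path, err := libraryPath(ref)
	if err != nil {
		return "", err
	}
	return "https://" + cfg.Endpoint() + "/" + path, nil
}

func main() {
	// Constructed configuration: a site-local library is the active remote.
	cfg := RemoteConfig{
		Active:    "mylab",
		Endpoints: map[string]string{"mylab": "library.example.org"},
	}
	ref := "library://user/collection/image:tag"
	bad, _ := resolveVulnerable(ref, cfg)
	good, _ := resolveFixed(ref, cfg)
	fmt.Println("vulnerable:", bad)
	fmt.Println("fixed:     ", good)
}
```

Running it shows the same reference resolving to two different hosts; the identical path on both endpoints is exactly what lets a container on the default endpoint be substituted for the one the user intended. A sensible regression check for the fix is therefore one that configures a non-default remote and asserts the resolved host is that remote, plus one that asserts the default is still used when no remote is configured.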
Comment 1 Gianluca Gabrielli 2021-05-28 15:02:14 UTC
Affected package:
 - openSUSE:Factory/singularity 3.7.2
Comment 2 Christian Goll 2021-06-04 12:05:08 UTC
Will update factory packages.
Comment 3 OBSbugzilla Bot 2021-06-04 13:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1186619) was mentioned in
https://build.opensuse.org/request/show/897439 Backports:SLE-15-SP3 / singularity
https://build.opensuse.org/request/show/897440 Backports:SLE-15-SP2 / singularity
Comment 4 Swamp Workflow Management 2021-06-11 19:21:38 UTC
openSUSE-RU-2021:0867-1: An update that fixes two vulnerabilities is now available.

Category: recommended (moderate)
Bug References: 1186619
CVE References: CVE-2021-29136,CVE-2021-32635
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    singularity-3.7.4-bp152.2.24.1
Comment 5 Swamp Workflow Management 2021-07-08 19:20:15 UTC
openSUSE-SU-2021:0987-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1186619
CVE References: CVE-2021-29136,CVE-2021-32635
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    singularity-3.7.4-bp153.2.3.1
Comment 6 OBSbugzilla Bot 2021-10-26 10:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1186619) was mentioned in
https://build.opensuse.org/request/show/927451 15.3 / singularity