hpcng/singularity: Singularity 3.6.3
Creators
- Gregory M. Kurtzer1
- cclerget
- Michael Bauer2
- Ian Kaneshiro
- David Godlove3
- Vanessasaurus
- David Trudgian4
- Yannick Cote5
- Geoffroy Vallee
- DrDaveD
- Adam Hughes3
- Justin Cook6
- Jason Stover
- Brian P Bockelman7
- Marcelo Magallon8
- Jacob Chappell9
- Daniele Tamino
- Carlos Arango Gutierrez10
- Carl Madison
- Sasha Yakovtseva
- Mike Frisch
- Dave Love
- Amanda Duffy11
- Satrajit Ghosh12
- VP
- Tru Huynh13
- Mike Gray14
- Yaroslav Halchenko15
- Felix Abecassis16
- 1. Singularity Labs
- 2. Facebook
- 3. Sylabs Inc
- 4. @sylabs
- 5. Red Hat
- 6. @Linaro
- 7. Morgridge Institute for Research
- 8. @grafana
- 9. Chappell Consulting & Tutoring
- 10. @RedHatOfficial
- 11. Lenovo
- 12. MIT
- 13. Unité de Bioinformatique Structurale, Institut Pasteur
- 14. Self
- 15. Dartmouth College, @Debian, @DataLad, @PyMVPA, @fail2ban
- 16. NVIDIA
Description
Singularity 3.6.3 is an important security release. Please read the release notes below carefully.
Security related fixes
Singularity 3.6.3 addresses the following security issues.
CVE-2020-25039: When a Singularity action command (run, shell, exec) is run with the fakeroot or user namespace option, Singularity will extract a container image to a temporary sandbox directory. Due to insecure permissions on the temporary directory it is possible for any user with access to the system to read the contents of the image. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running container.
CVE-2020-25040: When a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running build, which in certain circumstances may enable arbitrary code execution during the build and/or when the built container is run.
- Add CAP_MKNOD in capability bounding set of RPC to fix issue with cryptsetup when decrypting image from within a docker container.
- Fix decryption issue when using both IPC and PID namespaces.
- Fix unsupported builtins panic from shell interpreter and add umask support for definition file scripts.
- Do not load keyring in prepare_linux if ECL not enabled.
- Ensure sandbox option overrides remote build destination.
In keeping with their commitment to the open source community to release security patches incorporated into SingularityPRO, Sylabs is releasing the following diffs that contain security content only:
- 2.4: https://repo.sylabs.io/security/2020/CVE-2020-25040-24.diff
- 2.5: https://repo.sylabs.io/security/2020/CVE-2020-25040-25.diff
- 2.6: https://repo.sylabs.io/security/2020/CVE-2020-25040-26.diff
- 3.1: https://repo.sylabs.io/security/2020/CVE-2020-25040-31.diff
- 3.5: https://repo.sylabs.io/security/2020/CVE-2020-25040-35.diff
Thanks to our contributors for code, feedback, and testing efforts!
As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new
If you think that you've discovered a security vulnerability please report it to: security@sylabs.io
Have fun!
Files
Name | Size
---|---
hpcng/singularity-v3.6.3.zip (md5:fb6ff0525af634e22f50e29ff35bde37) | 2.1 MB
Additional details
Related works
- Is supplement to
- https://github.com/hpcng/singularity/tree/v3.6.3 (URL)