sylabs/singularity: Singularity 3.5.2 Release
Creators
- Gregory M. Kurtzer (1)
- cclerget
- Michael Bauer (2)
- Ian Kaneshiro
- David Godlove (3)
- WestleyK
- Vanessasaurus
- Yannick Cote (4)
- Geoffroy Vallee (5)
- David Trudgian (6)
- DrDaveD
- Marcelo Magallon (2)
- tri-adam
- Justin Cook (2)
- Jason Stover
- Joana Chavez
- Brian P Bockelman (7)
- Jacob Chappell
- Daniele Tamino
- Eduardo Arango (8)
- Sasha Yakovtseva
- Carl Madison
- Dave Love
- Mike Frisch
- Satrajit Ghosh (9)
- Amanda Duffy (10)
- Vadim Pisaruk
- Tru Huynh (11)
- Mike Gray (12)
- 1. Singularity Labs
- 2. @sylabs
- 3. Sylabs Inc
- 4. Red Hat
- 5. @Sylabs
- 6. Sylabs Inc.
- 7. Morgridge Institute for Research
- 8. @openshift
- 9. MIT
- 10. Lenovo
- 11. Unité de Bioinformatique Structurale, Institut Pasteur
- 12. Self
Description
The 3.5.2 release of Singularity contains fixes for a security issue related to incorrect file permissions (CVE-2019-19724) on user configuration and cache directories.
In Singularity >=3.3.0 (on all OS/kernels) the $HOME/.singularity directory holding user configuration and caches is incorrectly created with 777 permissions. If the $HOME directory of a user has group/any x permission set, then a malicious user with login access to the host system may traverse into $HOME/.singularity and:
- Inject a remote.yaml configuration file that can direct interactions with Sylabs cloud services / Singularity Enterprise to a malicious server. This may result in the execution of malicious container images.
- Read the content of a user's cached containers, which may include sensitive private data.
In Singularity >=2.4.0 (on all OS/kernels) the $HOME/.singularity directory and any explicit SINGULARITY_CACHEDIR directory are created with 755, or umask dependent, permissions. If a user's $HOME directory, or the directory containing an explicitly set SINGULARITY_CACHEDIR, has group/any x permission set, then a malicious user with login access to the host system may:
- Read the content of a user's cached containers, which may include sensitive private data.
Singularity 3.5.2 should be installed immediately, and all previous versions of Singularity should be removed.
Additionally, we recommend running chmod 700 against the .singularity directory within all user $HOME directories, especially if $HOME directories may have group/any x bits set on your system.
If no user $HOME directories have group/any x bits set, and SINGULARITY_CACHEDIR has never been set to a location open to shared access, the exploits listed above are not possible.
If Singularity is configured to only run containers signed with keys specified in an execution control list, and these keys are not compromised, arbitrary malicious containers cannot be run via a remote.yaml exploit.
Singularity 3.5.2 ensures 700 permissions are set on $HOME/.singularity when the singularity command is run by a user, and that 700 permissions are set for any existing or new explicit cache directory configured using the SINGULARITY_CACHEDIR environment variable.
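The two conditions above (a traversable $HOME or cache parent, and a .singularity or cache directory that grants group/other access) can be checked and the recommended chmod 700 applied with the following POSIX shell script. This is an added example, not Singularity project code and not part of the 3.5.2 release: the function names, the exposure rule it encodes, and the use of /etc/passwd to enumerate home directories are this example's own assumptions. It relies only on stat (GNU or BSD), chmod and dirname, and deliberately never creates a missing directory, since doing that as root would leave root-owned directories inside users' homes.

```shell
#!/bin/sh
# Added example: audit and remediation helpers for the CVE-2019-19724
# exposure described in the advisory above. Not Singularity project code;
# the function names and the decision rule are this example's own.
#
# Exposure model taken from the advisory: another local user can reach
# $HOME/.singularity (or an explicit SINGULARITY_CACHEDIR) only if the
# directory itself grants group/other access AND every directory on the
# path down to it grants group/other search (x) permission.

# Octal permission bits of a path; tries GNU stat, then BSD/macOS stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if every ancestor of $1, from its parent up to (but excluding)
# $2 (default "/"), grants search permission to group or other.
ancestors_traversable() {
    p=$(dirname "$1")
    top="${2:-/}"
    while [ "$p" != "$top" ] && [ "$p" != "/" ]; do
        m=$(mode_of "$p")
        # 011 (octal) masks the group-x and other-x bits.
        if [ $(( 0$m & 011 )) -eq 0 ]; then
            return 1
        fi
        p=$(dirname "$p")
    done
    return 0
}

# Return 0 (exposed) if directory $1 grants any group/other permission
# (the 777 and 755 cases from the advisory) and is reachable by other
# users; $2 optionally bounds the ancestor walk as in ancestors_traversable.
dir_exposed() {
    [ -d "$1" ] || return 1
    m=$(mode_of "$1")
    # 077 (octal) masks all group and other bits.
    [ $(( 0$m & 077 )) -ne 0 ] || return 1
    ancestors_traversable "$1" "${2:-/}"
}

# Apply the advisory's chmod 700 to $1/.singularity and, if given, to the
# explicit cache directory $2. chmod is run unconditionally rather than
# trusting the umask in force when the directory was created, so a
# directory that already exists with weak bits is corrected too. Only
# existing directories are touched (see the lead-in for why).
harden_user_dirs() {
    for d in "$1/.singularity" ${2:+"$2"}; do
        if [ -d "$d" ]; then
            chmod 700 "$d"
        fi
    done
    return 0
}

# Walk /etc/passwd and print one line per exposed $HOME/.singularity:
# user, path, current mode. Assumes local accounts; run as root so that
# every home directory can be inspected.
audit_all_homes() {
    while IFS=: read -r user _ _ _ _ home _; do
        d="$home/.singularity"
        if dir_exposed "$d"; then
            printf '%s %s %s\n' "$user" "$d" "$(mode_of "$d")"
        fi
    done < /etc/passwd
}

# Usage, as root:  ./audit.sh audit              list exposed directories
#                  ./audit.sh fix HOME [CACHEDIR] apply chmod 700
case "${1:-}" in
    audit) audit_all_homes ;;
    fix)   harden_user_dirs "$2" "${3:-}" ;;
esac
```

The check is deliberately conservative in the same way the advisory is: it treats any group or other x bit on the path as traversable, without trying to work out which groups the attacker belongs to, and it reports a 755 cache directory as exposed even though only reads are possible there, because cached containers may already contain the sensitive data the advisory warns about.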
This release makes additional permission changes to further harden plugin operations against weak directory permissions / sudo secure umask settings, which should not occur without explicit administrator action.
Singularity Desktop for Mac
Previous alpha and beta versions of Singularity Desktop for Mac are affected by this issue. A new beta release, beta-v0.2, is being prepared, and will be available shortly.
Patches against prior versions
In keeping with our commitment to the open source community to release security patches incorporated into Singularity PRO, Sylabs is also releasing patches that can be applied to the 3.1, 2.6, 2.5, and 2.4 series. Even though 3.5.2 technically deprecates all previous open-source versions of Singularity, interested parties can find the patches to fix this specific issue at the following links:
- 3.1: https://repo.sylabs.io/security/2019/CVE-2019-19724-31.diff
- 2.6 / 2.5 / 2.4: https://repo.sylabs.io/security/2019/CVE-2019-19724-2x.diff
Note - these prior versions of Singularity may be subject to additional security issues, addressed by further patches released previously. Please review the release history carefully before using a deprecated version of Singularity.
Release Notes
Security related fix
- 700 permissions are enforced on $HOME/.singularity and SINGULARITY_CACHEDIR directories (CVE-2019-19724). Many thanks to Stuart Barkley for reporting this issue.
- Fixes an issue preventing use of .docker/config for docker registry authentication.
- Fixes the run-help command in the unprivileged workflow.
- Fixes a regression in the inspect command to support older image formats.
- Adds a workaround for an EL6 kernel bug regarding shared bind mounts.
- Fixes caching of http(s) sources with conflicting filenames.
- Fixes a fakeroot sandbox build error on certain filesystems, e.g. Lustre, GPFS.
- Fixes a fakeroot build failure to a sandbox in $HOME.
- Fixes a fakeroot build failure from a bad def file section script location.
- Fixes container execution errors when CWD is a symlink.
- Provides a useful warning regarding possible fakeroot build issues when seccomp support is not available.
- Fixes an issue where the --disable-cache option was not being honored.
Files
- sylabs/singularity-v3.5.2.zip (4.0 MB), md5: e825b91ad7e311dd9820f2b0e7e60d01
Additional details
Related works
- Is supplement to: https://github.com/sylabs/singularity/tree/v3.5.2 (URL)