CVE-2020-13845: The Singularity Execution Control List (ECL) allows system administrators to set up a policy that defines rules about what signature(s) must be (or must not be) present on a SIF container image for it to be permitted to run. In Singularity 3.x versions below 3.6.0, the following issues allow the ECL to be bypassed by a malicious user:

- Image integrity is not validated when an ECL policy is enforced.
- The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.

Thus, it is trivial to craft an arbitrary payload which will be permitted to run, even if the attacker does not have access to the private key associated with the fingerprint(s) configured in the ECL.

CVE-2020-13846: The --all / -a option to singularity verify returns success even when some objects in a SIF container are not signed, or cannot be verified. The SIF objects that are not verified are reported in WARNING log messages, but a "Container Verified" message and exit code of 0 are returned. Workflows that verify a container using --all / -a and use the exit code as an indicator of success are vulnerable to running SIF containers that have unsigned, or modified, objects that may be exploited to introduce malicious behavior.

CVE-2020-13847: In Singularity 3.x versions below 3.6.0, Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file, allowing an attacker to cause unexpected behavior. A signed container may verify successfully, even when it has been modified in ways that could be exploited to cause malicious behavior.
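As an added example (not code from Sylabs, the Singularity project, or the Gentoo ebuild), the following POSIX sh wrapper addresses the CVE-2020-13846 case above: it refuses to treat `singularity verify --all` as successful when the exit code is 0 but WARNING lines were printed, and it flags binaries older than 3.6.0, for which CVE-2020-13845 and CVE-2020-13847 cannot be mitigated from the outside. Assumptions: the only Singularity invocations used are `singularity verify --all <image>` and `singularity version`; Singularity log lines start with their level prefix ("WARNING:"), and `singularity version` prints a bare version string such as 3.5.3. The sample verify outputs embedded below are constructed for illustration and do not reproduce Singularity's exact wording.

```shell
#!/bin/sh
# Added example, not Sylabs or Gentoo code. Hardens a workflow that gates on
# `singularity verify --all`: per CVE-2020-13846 (Singularity < 3.6.0) that
# command exits 0 and prints "Container Verified" even when some SIF objects
# are unsigned or fail verification, reporting them only as WARNING lines.
# Assumptions: Singularity log lines start with their level ("WARNING:"), and
# `singularity version` prints a bare version such as 3.5.3.

# Pure check on captured output. $1 = exit code of verify, stdin = its output.
# Returns 0 only if the exit code was 0 AND no WARNING line was printed.
verify_output_ok() {
    rc=$1
    out=$(cat)
    [ "$rc" -eq 0 ] || return 1
    if printf '%s\n' "$out" | grep -q '^WARNING'; then
        # At least one object was not verified: treat as failure, not success.
        return 2
    fi
    return 0
}

# Returns 0 if version string $1 is 3.6.0 or later (the fixed release).
singularity_is_fixed() {
    printf '%s\n' "$1" | awk -F. '{ exit !($1 > 3 || ($1 == 3 && $2 >= 6)) }'
}

# Run verify on image $1 and apply the strict output check. A pre-3.6.0
# binary still gets the strict check, but the caller is told that the ECL
# bypass (CVE-2020-13845) and unsigned header/descriptor metadata
# (CVE-2020-13847) remain unmitigated: only upgrading fixes those.
verify_strict() {
    ver=$(singularity version)   # assumed to print e.g. "3.5.3"
    if ! singularity_is_fixed "$ver"; then
        echo "NOTE: Singularity $ver < 3.6.0; CVE-2020-13845/13847 are not mitigated by this wrapper" >&2
    fi
    if out=$(singularity verify --all "$1" 2>&1); then rc=0; else rc=$?; fi
    printf '%s\n' "$out"
    printf '%s\n' "$out" | verify_output_ok "$rc"
}

# Constructed sample outputs (wording is illustrative, not Singularity's exact text).
SAMPLE_CLEAN='Verifying image: app.sif
[LOCAL]   Signing entity: Example Signer <signer@example.org>
Container verified: app.sif'
SAMPLE_WARN='Verifying image: app.sif
[LOCAL]   Signing entity: Example Signer <signer@example.org>
WARNING:  Non-signed container object(s): 3
Container verified: app.sif'

# Usage: sh verify_strict.sh image.sif ; exit status is non-zero on any
# unverified object, unlike the bare `singularity verify --all` exit code.
if [ "$#" -gt 0 ]; then
    verify_strict "$1"
fi
```

The key design choice is that `verify_output_ok` is a pure function of (exit code, captured output), so it can be tested without a Singularity binary and reused from a CI job that already captures the verify log. Note that this wrapper only closes the exit-code gap; an image that passes it on a pre-3.6.0 install can still have a tampered global header or descriptors, which is why the version note is printed.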
Maintainer, please bump to 3.6.0.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=042d44f63a5f66394ffa94e0e904f5437d349d1f

commit 042d44f63a5f66394ffa94e0e904f5437d349d1f
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-07-21 15:14:59 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-07-21 15:14:59 +0000

    sys-cluster/singularity: remove old

    2.6.1 is ancient and doesn't support Python versions newer than 3.6,
    3.5.3 has several known security vulnerabilities.

    Bug: https://bugs.gentoo.org/733238
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 sys-cluster/singularity/Manifest                 |  2 -
 sys-cluster/singularity/singularity-2.6.1.ebuild | 44 --------------
 .../singularity/singularity-3.5.3-r1.ebuild      | 69 ----------------------
 3 files changed, 115 deletions(-)
(In reply to Larry the Git Cow from comment #2)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=042d44f63a5f66394ffa94e0e904f5437d349d1f
>
> commit 042d44f63a5f66394ffa94e0e904f5437d349d1f
> Author:     Marek Szuba <marecki@gentoo.org>
> AuthorDate: 2020-07-21 15:14:59 +0000
> Commit:     Marek Szuba <marecki@gentoo.org>
> CommitDate: 2020-07-21 15:14:59 +0000
>
>     sys-cluster/singularity: remove old
>
>     2.6.1 is ancient and doesn't support Python versions newer than 3.6,
>     3.5.3 has several known security vulnerabilities.
>
>     Bug: https://bugs.gentoo.org/733238
>     Signed-off-by: Marek Szuba <marecki@gentoo.org>
>
>  sys-cluster/singularity/Manifest                 |  2 -
>  sys-cluster/singularity/singularity-2.6.1.ebuild | 44 --------------
>  .../singularity/singularity-3.5.3-r1.ebuild      | 69 ----------------------
>  3 files changed, 115 deletions(-)

Thanks. Cleanup done, noglsa, closing.