In singularity 3.7.2 and 3.7.3, action commands against library:// URIs erroneously always used the default remote endpoint (cloud.sylabs.io). An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container.
x86 done
amd64 done
all arches done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=086e1d23d289498f83d7d321dc39ff1caaa79b9f

commit 086e1d23d289498f83d7d321dc39ff1caaa79b9f
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-05-28 08:41:32 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-05-28 08:42:03 +0000

sys-cluster/singularity: drop 3.7.3

No versions vulnerable to CVE-2021-32635 left in the tree.

Bug: https://bugs.gentoo.org/792465
Signed-off-by: Marek Szuba <marecki@gentoo.org>

sys-cluster/singularity/Manifest | 1 -
sys-cluster/singularity/singularity-3.7.3.ebuild | 73 ------------------------
2 files changed, 74 deletions(-)
Thank you for the report!
Unable to check for sanity: > no match for package: =sys-cluster/singularity-3.7.4
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-50 at https://security.gentoo.org/glsa/202107-50 by GLSA coordinator John Helmert III (ajak).