Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 746431 (CVE-2020-25039, CVE-2020-25040)

Summary: <sys-cluster/singularity-3.6.3: Multiple vulnerabilities (CVE-2020-{25039,25040})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: marecki
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-04 03:36:21 UTC 
CVE-2020-25039 (https://github.com/hpcng/singularity/security/advisories/GHSA-w6v2-qchm-grj7):

Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution.

CVE-2020-25040 (https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762):

Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039.
Comment 1 Larry the Git Cow gentoo-dev 2020-10-05 12:09:51 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48b50da8ccd7882fffb3a9239b7ac9cab6b6cbdc

commit 48b50da8ccd7882fffb3a9239b7ac9cab6b6cbdc
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-10-05 12:03:43 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-10-05 12:03:43 +0000

    sys-cluster/singularity: remove old
    
    Bug: https://bugs.gentoo.org/746431
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 sys-cluster/singularity/Manifest                 |  1 -
 sys-cluster/singularity/singularity-3.6.2.ebuild | 73 ------------------------
 2 files changed, 74 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-05 14:24:26 UTC 
Thanks!