Summary: | <app-containers/apptainer-1.1.8: privilege escalation | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | marecki |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg | ||
Whiteboard: | B1 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 905115 | ||
Bug Blocks: |
Description
John Helmert III
2023-04-26 02:51:11 UTC
Will be ready for a GLSA as soon as 1.1.8 has been stabilised.

And speaking of GLSA:
- if I am reading this correctly the bug is actually in the kernel and all that apptainer-1.1.8 does is make it more difficult to exploit this, isn't it? Might make sense to think about how to phrase this, assuming we actually NEED a GLSA for apptainer in the first place given the above;
- likewise, it might be worth mentioning that >=1.1.0 are only affected when emerged with USE=suid, which is a non-default value of this flag.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=778c8b1da6041f6b5e8291d1b8daa5f6e269f6f1

commit 778c8b1da6041f6b5e8291d1b8daa5f6e269f6f1
Author: Marek Szuba <marecki@gentoo.org>
AuthorDate: 2023-04-26 14:37:42 +0000
Commit: Marek Szuba <marecki@gentoo.org>
CommitDate: 2023-04-26 14:37:42 +0000

    app-containers/apptainer: drop 1.1.6

    This leaves only 1.1.8 in the tree.

    Bug: https://bugs.gentoo.org/905091
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 app-containers/apptainer/Manifest | 1 -
 app-containers/apptainer/apptainer-1.1.6.ebuild | 92 -------------------------
 2 files changed, 93 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9040219bda064f70fe25f1a8b7fcb4aac9147a22

commit 9040219bda064f70fe25f1a8b7fcb4aac9147a22
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-11-25 10:47:30 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-11-25 10:48:03 +0000

    [ GLSA 202311-13 ] Apptainer: Privilege Escalation

    Bug: https://bugs.gentoo.org/905091
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202311-13.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)