Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 733238 (CVE-2020-13845, CVE-2020-13846, CVE-2020-13847) - <sys-cluster/singularity-3.6.0: Multiple vulnerabilities (CVE-2020-{13845,13846,13847})
Summary: <sys-cluster/singularity-3.6.0: Multiple vulnerabilities (CVE-2020-{13845,138...
Status: RESOLVED FIXED
Alias: CVE-2020-13845, CVE-2020-13846, CVE-2020-13847
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/hpcng/singularity/...
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-19 19:41 UTC by John Helmert III (ajak)
Modified: 2020-07-21 16:57 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III (ajak) gentoo-dev Security 2020-07-19 19:41:37 UTC
CVE-2020-13845:

The Singularity Execution Control List (ECL) allows system administrators to set up a policy that defines rules about what signature(s) must be (or must not be) present on a SIF container image for it to be permitted to run.

In Singularity 3.x versions below 3.6.0, the following issues allow the ECL to be bypassed by a malicious user:

    Image integrity is not validated when an ECL policy is enforced.
    The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature. Thus, it is trivial to craft an arbitrary payload which will be permitted to run, even if the attacker does not have access to the private key associated with the fingerprint(s) configured in the ECL.

CVE-2020-13846:

The --all / -a option to singularity verify returns success even when some objects in a SIF container are not signed, or cannot be verified.

The SIF objects that are not verified are reported in WARNING log messages, but a Container Verified message and exit code of 0 are returned.

Workflows that verify a container using --all / -a and use the exit code as an indicator of success are vulnerable to running SIF containers that have unsigned, or modified, objects that may be exploited to introduce malicious behavior.

CVE-2020-13847:

In Singularity 3.x versions below 3.6.0, Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file, allowing an attacker to cause unexpected behavior. A signed container may verify successfully, even when it has been modified in ways that could be exploited to cause malicious behavior.
Comment 1 John Helmert III (ajak) gentoo-dev Security 2020-07-19 19:42:25 UTC
Maintainer, please bump to 3.6.0.
Comment 2 Larry the Git Cow gentoo-dev 2020-07-21 15:16:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=042d44f63a5f66394ffa94e0e904f5437d349d1f

commit 042d44f63a5f66394ffa94e0e904f5437d349d1f
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-07-21 15:14:59 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-07-21 15:14:59 +0000

    sys-cluster/singularity: remove old
    
    2.6.1 is ancient and doesn't support Python versions newer than 3.6,
    3.5.3 has several known security vulnerabilities.
    
    Bug: https://bugs.gentoo.org/733238
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 sys-cluster/singularity/Manifest                   |  2 -
 sys-cluster/singularity/singularity-2.6.1.ebuild   | 44 --------------
 .../singularity/singularity-3.5.3-r1.ebuild        | 69 ----------------------
 3 files changed, 115 deletions(-)
Comment 3 John Helmert III (ajak) gentoo-dev Security 2020-07-21 16:57:02 UTC
(In reply to Larry the Git Cow from comment #2)
> The bug has been referenced in the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=042d44f63a5f66394ffa94e0e904f5437d349d1f
> 
> commit 042d44f63a5f66394ffa94e0e904f5437d349d1f
> Author:     Marek Szuba <marecki@gentoo.org>
> AuthorDate: 2020-07-21 15:14:59 +0000
> Commit:     Marek Szuba <marecki@gentoo.org>
> CommitDate: 2020-07-21 15:14:59 +0000
> 
>     sys-cluster/singularity: remove old
>     
>     2.6.1 is ancient and doesn't support Python versions newer than 3.6,
>     3.5.3 has several known security vulnerabilities.
>     
>     Bug: https://bugs.gentoo.org/733238
>     Signed-off-by: Marek Szuba <marecki@gentoo.org>
> 
>  sys-cluster/singularity/Manifest                   |  2 -
>  sys-cluster/singularity/singularity-2.6.1.ebuild   | 44 --------------
>  .../singularity/singularity-3.5.3-r1.ebuild        | 69
> ----------------------
>  3 files changed, 115 deletions(-)

Thanks. Cleanup done, noglsa, closing.