<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">Security update for singularity</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2020:1037-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2020-07-23T04:22:25Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2020-07-23T04:22:25Z</InitialReleaseDate>
    <CurrentReleaseDate>2020-07-23T04:22:25Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">Security update for singularity</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">This update for singularity fixes the following issues:

- New version 3.6.0. This version introduces a new signature format 
for SIF images, and changes to the signing / verification code to address
the following security problems:
  - CVE-2020-13845, boo#1174150
  In Singularity 3.x versions below 3.6.0, issues allow the ECL to 
  be bypassed by a malicious user.
  - CVE-2020-13846, boo#1174148
  In Singularity 3.5 the --all / -a option to singularity verify 
  returns success even when some objects in a SIF container are not signed, 
  or cannot be verified.
  - CVE-2020-13847, boo#1174152
  In Singularity 3.x versions below 3.6.0, Singularity's sign and verify 
  commands do not sign metadata found in the global header or data object 
  descriptors of a SIF file, allowing an attacker to cause unexpected 
  behavior. A signed container may verify successfully, even when it has 
  been modified in ways that could be exploited to cause malicious behavior.

- New features / functionalities
  - A new '--legacy-insecure' flag to verify allows verification of SIF
  signatures in the old, insecure format.
  - A new '-l / --logs' flag for instance list that shows the paths 
  to instance STDERR / STDOUT log files.
  - The --json output of instance list now includes paths to
  STDERR / STDOUT log files.
  - Singularity now supports the execution of minimal Docker/OCI
  containers that do not contain /bin/sh, e.g. docker://hello-world.
  - A new cache structure is used that is concurrency safe on a filesystem that
  supports atomic rename. If you downgrade to Singularity 3.5 or older after
  using 3.6 you will need to run singularity cache clean.
  - A plugin system rework adds new hook points that will allow the
  development of plugins that modify behavior of the runtime. An image driver
  concept is introduced for plugins to support new ways of handling image and
  overlay mounts. Plugins built for &lt;=3.5 are not compatible with 3.6.
  - The --bind flag can now bind directories from a SIF or ext3 image into a
  container.
  - The --fusemount feature to mount filesystems to a container via FUSE
  drivers is now a supported feature (previously an experimental hidden flag).
  - This permits users to mount e.g. sshfs and cvmfs filesystems to the
  container at runtime.
  - A new -c/--config flag allows an alternative singularity.conf to be
  specified by the root user, or all users in an unprivileged installation.
  - A new --env flag allows container environment variables to be set via the
  Singularity command line.
  - A new --env-file flag allows container environment variables to be set from
  a specified file.
  - A new --days flag for cache clean allows removal of items older than a
  specified number of days. Replaces the --name flag which is not generally
  useful as the cache entries are stored by hash, not a friendly name.

- Changed defaults / behaviours
  - New signature format (see security fixes above).
  - Fixed spacing of singularity instance list to change dynamically
  based on input lengths instead of a fixed number of spaces, to account
  for long instance names.
  - Environment variables prefixed with SINGULARITYENV_ always take
  precedence over variables without the SINGULARITYENV_ prefix.
  - The %post build section inherits environment variables from the base image.
  - %files from ... will now follow symlinks for sources that are directly
  specified, or directly resolved from a glob pattern. It will not follow
  symlinks found through directory traversal. This mirrors Docker multi-stage
  COPY behaviour.
  - Restored the CWD mount behaviour of v2, implying that the CWD path is not recreated
  inside the container and any symlinks in the CWD path are no longer resolved to
  determine the destination path inside the container.
  - The %test build section is executed in the same manner as singularity test image.
  - --fusemount with the container: default directive will foreground the FUSE
  process. Use container-daemon: for the previous behavior.

- Deprecate -a / --all option to sign/verify as new signature behavior 
  makes this the default.
- For more information about upstream changes, please check:
  https://github.com/hpcng/singularity/blob/master/CHANGELOG.md
- Removed --name flag for cache clean; replaced with --days.
</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-2020-1037</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EIHKRY3G2SS6X2ZY44CW67IIGHCJUYMO/</URL>
      <Description>E-Mail link for openSUSE-SU-2020:1037-1</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1125369</URL>
      <Description>SUSE Bug 1125369</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1128598</URL>
      <Description>SUSE Bug 1128598</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1159550</URL>
      <Description>SUSE Bug 1159550</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1174148</URL>
      <Description>SUSE Bug 1174148</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1174150</URL>
      <Description>SUSE Bug 1174150</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://bugzilla.suse.com/1174152</URL>
      <Description>SUSE Bug 1174152</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2019-11328/</URL>
      <Description>SUSE CVE CVE-2019-11328 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2019-19724/</URL>
      <Description>SUSE CVE CVE-2019-19724 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2020-13845/</URL>
      <Description>SUSE CVE CVE-2020-13845 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2020-13846/</URL>
      <Description>SUSE CVE CVE-2020-13846 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2020-13847/</URL>
      <Description>SUSE CVE CVE-2020-13847 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="openSUSE Leap 15.1">
      <Branch Type="Product Name" Name="openSUSE Leap 15.1">
        <FullProductName ProductID="openSUSE Leap 15.1" CPE="cpe:/o:opensuse:leap:15.1">openSUSE Leap 15.1</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="singularity-3.6.0-lp151.2.6.1">
      <FullProductName ProductID="singularity-3.6.0-lp151.2.6.1">singularity-3.6.0-lp151.2.6.1</FullProductName>
    </Branch>
    <Relationship ProductReference="singularity-3.6.0-lp151.2.6.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Leap 15.1">
      <FullProductName ProductID="openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1">singularity-3.6.0-lp151.2.6.1 as a component of openSUSE Leap 15.1</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2: a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/&lt;user&gt;/&lt;instance&gt;`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined, resulting in potential privilege escalation on the host.</Note>
    </Notes>
    <CVE>CVE-2019-11328</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>9</BaseScore>
        <Vector>AV:N/AC:L/Au:S/C:C/I:C/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EIHKRY3G2SS6X2ZY44CW67IIGHCJUYMO/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2019-11328.html</URL>
        <Description>CVE-2019-11328</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1128598</URL>
        <Description>SUSE Bug 1128598</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.</Note>
    </Notes>
    <CVE>CVE-2019-19724</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:N/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EIHKRY3G2SS6X2ZY44CW67IIGHCJUYMO/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2019-19724.html</URL>
        <Description>CVE-2019-19724</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1159550</URL>
        <Description>SUSE Bug 1159550</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="3">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.</Note>
    </Notes>
    <CVE>CVE-2020-13845</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EIHKRY3G2SS6X2ZY44CW67IIGHCJUYMO/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2020-13845.html</URL>
        <Description>CVE-2020-13845</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1174150</URL>
        <Description>SUSE Bug 1174150</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="4">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.</Note>
    </Notes>
    <CVE>CVE-2020-13846</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EIHKRY3G2SS6X2ZY44CW67IIGHCJUYMO/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2020-13846.html</URL>
        <Description>CVE-2020-13846</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1174148</URL>
        <Description>SUSE Bug 1174148</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="5">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file.</Note>
    </Notes>
    <CVE>CVE-2020-13847</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>5</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL>https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EIHKRY3G2SS6X2ZY44CW67IIGHCJUYMO/</URL>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2020-13847.html</URL>
        <Description>CVE-2020-13847</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1174152</URL>
        <Description>SUSE Bug 1174152</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
