Singularity 3.6.3

3 years ago

Singularity 3.6.3 is an important security release. Please read the release notes below carefully.

Security related fixes

Singularity 3.6.3 addresses the following security issues.

  • CVE-2020-25039: When a Singularity action command (run, shell, exec) is run with the fakeroot or user namespace option, Singularity will extract a container image to a temporary sandbox directory. Due to insecure permissions on the temporary directory it is possible for any user with access to the system to read the contents of the image. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running container.

  • CVE-2020-25040: When a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running build, which in certain circumstances may enable arbitrary code execution during the build and/or when the built container is run.
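Both advisories turn on the same two conditions: a sandbox directory that other local users can enter, and world-writable entries inside the extracted image. The Go program below is an added example for auditing an extracted sandbox tree for those conditions; it is not code from Singularity or Sylabs. `AuditSandbox` and `SandboxFindings` are hypothetical names, and treating a root as private only when its mode grants nothing to group or other is an assumption of this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// SandboxFindings holds the two conditions the advisories describe.
type SandboxFindings struct {
	RootExposed   bool     // group/other have some access to the sandbox root
	WorldWritable []string // entries (relative paths) any local user can modify
}

// AuditSandbox is a hypothetical helper, not a Singularity API.
func AuditSandbox(root string) (SandboxFindings, error) {
	var f SandboxFindings
	info, err := os.Lstat(root)
	if err != nil {
		return f, err
	}
	// 0o077 masks the group and other bits; a private root is 0700.
	f.RootExposed = info.Mode().Perm()&0o077 != 0
	err = filepath.WalkDir(root, func(p string, d fs.DirEntry, werr error) error {
		if werr != nil || p == root {
			return werr
		}
		fi, err := d.Info()
		if err != nil {
			return err
		}
		// Symlink mode bits carry no meaning on Linux, so skip them.
		if fi.Mode()&fs.ModeSymlink == 0 && fi.Mode().Perm()&0o002 != 0 {
			rel, _ := filepath.Rel(root, p)
			f.WorldWritable = append(f.WorldWritable, rel)
		}
		return nil
	})
	return f, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: audit <sandbox-dir>")
		os.Exit(2)
	}
	f, err := AuditSandbox(os.Args[1])
	fmt.Printf("root exposed: %v, world-writable: %q, err: %v\n", f.RootExposed, f.WorldWritable, err)
}
```

An exposed root alone matches the read-access half of each advisory; an exposed root together with a non-empty `WorldWritable` list matches the content-injection half.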

Bug Fixes

  • Add CAP_MKNOD in capability bounding set of RPC to fix issue with cryptsetup when decrypting image from within a docker container.
  • Fix decryption issue when using both IPC and PID namespaces.
  • Fix unsupported builtins panic from shell interpreter and add umask support for definition file scripts.
  • Do not load keyring in prepare_linux if ECL not enabled.
  • Ensure sandbox option overrides remote build destination.

In keeping with their commitment to the open source community to release security patches incorporated into SingularityPRO, Sylabs is releasing the following diffs that contain security content only:

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new

If you think that you've discovered a security vulnerability please report it to: security@sylabs.io

Have fun!
