github apptainer/singularity v3.6.4
Singularity 3.6.4


Singularity 3.6.4 is an important security release. Please read the release notes below carefully.

Security related fixes

Singularity 3.6.4 addresses the following security issues.

  • CVE-2020-15229: Due to insecure handling of path traversal and the lack of path sanitization within unsquashfs (a distribution-provided utility used by Singularity), it is possible to overwrite or create files on the host filesystem during the extraction of a crafted squashfs filesystem. This affects unprivileged execution of SIF / SquashFS images, and image builds from SIF / SquashFS images.

Please see the published security advisories at https://github.com/hpcng/singularity/security/advisories for full detail of these security issues.
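To illustrate the class of issue described in CVE-2020-15229, the following added example (not Singularity's fix and not code from the project) audits a list of entry names before extraction and reports those that would land outside the extraction root, including writes that pass through a symlink created by an earlier entry. The `Entry` type, the `Audit` function, the sample paths and the absolute Unix extraction root are assumptions made for this example.

```go
package main

import ("fmt"; "path/filepath"; "strings")
// Entry is one member of an image listing (hypothetical type for this example).
type Entry struct{ Name, Target string } // Target is "" unless the entry is a symlink

// inside reports whether the absolute path p stays under root.
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// resolve walks p by component, following symlinks created by earlier entries.
func resolve(root, p string, links map[string]string) string {
	rel, _ := filepath.Rel(root, p) // both paths are absolute, so no error
	cur := root
	for _, part := range strings.Split(rel, "/") {
		cur = filepath.Join(cur, part)
		if t, ok := links[cur]; ok {
			cur = t
		}
	}
	return cur
}

// Audit returns the names of entries that would be written outside root.
func Audit(root string, entries []Entry) (bad []string) {
	links := map[string]string{} // symlink location -> resolved target
	for _, e := range entries {
		loc := resolve(root, filepath.Join(root, e.Name), links)
		if filepath.IsAbs(e.Name) || !inside(root, loc) {
			bad = append(bad, e.Name)
		} else if e.Target != "" {
			t := e.Target
			if !filepath.IsAbs(t) {
				t = filepath.Join(filepath.Dir(loc), t)
			}
			links[loc] = resolve(root, t, links)
		}
	}
	return bad
}

// Constructed sample listing, not taken from a real image.
var sample = []Entry{
	{Name: "etc/hosts"}, {Name: "../../tmp/outside"}, {Name: "/abs/file"}, {Name: "data", Target: "/opt/host"},
	{Name: "data/job"}, {Name: "usr/lib64", Target: "lib"}, {Name: "usr/lib64/libc.so"},
}
func main() { fmt.Println(Audit("/srv/extract", sample)) }
```

The symlink entry `data` is not itself reported; the later entry `data/job` is, because it would be written through that link to a location outside the root.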

Bug Fixes

  • Update scs-library-client to support library:// backends using a 3rd party S3 object store that does not strictly conform to v4 signature spec.

Patches against prior versions

In keeping with their commitment to the open source community to release security patches incorporated into SingularityPRO, Sylabs is releasing the following diffs that contain security content only:

3.1: https://repo.sylabs.io/security/2020/CVE-2020-15229-31.diff
3.5: https://repo.sylabs.io/security/2020/CVE-2020-15229-35.diff

Thanks to our contributors for code, feedback, and testing efforts!

As always, please report any bugs to: https://github.com/hpcng/singularity/issues/new

If you think that you've discovered a security vulnerability, please report it to: security@sylabs.io

Have fun!
