cvelistv5 - cve-2019-11328

CVE-2019-11328 (GCVE-0-2019-11328)

Vulnerability from cvelistv5 – Published: 2019-05-14 20:24 – Updated: 2024-08-04 22:48

Summary

An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/<user>/<instance>`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

OPENSUSE-SU-2024:11384-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

singularity-3.8.3-1.2 on GA media

Notes

Title of the patch

singularity-3.8.3-1.2 on GA media

Description of the patch

These are all security issues fixed in the singularity-3.8.3-1.2 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-11384

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "singularity-3.8.3-1.2 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the singularity-3.8.3-1.2 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11384",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11384-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-12021 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-12021/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-19295 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-19295/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-11328 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-11328/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-19724 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-19724/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-13845 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-13845/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-13846 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-13846/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-13847 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-13847/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-15229 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-15229/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-25039 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-25039/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-25040 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-25040/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-29136 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-29136/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-32635 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-32635/"
      }
    ],
    "title": "singularity-3.8.3-1.2 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11384-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-3.8.3-1.2.aarch64",
                "product": {
                  "name": "singularity-3.8.3-1.2.aarch64",
                  "product_id": "singularity-3.8.3-1.2.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-3.8.3-1.2.ppc64le",
                "product": {
                  "name": "singularity-3.8.3-1.2.ppc64le",
                  "product_id": "singularity-3.8.3-1.2.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-3.8.3-1.2.s390x",
                "product": {
                  "name": "singularity-3.8.3-1.2.s390x",
                  "product_id": "singularity-3.8.3-1.2.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-3.8.3-1.2.x86_64",
                "product": {
                  "name": "singularity-3.8.3-1.2.x86_64",
                  "product_id": "singularity-3.8.3-1.2.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.8.3-1.2.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64"
        },
        "product_reference": "singularity-3.8.3-1.2.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.8.3-1.2.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le"
        },
        "product_reference": "singularity-3.8.3-1.2.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.8.3-1.2.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x"
        },
        "product_reference": "singularity-3.8.3-1.2.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.8.3-1.2.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        },
        "product_reference": "singularity-3.8.3-1.2.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-12021",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-12021"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system. When using the overlay option, a malicious user may access sensitive information by exploiting a few specific Singularity features.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-12021",
          "url": "https://www.suse.com/security/cve/CVE-2018-12021"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1100333 for CVE-2018-12021",
          "url": "https://bugzilla.suse.com/1100333"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1111411 for CVE-2018-12021",
          "url": "https://bugzilla.suse.com/1111411"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1128598 for CVE-2018-12021",
          "url": "https://bugzilla.suse.com/1128598"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-12021"
    },
    {
      "cve": "CVE-2018-19295",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-19295"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper Input Validation attacks.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-19295",
          "url": "https://www.suse.com/security/cve/CVE-2018-19295"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1111411 for CVE-2018-19295",
          "url": "https://bugzilla.suse.com/1111411"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2018-19295"
    },
    {
      "cve": "CVE-2019-11328",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-11328"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/\u003cuser\u003e/\u003cinstance\u003e`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-11328",
          "url": "https://www.suse.com/security/cve/CVE-2019-11328"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1128598 for CVE-2019-11328",
          "url": "https://bugzilla.suse.com/1128598"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-11328"
    },
    {
      "cve": "CVE-2019-19724",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-19724"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-19724",
          "url": "https://www.suse.com/security/cve/CVE-2019-19724"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1159550 for CVE-2019-19724",
          "url": "https://bugzilla.suse.com/1159550"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-19724"
    },
    {
      "cve": "CVE-2020-13845",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-13845"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-13845",
          "url": "https://www.suse.com/security/cve/CVE-2020-13845"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1174150 for CVE-2020-13845",
          "url": "https://bugzilla.suse.com/1174150"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-13845"
    },
    {
      "cve": "CVE-2020-13846",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-13846"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-13846",
          "url": "https://www.suse.com/security/cve/CVE-2020-13846"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1174148 for CVE-2020-13846",
          "url": "https://bugzilla.suse.com/1174148"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-13846"
    },
    {
      "cve": "CVE-2020-13847",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-13847"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity\u0027s sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-13847",
          "url": "https://www.suse.com/security/cve/CVE-2020-13847"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1174152 for CVE-2020-13847",
          "url": "https://bugzilla.suse.com/1174152"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-13847"
    },
    {
      "cve": "CVE-2020-15229",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-15229"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with `allow setuid = no`) run of Singularity when a user attempt to run an image which is a local SIF image or a single file containing a squashfs filesystem and is coming from remote sources `library://` or `shub://`. Image build is also impacted in a more serious way as it can be used by a root user, allowing an attacker to overwrite/create files leading to a system compromise, so far bootstrap methods `library`, `shub` and `localimage` are triggering the squashfs extraction. This issue is addressed in Singularity 3.6.4. All users are advised to upgrade to 3.6.4 especially if they use Singularity mainly for building image as root user. There is no solid workaround except to temporary avoid to use unprivileged mode with single file images in favor of sandbox images instead. Regarding image build, temporary avoid to build from `library` and `shub` sources and as much as possible use `--fakeroot` or a VM for that.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-15229",
          "url": "https://www.suse.com/security/cve/CVE-2020-15229"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1177901 for CVE-2020-15229",
          "url": "https://bugzilla.suse.com/1177901"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2020-15229"
    },
    {
      "cve": "CVE-2020-25039",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-25039"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-25039",
          "url": "https://www.suse.com/security/cve/CVE-2020-25039"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1176705 for CVE-2020-25039",
          "url": "https://bugzilla.suse.com/1176705"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1176707 for CVE-2020-25039",
          "url": "https://bugzilla.suse.com/1176707"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-25039"
    },
    {
      "cve": "CVE-2020-25040",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-25040"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-25040",
          "url": "https://www.suse.com/security/cve/CVE-2020-25040"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1176707 for CVE-2020-25040",
          "url": "https://bugzilla.suse.com/1176707"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-25040"
    },
    {
      "cve": "CVE-2021-29136",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-29136"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when \"umoci unpack\" or \"umoci raw unpack\" is used.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-29136",
          "url": "https://www.suse.com/security/cve/CVE-2021-29136"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1184147 for CVE-2021-29136",
          "url": "https://bugzilla.suse.com/1184147"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2021-29136"
    },
    {
      "cve": "CVE-2021-32635",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-32635"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (`run`/`shell`/`exec`) against `library://` URIs are affected. Other commands such as `pull` / `push` respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: Users can only interact with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
          "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-32635",
          "url": "https://www.suse.com/security/cve/CVE-2021-32635"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1186619 for CVE-2021-32635",
          "url": "https://bugzilla.suse.com/1186619"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.aarch64",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.ppc64le",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.s390x",
            "openSUSE Tumbleweed:singularity-3.8.3-1.2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-32635"
    }
  ]
}

OPENSUSE-SU-2019:2288-1

Vulnerability from csaf_opensuse - Published: 2019-10-07 15:31 - Updated: 2019-10-07 15:31

Summary

Security update for singularity

Notes

Title of the patch

Security update for singularity

Description of the patch

This update for singularity fixes the following issues: singularity was updated to version 3.4.1: This point release addresses the following issues: - Fixes an issue where a PID namespace was always being used - Fixes compilation on non 64-bit architectures - Allows fakeroot builds for zypper, pacstrap, and debootstrap - Correctly detects seccomp on OpenSUSE - Honors GO_MODFLAGS properly in the mconfig generated makefile - Passes the Mac hostname to the VM in MacOS Singularity builds - Handles temporary EAGAIN failures when setting up loop devices on recent kernels. New version 3.4.0. Many changes since 3.2.1, for the full changelog please read CHANGELOG.md Update to version 3.2.1: This point release fixes the following bugs: - Allows users to join instances with non-suid workflow - Removes false warning when seccomp is disabled on the host - Fixes an issue in the terminal when piping output to commands - Binds NVIDIA persistenced socket when `--nv` is invoked Improve integration with SUSE Products: add support to create Singularity images with SLE. * Newer SUSE versions use a different path for the RPM database. * When the installation succeeds by an installation scriptlet fails zypper returns error code 107. Don't treat this as an error. * In order to specify a repository GPG key, add support for multi line variables. * In order to specify a list of additional repos, add support to 'indexed' variables. * Improve handling of SUSE repositires: - For SLE, use SUSEConnect to get all product repos. - Allow to specify a repository GPG key. - Allow to specify additional installation repositories. - Add group 'singularity', fix ownerships. Updated to singularity v3.2.0 * CVE-2019-11328: Instance files are now stored in user's home directory for privacy and many checks have been added to ensure that a user can't manipulate files to change `starter-suid` behavior when instances are joined (many thanks to Matthias Gerstner from the SUSE security team for finding and securely reporting this vulnerability) (boo#1128598) * New features / functionalities - Introduced a new basic framework for creating and managing plugins - Added the ability to create containers through multi-stage builds - Created the concept of a Sylabs Cloud 'remote' endpoint and added the ability for users and admins to set them through CLI and conf files - Added caching for images from Singularity Hub - Made it possible to compile Singularity outside of `$GOPATH` - Added a json partition to SIF files for OCI configuration when building from an OCI source - Full integration with Singularity desktop for MacOS code base * New Commands - Introduced the `plugin` command group for creating and managing plugins. * Introduced the `remote` command group to support management of Singularity endpoints. * Added to the `key` command group to improve PGP key management. * Added the `Stage: <name>` keyword to the definition file header and the `from <stage name>` option/argument pair to the `%files` section to support multistage builds * Deprecated / removed commands - The `--token/-t` option has been deprecated in favor of the `singularity remote` command group * Changed defaults / behaviors - Ask to confirm password on a newly generated PGP key - Prompt to push a key to the KeyStore when generated - Refuse to push an unsigned container unless overridden with `--allow-unauthenticated/-U` option - Warn and prompt when pulling an unsigned container without the `--allow-unauthenticated/-U` option For more information check: https://github.com/sylabs/singularity/blob/release-3.2/CHANGELOG.md Updated to singularity v3.1.1: * New Commands - New hidden `buildcfg` command to display compile-time parameters - Added support for `LDFLAGS`, `CFLAGS`, `CGO_` variables in build system - Added `--nocolor` flag to Singularity client to disable color in logging * Removed Commands - `singularity capability <add/drop> --desc` has been removed - `singularity capability list <--all/--group/--user>` flags have all been removed * New features / functionalities - The `--builder` flag to the `build` command implicitly sets `--remote` - Repeated binds no longer cause Singularity to exit and fail, just warn instead - Corrected typos and improved docstrings throughout - Removed warning when CWD does not exist on the host system - Added support to spec file for RPM building on SLES 11 Update to singularity 3.1.0 what is reimplementaion in go so this is a complete new build and just reusing the changelog entries, following build differences were made to the upstream spec file * build position independent executable * build stripped executable - Change from /var/singularity to /var/lib/singularity - Fix warning on bash-completion file about non-executible script. - Add bash completions directory to file list for suse_version < 1500 to keep the build checker happy.

Patchnames

openSUSE-2019-2288

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for singularity",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for singularity fixes the following issues:\n\nsingularity was updated to version 3.4.1:\n\nThis point release addresses the following issues:\n\n- Fixes an issue where a PID namespace was always being used\n- Fixes compilation on non 64-bit architectures\n- Allows fakeroot builds for zypper, pacstrap, and debootstrap\n- Correctly detects seccomp on OpenSUSE\n- Honors GO_MODFLAGS properly in the mconfig generated makefile\n- Passes the Mac hostname to the VM in MacOS Singularity builds\n- Handles temporary EAGAIN failures when setting up loop devices on\nrecent kernels.\n\nNew version 3.4.0. Many changes since 3.2.1, for the full changelog \n  please read CHANGELOG.md\n\nUpdate to version 3.2.1:\n\nThis point release fixes the following bugs:\n\n- Allows users to join instances with non-suid workflow\n- Removes false warning when seccomp is disabled on the host\n- Fixes an issue in the terminal when piping output to commands\n- Binds NVIDIA persistenced socket when `--nv` is invoked\n\nImprove integration with SUSE Products: add support to create Singularity\nimages with SLE.\n\n* Newer SUSE versions use a different path for the RPM database.\n* When the installation succeeds by an installation scriptlet fails\n  zypper returns error code 107. Don\u0027t treat this as an error.\n* In order to specify a repository GPG key, add support for\n  multi line variables.\n* In order to specify a list of additional repos, add support\n  to \u0027indexed\u0027 variables.\n* Improve handling of SUSE repositires:\n\n  - For SLE, use SUSEConnect to get all product repos.\n  - Allow to specify a repository GPG key.\n  - Allow to specify additional installation repositories.\n\n- Add group \u0027singularity\u0027, fix ownerships.\n\nUpdated to singularity v3.2.0\n\n* CVE-2019-11328: Instance files are now stored in user\u0027s home directory for privacy and\n  many checks have been added to ensure that a user can\u0027t manipulate files\n  to change `starter-suid` behavior when instances are joined (many thanks\n  to Matthias Gerstner from the SUSE security team for finding and securely\n  reporting this vulnerability) (boo#1128598)\n\n* New features / functionalities\n\n  - Introduced a new basic framework for creating and managing plugins\n  - Added the ability to create containers through multi-stage builds\n  - Created the concept of a Sylabs Cloud \u0027remote\u0027 endpoint and added the\n    ability for users and admins to set them through CLI and conf files \n  - Added caching for images from Singularity Hub\n  - Made it possible to compile Singularity outside of `$GOPATH`\n  - Added a json partition to SIF files for OCI configuration when building\n    from an OCI source\n  - Full integration with Singularity desktop for MacOS code base\n\n* New Commands\n\n  - Introduced the `plugin` command group for creating and managing plugins.\n\n* Introduced the `remote` command group to support management of Singularity\n  endpoints.\n* Added to the `key` command group to improve PGP key management.\n* Added the `Stage: \u003cname\u003e` keyword to the definition file header and the\n  `from \u003cstage name\u003e` option/argument pair to the `%files` section to\n  support multistage builds\n* Deprecated / removed commands\n\n  - The `--token/-t` option has been deprecated in favor of the `singularity\n    remote` command group\n\n* Changed defaults / behaviors\n\n  - Ask to confirm password on a newly generated PGP key\n  - Prompt to push a key to the KeyStore when generated\n  - Refuse to push an unsigned container unless overridden with\n    `--allow-unauthenticated/-U` option\n  - Warn and prompt when pulling an unsigned container without the\n       `--allow-unauthenticated/-U` option\nFor more information check:\n   https://github.com/sylabs/singularity/blob/release-3.2/CHANGELOG.md\n\nUpdated to singularity v3.1.1:\n\n* New Commands\n\n  - New hidden `buildcfg` command to display compile-time parameters \n  - Added support for `LDFLAGS`, `CFLAGS`, `CGO_` variables in build system\n  - Added `--nocolor` flag to Singularity client to disable color in logging\n\n* Removed Commands\n\n  - `singularity capability \u003cadd/drop\u003e --desc` has been removed\n  - `singularity capability list \u003c--all/--group/--user\u003e` flags have all\n    been removed \n\n* New features / functionalities\n  - The `--builder` flag to the `build` command implicitly sets `--remote`\n  - Repeated binds no longer cause Singularity to exit and fail, just warn\n    instead\n  - Corrected typos and improved docstrings throughout\n  - Removed warning when CWD does not exist on the host system\n  - Added support to spec file for RPM building on SLES 11\n\nUpdate to singularity 3.1.0 what is reimplementaion in go\nso this is a complete new build and just reusing the changelog\nentries, following build differences were made to the upstream\nspec file\n\n* build position independent executable\n* build stripped executable\n\n- Change from /var/singularity to /var/lib/singularity\n- Fix warning on bash-completion file about non-executible script.\n\n- Add bash completions directory to file list for suse_version \u003c 1500\n  to keep the build checker happy.\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2019-2288",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_2288-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2019:2288-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IKW24LOLINECHPX4KVSOFZEYFTA7RDEL/#IKW24LOLINECHPX4KVSOFZEYFTA7RDEL"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2019:2288-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IKW24LOLINECHPX4KVSOFZEYFTA7RDEL/#IKW24LOLINECHPX4KVSOFZEYFTA7RDEL"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1125369",
        "url": "https://bugzilla.suse.com/1125369"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1128598",
        "url": "https://bugzilla.suse.com/1128598"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-11328 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-11328/"
      }
    ],
    "title": "Security update for singularity",
    "tracking": {
      "current_release_date": "2019-10-07T15:31:24Z",
      "generator": {
        "date": "2019-10-07T15:31:24Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2019:2288-1",
      "initial_release_date": "2019-10-07T15:31:24Z",
      "revision_history": [
        {
          "date": "2019-10-07T15:31:24Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-3.4.1-bp151.3.3.1.aarch64",
                "product": {
                  "name": "singularity-3.4.1-bp151.3.3.1.aarch64",
                  "product_id": "singularity-3.4.1-bp151.3.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-3.4.1-bp151.3.3.1.ppc64le",
                "product": {
                  "name": "singularity-3.4.1-bp151.3.3.1.ppc64le",
                  "product_id": "singularity-3.4.1-bp151.3.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-3.4.1-bp151.3.3.1.s390x",
                "product": {
                  "name": "singularity-3.4.1-bp151.3.3.1.s390x",
                  "product_id": "singularity-3.4.1-bp151.3.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-3.4.1-bp151.3.3.1.x86_64",
                "product": {
                  "name": "singularity-3.4.1-bp151.3.3.1.x86_64",
                  "product_id": "singularity-3.4.1-bp151.3.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15",
                "product": {
                  "name": "SUSE Package Hub 15",
                  "product_id": "SUSE Package Hub 15"
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP1",
                "product": {
                  "name": "SUSE Package Hub 15 SP1",
                  "product_id": "SUSE Package Hub 15 SP1"
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.4.1-bp151.3.3.1.aarch64 as component of SUSE Package Hub 15",
          "product_id": "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.aarch64"
        },
        "product_reference": "singularity-3.4.1-bp151.3.3.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.4.1-bp151.3.3.1.ppc64le as component of SUSE Package Hub 15",
          "product_id": "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.ppc64le"
        },
        "product_reference": "singularity-3.4.1-bp151.3.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Package Hub 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.4.1-bp151.3.3.1.s390x as component of SUSE Package Hub 15",
          "product_id": "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.s390x"
        },
        "product_reference": "singularity-3.4.1-bp151.3.3.1.s390x",
        "relates_to_product_reference": "SUSE Package Hub 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.4.1-bp151.3.3.1.x86_64 as component of SUSE Package Hub 15",
          "product_id": "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.x86_64"
        },
        "product_reference": "singularity-3.4.1-bp151.3.3.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.4.1-bp151.3.3.1.aarch64 as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.aarch64"
        },
        "product_reference": "singularity-3.4.1-bp151.3.3.1.aarch64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.4.1-bp151.3.3.1.ppc64le as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.ppc64le"
        },
        "product_reference": "singularity-3.4.1-bp151.3.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.4.1-bp151.3.3.1.s390x as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.s390x"
        },
        "product_reference": "singularity-3.4.1-bp151.3.3.1.s390x",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.4.1-bp151.3.3.1.x86_64 as component of SUSE Package Hub 15 SP1",
          "product_id": "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.x86_64"
        },
        "product_reference": "singularity-3.4.1-bp151.3.3.1.x86_64",
        "relates_to_product_reference": "SUSE Package Hub 15 SP1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-11328",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-11328"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/\u003cuser\u003e/\u003cinstance\u003e`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.aarch64",
          "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.ppc64le",
          "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.s390x",
          "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.x86_64",
          "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.aarch64",
          "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.ppc64le",
          "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.s390x",
          "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-11328",
          "url": "https://www.suse.com/security/cve/CVE-2019-11328"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1128598 for CVE-2019-11328",
          "url": "https://bugzilla.suse.com/1128598"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.aarch64",
            "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.ppc64le",
            "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.s390x",
            "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.x86_64",
            "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.aarch64",
            "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.ppc64le",
            "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.s390x",
            "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.aarch64",
            "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.ppc64le",
            "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.s390x",
            "SUSE Package Hub 15 SP1:singularity-3.4.1-bp151.3.3.1.x86_64",
            "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.aarch64",
            "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.ppc64le",
            "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.s390x",
            "SUSE Package Hub 15:singularity-3.4.1-bp151.3.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-10-07T15:31:24Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-11328"
    }
  ]
}

OPENSUSE-SU-2020:1037-1

Vulnerability from csaf_opensuse - Published: 2020-07-23 04:22 - Updated: 2020-07-23 04:22

Summary

Security update for singularity

Notes

Title of the patch

Security update for singularity

Description of the patch

This update for singularity fixes the following issues: - New version 3.6.0. This version introduces a new signature format for SIF images, and changes to the signing / verification code to address the following security problems: - CVE-2020-13845, boo#1174150 In Singularity 3.x versions below 3.6.0, issues allow the ECL to be bypassed by a malicious user. - CVE-2020-13846, boo#1174148 In Singularity 3.5 the --all / -a option to singularity verify returns success even when some objects in a SIF container are not signed, or cannot be verified. - CVE-2020-13847, boo#1174152 In Singularity 3.x versions below 3.6.0, Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file, allowing an attacker to cause unexpected behavior. A signed container may verify successfully, even when it has been modified in ways that could be exploited to cause malicious behavior. - New features / functionalities - A new '--legacy-insecure' flag to verify allows verification of SIF signatures in the old, insecure format. - A new '-l / --logs' flag for instance list that shows the paths to instance STDERR / STDOUT log files. - The --json output of instance list now include paths to STDERR / STDOUT log files. - Singularity now supports the execution of minimal Docker/OCI containers that do not contain /bin/sh, e.g. docker://hello-world. - A new cache structure is used that is concurrency safe on a filesystem that supports atomic rename. If you downgrade to Singularity 3.5 or older after using 3.6 you will need to run singularity cache clean. - A plugin system rework adds new hook points that will allow the development of plugins that modify behavior of the runtime. An image driver concept is introduced for plugins to support new ways of handling image and overlay mounts. Plugins built for <=3.5 are not compatible with 3.6. - The --bind flag can now bind directories from a SIF or ext3 image into a container. - The --fusemount feature to mount filesystems to a container via FUSE drivers is now a supported feature (previously an experimental hidden flag). - This permits users to mount e.g. sshfs and cvmfs filesystems to the container at runtime. - A new -c/--config flag allows an alternative singularity.conf to be specified by the root user, or all users in an unprivileged installation. - A new --env flag allows container environment variables to be set via the Singularity command line. - A new --env-file flag allows container environment variables to be set from a specified file. - A new --days flag for cache clean allows removal of items older than a specified number of days. Replaces the --name flag which is not generally useful as the cache entries are stored by hash, not a friendly name. - Changed defaults / behaviours - New signature format (see security fixes above). - Fixed spacing of singularity instance list to be dynamically changing based off of input lengths instead of fixed number of spaces to account for long instance names. - Environment variables prefixed with SINGULARITYENV_ always take precedence over variables without SINGULARITYENV_ prefix. - The %post build section inherits environment variables from the base image. - %files from ... will now follow symlinks for sources that are directly specified, or directly resolved from a glob pattern. It will not follow symlinks found through directory traversal. This mirrors Docker multi-stage COPY behaviour. - Restored the CWD mount behaviour of v2, implying that CWD path is not recreated inside container and any symlinks in the CWD path are not resolved anymore to determine the destination path inside container. - The %test build section is executed the same manner as singularity test image. --fusemount with the container: default directive will foreground the FUSE process. Use container-daemon: for previous behavior. - Deprecate -a / --all option to sign/verify as new signature behavior makes this the default. - For more information about upstream changes, please check: https://github.com/hpcng/singularity/blob/master/CHANGELOG.md - Removed --name flag for cache clean; replaced with --days.

Patchnames

openSUSE-2020-1037

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for singularity",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for singularity fixes the following issues:\n\n- New version 3.6.0. This version introduces a new signature format \nfor SIF images, and changes to the signing / verification code to address\nthe following security problems:\n  - CVE-2020-13845, boo#1174150\n  In Singularity 3.x versions below 3.6.0, issues allow the ECL to \n  be bypassed by a malicious user.\n  - CVE-2020-13846, boo#1174148\n  In Singularity 3.5 the --all / -a option to singularity verify \n  returns success even when some objects in a SIF container are not signed, \n  or cannot be verified.\n  - CVE-2020-13847, boo#1174152\n  In Singularity 3.x versions below 3.6.0, Singularity\u0027s sign and verify \n  commands do not sign metadata found in the global header or data object \n  descriptors of a SIF file, allowing an attacker to cause unexpected \n  behavior. A signed container may verify successfully, even when it has \n  been modified in ways that could be exploited to cause malicious behavior.\n\n- New features / functionalities\n  - A new \u0027--legacy-insecure\u0027 flag to verify allows verification of SIF\n  signatures in the old, insecure format.\n  - A new \u0027-l / --logs\u0027 flag for instance list that shows the paths \n  to instance STDERR / STDOUT log files.\n  - The --json output of instance list now include paths to \n  STDERR / STDOUT log files.\n  - Singularity now supports the execution of minimal Docker/OCI\n  containers that do not contain /bin/sh, e.g. docker://hello-world.\n  - A new cache structure is used that is concurrency safe on a filesystem that\n  supports atomic rename. If you downgrade to Singularity 3.5 or older after\n  using 3.6 you will need to run singularity cache clean.\n  - A plugin system rework adds new hook points that will allow the\n  development of plugins that modify behavior of the runtime. An image driver\n  concept is introduced for plugins to support new ways of handling image and\n  overlay mounts. Plugins built for \u003c=3.5 are not compatible with 3.6.\n  - The --bind flag can now bind directories from a SIF or ext3 image into a\n  container.\n  - The --fusemount feature to mount filesystems to a container via FUSE\n  drivers is now a supported feature (previously an experimental hidden flag).\n  - This permits users to mount e.g. sshfs and cvmfs filesystems to the\n  container at runtime.\n  - A new -c/--config flag allows an alternative singularity.conf to be\n  specified by the root user, or all users in an unprivileged installation.\n  - A new --env flag allows container environment variables to be set via the\n  Singularity command line.\n  - A new --env-file flag allows container environment variables to be set from\n  a specified file.\n  - A new --days flag for cache clean allows removal of items older than a\n  specified number of days. Replaces the --name flag which is not generally\n  useful as the cache entries are stored by hash, not a friendly name.\n\n- Changed defaults / behaviours\n - New signature format (see security fixes above).\n - Fixed spacing of singularity instance list to be dynamically changing \n based off of input lengths instead of fixed number of spaces to account\n for long instance names.\n - Environment variables prefixed with SINGULARITYENV_ always take\n precedence over variables without SINGULARITYENV_ prefix.\n - The %post build section inherits environment variables from the base image.\n - %files from ... will now follow symlinks for sources that are directly\n specified, or directly resolved from a glob pattern. It will not follow\n symlinks found through directory traversal. This mirrors Docker multi-stage\n COPY behaviour.\n - Restored the CWD mount behaviour of v2, implying that CWD path is not recreated\n inside container and any symlinks in the CWD path are not resolved anymore to\n determine the destination path inside container.\n - The %test build section is executed the same manner as singularity test image.\n --fusemount with the container: default directive will foreground the FUSE\n process. Use container-daemon: for previous behavior.\n\n- Deprecate -a / --all option to sign/verify as new signature behavior \n  makes this the default.\n- For more information about upstream changes, please check:\n  https://github.com/hpcng/singularity/blob/master/CHANGELOG.md\n- Removed --name flag for cache clean; replaced with --days.\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2020-1037",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2020_1037-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2020:1037-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EIHKRY3G2SS6X2ZY44CW67IIGHCJUYMO/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2020:1037-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EIHKRY3G2SS6X2ZY44CW67IIGHCJUYMO/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1125369",
        "url": "https://bugzilla.suse.com/1125369"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1128598",
        "url": "https://bugzilla.suse.com/1128598"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1159550",
        "url": "https://bugzilla.suse.com/1159550"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1174148",
        "url": "https://bugzilla.suse.com/1174148"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1174150",
        "url": "https://bugzilla.suse.com/1174150"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1174152",
        "url": "https://bugzilla.suse.com/1174152"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-11328 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-11328/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-19724 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-19724/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-13845 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-13845/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-13846 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-13846/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-13847 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-13847/"
      }
    ],
    "title": "Security update for singularity",
    "tracking": {
      "current_release_date": "2020-07-23T04:22:25Z",
      "generator": {
        "date": "2020-07-23T04:22:25Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2020:1037-1",
      "initial_release_date": "2020-07-23T04:22:25Z",
      "revision_history": [
        {
          "date": "2020-07-23T04:22:25Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "singularity-3.6.0-lp151.2.6.1.x86_64",
                "product": {
                  "name": "singularity-3.6.0-lp151.2.6.1.x86_64",
                  "product_id": "singularity-3.6.0-lp151.2.6.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.1",
                "product": {
                  "name": "openSUSE Leap 15.1",
                  "product_id": "openSUSE Leap 15.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "singularity-3.6.0-lp151.2.6.1.x86_64 as component of openSUSE Leap 15.1",
          "product_id": "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
        },
        "product_reference": "singularity-3.6.0-lp151.2.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-11328",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-11328"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/\u003cuser\u003e/\u003cinstance\u003e`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-11328",
          "url": "https://www.suse.com/security/cve/CVE-2019-11328"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1128598 for CVE-2019-11328",
          "url": "https://bugzilla.suse.com/1128598"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-07-23T04:22:25Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-11328"
    },
    {
      "cve": "CVE-2019-19724",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-19724"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-19724",
          "url": "https://www.suse.com/security/cve/CVE-2019-19724"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1159550 for CVE-2019-19724",
          "url": "https://bugzilla.suse.com/1159550"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-07-23T04:22:25Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-19724"
    },
    {
      "cve": "CVE-2020-13845",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-13845"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-13845",
          "url": "https://www.suse.com/security/cve/CVE-2020-13845"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1174150 for CVE-2020-13845",
          "url": "https://bugzilla.suse.com/1174150"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-07-23T04:22:25Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-13845"
    },
    {
      "cve": "CVE-2020-13846",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-13846"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-13846",
          "url": "https://www.suse.com/security/cve/CVE-2020-13846"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1174148 for CVE-2020-13846",
          "url": "https://bugzilla.suse.com/1174148"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-07-23T04:22:25Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-13846"
    },
    {
      "cve": "CVE-2020-13847",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-13847"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity\u0027s sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-13847",
          "url": "https://www.suse.com/security/cve/CVE-2020-13847"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1174152 for CVE-2020-13847",
          "url": "https://bugzilla.suse.com/1174152"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Leap 15.1:singularity-3.6.0-lp151.2.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2020-07-23T04:22:25Z",
          "details": "important"
        }
      ],
      "title": "CVE-2020-13847"
    }
  ]
}

GSD-2019-11328

Vulnerability from gsd - Updated: 2023-12-13 01:24

Details

Aliases

CVE-2019-11328

Aliases

CVE-2019-11328

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-11328",
    "description": "An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/\u003cuser\u003e/\u003cinstance\u003e`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.",
    "id": "GSD-2019-11328",
    "references": [
      "https://www.suse.com/security/cve/CVE-2019-11328.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-11328"
      ],
      "details": "An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/\u003cuser\u003e/\u003cinstance\u003e`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.",
      "id": "GSD-2019-11328",
      "modified": "2023-12-13T01:24:01.929890Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2019-11328",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/\u003cuser\u003e/\u003cinstance\u003e`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/sylabs/singularity/releases/tag/v3.2.0",
            "refsource": "CONFIRM",
            "url": "https://github.com/sylabs/singularity/releases/tag/v3.2.0"
          },
          {
            "name": "[oss-security] 20190516 Singularity 3.1.0: CVE-2019-11328: namespace privilege escalation and arbitrary file corruption",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2019/05/16/1"
          },
          {
            "name": "108360",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/108360"
          },
          {
            "name": "FEDORA-2019-da2ed3b0b5",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNU5BUHFOTYUZVHFUSX2VG4S3RCPUEMA/"
          },
          {
            "name": "FEDORA-2019-9f48c6fedc",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5O3TPL5OOTIZEI4H6IQBCCISBARJ6WL3/"
          },
          {
            "name": "FEDORA-2019-25ecc42592",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LIHV7DSEVTB5SUPEZ2UXGS3Q6WMEQSO2/"
          },
          {
            "name": "openSUSE-SU-2019:2288",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00028.html"
          },
          {
            "name": "openSUSE-SU-2020:1037",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "_git_import_path": "go/github.com/sylabs/singularity/internal/pkg/runtime/engines/singularity",
          "affected_range": "\u003e=3.1.0 \u003c3.2.0",
          "affected_versions": "All versions starting from 3.1.0 before 3.2.0",
          "cvss_v2": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-732",
            "CWE-937"
          ],
          "date": "2019-05-25",
          "description": "An issue was discovered in Singularity, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/\u003cuser\u003e/\u003cinstance\u003e`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.",
          "fixed_versions": [
            "3.2.0"
          ],
          "identifier": "CVE-2019-11328",
          "identifiers": [
            "CVE-2019-11328"
          ],
          "not_impacted": "All versions starting from 3.2.0",
          "package_slug": "go/github.com/sylabs/singularity",
          "pubdate": "2019-05-14",
          "solution": "Upgrade to version 3.2.0 or above.",
          "title": "Improper Access Control",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-11328"
          ],
          "uuid": "6eff5f36-38b1-445b-8775-5bf360e17ef9"
        },
        {
          "affected_range": "\u003e=3.1.0 \u003c3.2.0",
          "affected_versions": "All versions starting from 3.1.0 before 3.2.0",
          "cvss_v2": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-732",
            "CWE-937"
          ],
          "date": "2021-12-20",
          "description": "An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/\u003cuser\u003e/\u003cinstance\u003e`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.",
          "fixed_versions": [
            "3.2.0"
          ],
          "identifier": "CVE-2019-11328",
          "identifiers": [
            "GHSA-557g-r22w-9wvx",
            "CVE-2019-11328"
          ],
          "not_impacted": "All versions before 3.1.0, all versions starting from 3.2.0",
          "package_slug": "go/github.com/sylabs/singularity/internal/pkg/runtime/engines/singularity",
          "pubdate": "2021-12-20",
          "solution": "Upgrade to version 3.2.0 or above.",
          "title": "Incorrect Permission Assignment for Critical Resource",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-11328",
            "https://github.com/sylabs/singularity/commit/618c9d56802399adb329c23ea2b70598eaff4a31",
            "https://github.com/sylabs/singularity/releases/tag/v3.2.0",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5O3TPL5OOTIZEI4H6IQBCCISBARJ6WL3/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LIHV7DSEVTB5SUPEZ2UXGS3Q6WMEQSO2/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNU5BUHFOTYUZVHFUSX2VG4S3RCPUEMA/",
            "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00028.html",
            "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html",
            "http://www.openwall.com/lists/oss-security/2019/05/16/1",
            "http://www.securityfocus.com/bid/108360",
            "https://github.com/advisories/GHSA-557g-r22w-9wvx"
          ],
          "uuid": "852f3519-bc29-4a81-b4e0-40964df5850e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sylabs:singularity:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.2.0",
                "versionStartIncluding": "3.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sylabs:singularity:3.2.0:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sylabs:singularity:3.2.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sylabs:singularity:3.2.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:backports:sle-15:sp1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:backports:sle-15:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-11328"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/\u003cuser\u003e/\u003cinstance\u003e`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-732"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/sylabs/singularity/releases/tag/v3.2.0",
              "refsource": "CONFIRM",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/sylabs/singularity/releases/tag/v3.2.0"
            },
            {
              "name": "[oss-security] 20190516 Singularity 3.1.0: CVE-2019-11328: namespace privilege escalation and arbitrary file corruption",
              "refsource": "MLIST",
              "tags": [
                "Exploit",
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/05/16/1"
            },
            {
              "name": "108360",
              "refsource": "BID",
              "tags": [
                "Broken Link"
              ],
              "url": "http://www.securityfocus.com/bid/108360"
            },
            {
              "name": "FEDORA-2019-9f48c6fedc",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5O3TPL5OOTIZEI4H6IQBCCISBARJ6WL3/"
            },
            {
              "name": "FEDORA-2019-da2ed3b0b5",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNU5BUHFOTYUZVHFUSX2VG4S3RCPUEMA/"
            },
            {
              "name": "FEDORA-2019-25ecc42592",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LIHV7DSEVTB5SUPEZ2UXGS3Q6WMEQSO2/"
            },
            {
              "name": "openSUSE-SU-2019:2288",
              "refsource": "SUSE",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00028.html"
            },
            {
              "name": "openSUSE-SU-2020:1037",
              "refsource": "SUSE",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-02-28T15:15Z",
      "publishedDate": "2019-05-14T21:29Z"
    }
  }
}

GHSA-557G-R22W-9WVX

Vulnerability from github – Published: 2021-12-20 18:25 – Updated: 2023-02-28 16:47

Summary

Incorrect Permission Assignment for Critical Resource in Singularity

Details

An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within /run/singularity/instances/sing/<user>/<instance>. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.

Severity ?

8.8 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sylabs/singularity"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-11328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-732"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-17T15:50:05Z",
    "nvd_published_at": "2019-05-14T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/\u003cuser\u003e/\u003cinstance\u003e`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.",
  "id": "GHSA-557g-r22w-9wvx",
  "modified": "2023-02-28T16:47:09Z",
  "published": "2021-12-20T18:25:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11328"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/commit/618c9d56802399adb329c23ea2b70598eaff4a31"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/releases/tag/v3.2.0"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5O3TPL5OOTIZEI4H6IQBCCISBARJ6WL3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LIHV7DSEVTB5SUPEZ2UXGS3Q6WMEQSO2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNU5BUHFOTYUZVHFUSX2VG4S3RCPUEMA"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/05/16/1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108360"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Permission Assignment for Critical Resource in Singularity"
}

FKIE_CVE-2019-11328

Vulnerability from fkie_nvd - Published: 2019-05-14 21:29 - Updated: 2024-11-21 04:20

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve@mitre.org	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00028.html	Third Party Advisory
cve@mitre.org	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html	Third Party Advisory
cve@mitre.org	http://www.openwall.com/lists/oss-security/2019/05/16/1	Exploit, Mailing List, Third Party Advisory
cve@mitre.org	http://www.securityfocus.com/bid/108360	Broken Link
cve@mitre.org	https://github.com/sylabs/singularity/releases/tag/v3.2.0	Release Notes
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5O3TPL5OOTIZEI4H6IQBCCISBARJ6WL3/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LIHV7DSEVTB5SUPEZ2UXGS3Q6WMEQSO2/
cve@mitre.org	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNU5BUHFOTYUZVHFUSX2VG4S3RCPUEMA/
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00028.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2019/05/16/1	Exploit, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/108360	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://github.com/sylabs/singularity/releases/tag/v3.2.0	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5O3TPL5OOTIZEI4H6IQBCCISBARJ6WL3/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LIHV7DSEVTB5SUPEZ2UXGS3Q6WMEQSO2/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNU5BUHFOTYUZVHFUSX2VG4S3RCPUEMA/

Impacted products

Vendor	Product	Version
sylabs	singularity	*
sylabs	singularity	3.2.0
sylabs	singularity	3.2.0
sylabs	singularity	3.2.0
fedoraproject	fedora	28
fedoraproject	fedora	29
fedoraproject	fedora	30
opensuse	backports	sle-15
opensuse	backports	sle-15
opensuse	leap	15.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sylabs:singularity:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A03C5294-152B-4B8C-A3C9-C12F336E3CF8",
              "versionEndExcluding": "3.2.0",
              "versionStartIncluding": "3.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylabs:singularity:3.2.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "DCF1D191-8AE3-45AB-A8B8-5FE0495AFDF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylabs:singularity:3.2.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "CD87FF8D-26D4-42AE-9D6B-BC49773D6A4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylabs:singularity:3.2.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "9893E982-1FA4-474C-9FC0-5B08BEA1937D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC1BD7B7-6D88-42B8-878E-F1318CA5FCAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*",
              "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
              "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:opensuse:backports:sle-15:-:*:*:*:*:*:*",
              "matchCriteriaId": "398716BC-E609-4338-BAB9-7CB2A78599BC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:backports:sle-15:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "C84D9410-31B7-421A-AD99-8ED2E45A9BC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/\u003cuser\u003e/\u003cinstance\u003e`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 un problema en Singularity versi\u00f3n 3.1.0 hasta la 3.2.0-rc2, un usuario malicioso con acceso local de red hacia el sistema host (por ejemplo, ssh) podr\u00eda atacar esta vulnerabilidad debido a permisos no seguros que permiten a un usuario editar archivos dentro de `/run/singularity/instances/sing//`. La manipulaci\u00f3n de esos archivos puede cambiar el comportamiento del programa starter-suid cuando las peticiones se unen, lo que conlleva a una posible escalada de privilegios en el host."
    }
  ],
  "id": "CVE-2019-11328",
  "lastModified": "2024-11-21T04:20:53.913",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-05-14T21:29:01.137",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00028.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/05/16/1"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.securityfocus.com/bid/108360"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/sylabs/singularity/releases/tag/v3.2.0"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5O3TPL5OOTIZEI4H6IQBCCISBARJ6WL3/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LIHV7DSEVTB5SUPEZ2UXGS3Q6WMEQSO2/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNU5BUHFOTYUZVHFUSX2VG4S3RCPUEMA/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00028.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/05/16/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://www.securityfocus.com/bid/108360"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/sylabs/singularity/releases/tag/v3.2.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5O3TPL5OOTIZEI4H6IQBCCISBARJ6WL3/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LIHV7DSEVTB5SUPEZ2UXGS3Q6WMEQSO2/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNU5BUHFOTYUZVHFUSX2VG4S3RCPUEMA/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-11328 (GCVE-0-2019-11328)

OPENSUSE-SU-2024:11384-1

OPENSUSE-SU-2019:2288-1

OPENSUSE-SU-2020:1037-1

GSD-2019-11328

GHSA-557G-R22W-9WVX

FKIE_CVE-2019-11328

Tags

Sightings

Nomenclature