Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWp2OWMtdzc0cS02NzYy
Insecure permissions on build temporary rootfs in Singularity
Impact
Insecure permissions on temporary directories used in explicit and implicit container build operations.
When a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running build, which in certain circumstances may enable arbitrary code execution during the build and/or when the built container is run.
Patches
This issue is addressed in Singularity 3.6.3.
All users are advised to upgrade to 3.6.3.
Workarounds
The issue is mitigated if TMPDIR is set to a location that is only accessible to the user, as any subdirectories directly under TMPDIR cannot then be accessed by others. However, this is difficult to enforce so it is not recommended to rely on this as a mitigation.
For more information
General questions about the impact of the advisory / changes made in the 3.6.0 release can be asked in the:
Any sensitive security concerns should be directed to: [email protected]
See our Security Policy here: https://sylabs.io/security-policy
Permalink: https://github.com/advisories/GHSA-jv9c-w74q-6762JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWp2OWMtdzc0cS02NzYy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-jv9c-w74q-6762, CVE-2020-25040
References:
- https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762
- https://nvd.nist.gov/vuln/detail/CVE-2020-25040
- https://medium.com/sylabs
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00070.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00088.html
- https://github.com/advisories/GHSA-jv9c-w74q-6762
Blast Radius: 7.9
Affected Packages
go:github.com/sylabs/singularity
Dependent packages: 3Dependent repositories: 8
Downloads:
Affected Version Ranges: < 3.6.3
Fixed in: 3.6.3
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1
All unaffected versions: