An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc2djItcWNobS1ncmo3
Insecure permissions on user namespace / fakeroot temporary rootfs in Singularity
Insecure permissions on temporary directories used in fakeroot or user namespace container execution.
When a Singularity action command (run, shell, exec) is run with the fakeroot or user namespace option, Singularity will extract a container image to a temporary sandbox directory. Due to insecure permissions on the temporary directory it is possible for any user with access to the system to read the contents of the image. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running container.
This issue is addressed in Singularity 3.6.3.
All users are advised to upgrade to 3.6.3.
The issue is mitigated if
TMPDIR is set to a location that is only accessible to the user, as any subdirectories directly under
TMPDIR cannot then be accessed by others. However, this is difficult to enforce so it is not recommended to rely on this as a mitigation.
For more information
General questions about the impact of the advisory / changes made in the 3.6.0 release can be asked in the:
Any sensitive security concerns should be directed to: [email protected]
See our Security Policy here: https://sylabs.io/security-policyPermalink: https://github.com/advisories/GHSA-w6v2-qchm-grj7
Source: GitHub Advisory Database
Published: almost 2 years ago
Updated: 10 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-w6v2-qchm-grj7, CVE-2020-25039
Fixed in: 3.6.3