openSUSE Security Update : singularity (openSUSE-2020-1037)

high Nessus Plugin ID 138979

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for singularity fixes the following issues :

- New version 3.6.0. This version introduces a new signature format for SIF images, and changes to the signing / verification code to address the following security problems :

- CVE-2020-13845, boo#1174150 In Singularity 3.x versions below 3.6.0, issues allow the ECL to be bypassed by a malicious user.

- CVE-2020-13846, boo#1174148 In Singularity 3.5 the --all / -a option to singularity verify returns success even when some objects in a SIF container are not signed, or cannot be verified.

- CVE-2020-13847, boo#1174152 In Singularity 3.x versions below 3.6.0, Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file, allowing an attacker to cause unexpected behavior. A signed container may verify successfully, even when it has been modified in ways that could be exploited to cause malicious behavior.

- New features / functionalities

- A new '--legacy-insecure' flag to verify allows verification of SIF signatures in the old, insecure format.

- A new '-l / --logs' flag for instance list that shows the paths to instance STDERR / STDOUT log files.

- The --json output of instance list now include paths to STDERR / STDOUT log files.

- Singularity now supports the execution of minimal Docker/OCI containers that do not contain /bin/sh, e.g.
docker://hello-world.

- A new cache structure is used that is concurrency safe on a filesystem that supports atomic rename. If you downgrade to Singularity 3.5 or older after using 3.6 you will need to run singularity cache clean.

- A plugin system rework adds new hook points that will allow the development of plugins that modify behavior of the runtime. An image driver concept is introduced for plugins to support new ways of handling image and overlay mounts. Plugins built for <=3.5 are not compatible with 3.6.

- The --bind flag can now bind directories from a SIF or ext3 image into a container.

- The --fusemount feature to mount filesystems to a container via FUSE drivers is now a supported feature (previously an experimental hidden flag).

- This permits users to mount e.g. sshfs and cvmfs filesystems to the container at runtime.

- A new -c/--config flag allows an alternative singularity.conf to be specified by the root user, or all users in an unprivileged installation.

- A new --env flag allows container environment variables to be set via the Singularity command line.

- A new --env-file flag allows container environment variables to be set from a specified file.

- A new --days flag for cache clean allows removal of items older than a specified number of days. Replaces the --name flag which is not generally useful as the cache entries are stored by hash, not a friendly name.

- Changed defaults / behaviours

- New signature format (see security fixes above).

- Fixed spacing of singularity instance list to be dynamically changing based off of input lengths instead of fixed number of spaces to account for long instance names.

- Environment variables prefixed with SINGULARITYENV_ always take precedence over variables without SINGULARITYENV_ prefix.

- The %post build section inherits environment variables from the base image.

- %files from ... will now follow symlinks for sources that are directly specified, or directly resolved from a glob pattern. It will not follow symlinks found through directory traversal. This mirrors Docker multi-stage COPY behaviour.

- Restored the CWD mount behaviour of v2, implying that CWD path is not recreated inside container and any symlinks in the CWD path are not resolved anymore to determine the destination path inside container.

- The %test build section is executed the same manner as singularity test image.

--fusemount with the container: default directive will foreground the FUSE process. Use container-daemon: for previous behavior.

- Deprecate -a / --all option to sign/verify as new signature behavior makes this the default.

- For more information about upstream changes, please check:
https://github.com/hpcng/singularity/blob/master/CHANGEL OG.md

- Removed --name flag for cache clean; replaced with
--days.

Solution

Update the affected singularity packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1125369

https://bugzilla.opensuse.org/show_bug.cgi?id=1128598

https://bugzilla.opensuse.org/show_bug.cgi?id=1159550

https://bugzilla.opensuse.org/show_bug.cgi?id=1174148

https://bugzilla.opensuse.org/show_bug.cgi?id=1174150

https://bugzilla.opensuse.org/show_bug.cgi?id=1174152

https://github.com/hpcng/singularity/blob/master/CHANGELOG.md

Plugin Details

Severity: High

ID: 138979

File Name: openSUSE-2020-1037.nasl

Version: 1.3

Type: local

Agent: unix

Published: 7/27/2020

Updated: 2/28/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2019-11328

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:singularity, cpe:/o:novell:opensuse:15.1, p-cpe:/a:novell:opensuse:singularity-debuginfo

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/23/2020

Vulnerability Publication Date: 5/14/2019

Reference Information

CVE: CVE-2019-11328, CVE-2019-19724, CVE-2020-13845, CVE-2020-13846, CVE-2020-13847