Bug 1585618

Summary: singularity: Multiple security vulnerabilities fixed in 2.5.0
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: bbockelm, dave.love, dwd
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: singularity 2.5.0
Doc Type: If docs needed, set a value
Last Closed: 2019-04-12 19:56:19 UTC
Bug Depends On: 1457856, 1585619, 1585620

Description Andrej Nemec 2018-06-04 08:33:35 UTC
This release includes fixes for several high and medium severity security issues. It also contains a whole slew of bug fixes including the much awaited docker aufs whiteout file fix. It's a new release instead of a point release because it adds a new dependency to handle this bug, includes some new (albeit minor) feature enhancements, and changes the behavior of a few environment variables (see below).

Singularity 2.5 should be installed immediately and all previous versions of Singularity should be removed. Many of the vulnerabilities fixed in this release are expected to affect all Linux distributions regardless of whether they implement overlayfs. There are no mitigations or workarounds for these issues outside of updating Singularity.

Additionally, Singularity 2.5 drops support for hosts that do not support the prctl() function PR_SET_NO_NEW_PRIVS. The PR_SET_NO_NEW_PRIVS feature was added to prctl() in the Linux 3.5 kernel. Various distributions have since backported this feature to currently maintained kernels (for example, Red Hat added this feature to RHEL 6.7 with the 2.6.32-504.16.2 kernel). Kernels that do not have this feature are inherently insecure in many ways. They do not implement container runtimes securely. Blocks have therefore been put in place to prevent Singularity 2.5 from building or running on vulnerable kernels.

References:

https://github.com/singularityware/singularity/releases
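As an added example (not part of this bug report or of Singularity's own code), a C probe of the kind a container runtime can use to gate on PR_SET_NO_NEW_PRIVS as described above: it reads the flag without side effects to decide whether the kernel supports it, then enables it and cross-checks the result via prctl and /proc/self/status. It assumes Linux headers; the fallback constant values are the kernel's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
/* Kernel values, as a fallback for headers predating Linux 3.5. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* 1 if the kernel implements no_new_privs, 0 if not (EINVAL), -1 on other
 * errors.  Reading the flag has no side effects, so it is safe as a gate. */
int no_new_privs_supported(void)
{
    if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) >= 0)
        return 1;
    return errno == EINVAL ? 0 : -1;
}

/* Set no_new_privs for this process (irreversible, inherited by children):
 * setuid/setgid/file-capability execs can no longer raise privileges.  Verify
 * via prctl, and cross-check the NoNewPrivs line in /proc/self/status (4.10+). */
int enable_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return 0;
    if (prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1)
        return 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 1;               /* prctl is authoritative; /proc is a cross-check */
    char line[256];
    int ok = 1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "NoNewPrivs:", 11) == 0)
            ok = (strcmp(line, "NoNewPrivs:\t1\n") == 0);
    fclose(f);
    return ok;
}
int main(void)
{
    if (no_new_privs_supported() != 1) {
        fputs("kernel lacks PR_SET_NO_NEW_PRIVS; refusing to run\n", stderr);
        return 1;
    }
    return enable_no_new_privs() ? 0 : 1;
}
```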

Comment 1 Andrej Nemec 2018-06-04 08:33:57 UTC
Created singularity tracking bugs for this issue:

Affects: epel-all [bug 1585620]
Affects: fedora-all [bug 1585619]

Comment 2 Dave Dykstra 2018-06-04 12:05:49 UTC
Andrej,

A fix is pending but we're waiting on bbockelm to get admin privileges on the package so he can accept my pull request as detailed in bug #1457856.  Can you help with that?

Dave

Comment 3 Andrej Nemec 2018-06-04 13:34:03 UTC
(In reply to Dave Dykstra from comment #2)
> Andrej,
> 
> A fix is pending but we're waiting on bbockelm to get admin privileges on
> the package so he can accept my pull request as detailed in bug #1457856. 
> Can you help with that?
> 
> Dave

Hi Dave,

I tried looking at the problem, but I seem to lack any kind of privileges to resolve it. Mailing the original maintainer looks to be the most straightforward way here.

Comment 4 Dave Love 2018-06-05 10:39:34 UTC
I didn't know that the attempt to give bbockelm admin rights that I posted about hadn't worked.  As far as I can tell, the second attempt has worked.  Please confirm.

Comment 5 Dave Dykstra 2018-06-05 18:39:15 UTC
Yes, thank you!  Brian was able to merge the PR and we are proceeding, tracked in bug #1457856.  Andrej, please set this ticket to depend on that one, I can't do it.

Comment 6 Brian Bockelman 2018-06-06 20:36:54 UTC
Given there are some minor breaks in the CLI for building images (and there's a pretty significant version jump), I've filed a ticket with FESCo (https://pagure.io/fesco/issue/1904; since it's security-related I marked it as private) for permission to rebase to 2.5.1 across the different versions.

I have builds across all active branches for 2.5.1.  I will push to Bodhi for EL6 / EPEL7 / FC28 / FC29 to allow some folks to test the update (and disable auto-push until FESCo responds).

Comment 7 Brian Bockelman 2018-06-12 14:49:12 UTC
FESCo approved the rebase.

We have sufficient karma on EPEL7 so I will push that forward.

I will badger a few other folks on mailing lists to get at least some positive karma on the remaining platforms.