Bug 2161899

Summary:	apptainer: vulnerable to CVE-2022-23538
Product:	[Fedora] Fedora EPEL	Reporter:	David Trudgian <dtrudg>
Component:	apptainer	Assignee:	Dave Dykstra <dwd>
Status:	CLOSED ERRATA	QA Contact:
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	epel8	CC:	dwd, go-sig
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	apptainer-1.1.6-1.el9 apptainer-1.1.6-1.el8 apptainer-1.1.6-1.fc37 apptainer-1.1.6-1.el7 apptainer-1.1.6-1.fc36	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-02-22 09:25:01 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description David Trudgian 2023-01-18 08:35:58 UTC

Description of problem:

apptainer uses github.com/apptainer/container-library-client as a bundled Go dependency.

This dependency is a fork of github.com/sylabs/scs-library-client and is vulnerable to CVE-2022-23538 that has been disclosed by the authors of github.com/sylabs/scs-library-client and fixed upstream there.

Ref: https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7

A bz issue (2161860) has been raised for singularity-ce regarding the CVE in github.com/sylabs/scs-library-client. However one is not raised for apptainer, likely because the dependency is forked. In addition, apptainer does not declare its bundled Go dependencies with provides.

Version-Release number of selected component (if applicable): 1.1.4-2 (current epel stable) 1.1.5-1 (in epel testing).


How reproducible: Always


Steps to Reproduce:
1. Examine CVE information at https://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7
2. Confirm existence of issue in apptainer dependency github.com/apptainer/container-library-client which is a fork of the project reporting the CVE.

Comment 1 Dave Dykstra 2023-01-18 22:57:11 UTC

Thanks, DT.  It will be in the next release.

Comment 2 Fedora Update System 2023-02-14 23:13:00 UTC

FEDORA-EPEL-2023-1eae057392 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1eae057392

Comment 3 Fedora Update System 2023-02-14 23:13:03 UTC

FEDORA-2023-677d58bb20 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-677d58bb20

Comment 4 Fedora Update System 2023-02-14 23:13:06 UTC

FEDORA-EPEL-2023-5f32ecbc71 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-5f32ecbc71

Comment 5 Fedora Update System 2023-02-14 23:13:08 UTC

FEDORA-EPEL-2023-b020c7de04 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-b020c7de04

Comment 6 Fedora Update System 2023-02-14 23:13:11 UTC

FEDORA-2023-01ff262091 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-01ff262091

Comment 7 Fedora Update System 2023-02-15 01:35:08 UTC

FEDORA-2023-01ff262091 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-01ff262091`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-01ff262091

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-02-15 01:37:26 UTC

FEDORA-EPEL-2023-5f32ecbc71 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-5f32ecbc71

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2023-02-15 01:48:16 UTC

FEDORA-EPEL-2023-1eae057392 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1eae057392

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2023-02-15 01:49:51 UTC

FEDORA-EPEL-2023-b020c7de04 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-b020c7de04

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-02-15 02:27:04 UTC

FEDORA-2023-677d58bb20 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-677d58bb20`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-677d58bb20

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2023-02-22 09:25:01 UTC

FEDORA-EPEL-2023-5f32ecbc71 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 13 Fedora Update System 2023-02-22 10:02:25 UTC

FEDORA-EPEL-2023-b020c7de04 has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 14 Fedora Update System 2023-02-22 10:11:34 UTC

FEDORA-2023-01ff262091 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 15 Fedora Update System 2023-02-22 10:39:41 UTC

FEDORA-EPEL-2023-1eae057392 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 16 Fedora Update System 2023-02-22 11:07:38 UTC

FEDORA-2023-677d58bb20 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.