Bug 2318169

Summary: [Major Incident] CVE-2024-21626 singularity-ce: file descriptor leak [epel-9]
Product: [Fedora] Fedora EPEL Reporter: subhro
Component: singularity-ceAssignee: David Trudgian <dtrudg>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: epel9CC: dtrudg, dwd, go-sig
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["acf04707-a872-4c84-9e53-4f9acf767e2f"]}
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-10-14 10:42:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2258725    

Description subhro 2024-10-11 19:39:28 UTC 
More information about this security flaw is available in the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2258725

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Comment 1 David Trudgian 2024-10-14 10:42:49 UTC 
The file descriptor leak is in the runc binary, not the library usage of the go runc module in SingularityCE.

While SingularityCE can call out to runc (if crun is not available), it does not provide the binary so we can't fix this here.