Bug 2189896 (CVE-2023-30549) - CVE-2023-30549 apptainer: use after free flaw when mounting ext4
Summary: CVE-2023-30549 apptainer: use after free flaw when mounting ext4
Alias: CVE-2023-30549
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2189640 2189897 2189898
Blocks: 2189891
TreeView+ depends on / blocked
Reported: 2023-04-26 10:38 UTC by Vipul Nair
Modified: 2023-05-26 18:53 UTC (History)
0 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2023-04-26 16:09:52 UTC

Attachments (Terms of Use)

Description Vipul Nair 2023-04-26 10:38:23 UTC
There is an ext4 use-after-free flaw that is exploitable through versions of Apptainer < 1.1.0, installations that include apptainer-suid < 1.1.8, and all versions of Singularity in their default configurations on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal. Use-after-free flaws in the kernel can be used to attack the kernel for denial of service and potentially for privilege escalation.

Apptainer 1.1.8 includes a patch that by default disables mounting of extfs filesystem types in setuid-root mode, while continuing to allow mounting of extfs filesystems in non-setuid "rootless" mode using fuse2fs.


Comment 1 Vipul Nair 2023-04-26 10:40:04 UTC
Created apptainer tracking bugs for this issue:

Affects: epel-all [bug 2189898]
Affects: fedora-all [bug 2189897]

Comment 2 Product Security DevOps Team 2023-04-26 16:09:50 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.