Hi Afif,

On Wed, May 15, 2019 at 08:54:03PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the src:singularity-container package:
> 
> #929042: singularity-container: CVE-2019-11328
> 
> It has been closed by Afif Elghraoui <a...@debian.org>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Afif Elghraoui 
> <a...@debian.org> by
> replying to this email.
> 
> 
> -- 
> 929042: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929042
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems

> Date: Wed, 15 May 2019 16:51:24 -0400
> From: Afif Elghraoui <a...@debian.org>
> To: 929042-d...@bugs.debian.org
> Subject: Re: Bug#929042: singularity-container: CVE-2019-11328
> User-Agent: K-9 Mail for Android
> Message-ID: <485aede8-7653-49da-97ec-be9fd454b...@debian.org>
> 
> Control: notfound -1 3.1.1+ds-1
> 
> Hi,
> 
> On May 15, 2019 4:29:54 PM EDT, Salvatore Bonaccorso <car...@debian.org> 
> wrote:
> >Source: singularity-container
> >Version: 3.1.1+ds-1
> >Severity: grave
> >Tags: security upstream
> >
> >Hi,
> >
> >The following vulnerability was published for singularity-container.
> >
> >CVE-2019-11328[0]:
> >| An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious
> >| user with local/network access to the host system (e.g. ssh) could
> >| exploit this vulnerability due to insecure permissions allowing a user
> >| to edit files within
> >| `/run/singularity/instances/sing/<user>/<instance>`. The
> >| manipulation of those files can change the behavior of the starter-
> >| suid program when instances are joined resulting in potential
> >| privilege escalation on the host.
> >
> 
> The version I uploaded yesterday includes the patches for this CVE.

Thanks, saw that, and fixed the security-tracker information.

> >Could you furthermore check, is this only introduced in the 3.1.0
> >series really or just are those the versions checked for the issue,
> >but earlier versions might be affected as well?
> >
> 
> I filed an unblock request to hopefully replace 3.0.3 in Testing. 2.6.1 
> doesn't have the affected code (it predates the Go implementation).

Thanks, that was an important bit to know.

Then there is nothing further to be done.

Regards,
Salvatore
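As an added illustration of the vulnerability class named in the quoted CVE text (a per-instance runtime state directory whose entries other local users can modify), here is a small audit routine that is not part of Singularity, of the Debian packaging, or of this thread. It walks a directory tree and reports entries that are group/other-writable, that are symlinks, or that are not owned by the expected uid. The directory layout and file names it builds (`instances/sing/alice/inst1`, `config.json`, `pid`, `link`) are constructed in a temporary directory for the demonstration and are assumptions, not the real on-disk format used by the program.

```python
"""Audit a runtime state directory for entries other local users could modify.

Added example (not project code). The tree built by demo() is constructed in a
temporary directory; its layout only mirrors the path quoted in the CVE text.
"""
import os
import stat
import tempfile
from pathlib import Path


def insecure_entries(root, expected_uid):
    """Return a sorted list of (relative_path, reason) for every entry under
    `root` (including `root` itself) that is writable by group or others, is a
    symlink, or is not owned by `expected_uid`.

    lstat() is used so symlinks are reported rather than followed: a link
    planted in a state directory can redirect a privileged reader elsewhere.
    """
    root = Path(root)
    findings = []
    for path in [root, *root.rglob("*")]:
        st = path.lstat()
        rel = str(path.relative_to(root)) or "."
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "symlink in state directory"))
            continue
        if st.st_uid != expected_uid:
            findings.append((rel, f"owned by uid {st.st_uid}, expected {expected_uid}"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append((rel, f"writable by group/other (mode {mode:04o})"))
    return sorted(findings)


def demo():
    """Build a constructed instance directory with one deliberately loose file
    and one symlink, run the audit against it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed layout: <tmp>/instances/sing/<user>/<instance>
        d = Path(tmp)
        for part in ("instances", "sing", "alice", "inst1"):
            d = d / part
            d.mkdir()
            # Parents are world-readable; the instance dir is owner-only.
            d.chmod(0o700 if part == "inst1" else 0o755)
        inst = d

        good = inst / "config.json"  # owner-only: should not be reported
        good.write_text("{}")
        good.chmod(0o600)

        loose = inst / "pid"  # world-writable: the insecure-permissions case
        loose.write_text("12345\n")
        loose.chmod(0o666)

        (inst / "link").symlink_to(good)  # symlink: reported, not followed

        # Outside a demo, expected_uid would be the uid that should own the
        # state directory (typically root for a setuid helper's state).
        return insecure_entries(tmp, os.getuid())


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The demo runs as an unprivileged user, so the ownership check is exercised against the caller's own uid; when auditing a real setuid helper's state directory the expected owner would be root, and anything else in the listing is worth an alert.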
