[PATCH] gnu: Singularity: Update to 2.6.1 [fixes CVE-2018-19295].

DoneSubmitted by Leo Famulari.
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Severity
normal
L
L
Leo Famulari wrote on 13 Dec 2018 21:48
(address . guix-patches@gnu.org)
b3ac8bd5d34c01dd2eb6897015fc931c6fc15770.1544734119.git.leo@famulari.name
Our Singularity package is not vulnerable to CVE-2018-19295 by default,becuase that vulnerability is based on the 'mount', 'start', and'action' Singularity binaries being installed setuid, which we do not doin Guix.
* gnu/packages/linux.scm (singularity): Update to 2.6.1.--- gnu/packages/linux.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
Toggle diff (24 lines)diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scmindex 1cdf2bf47..de6439449 100644--- a/gnu/packages/linux.scm+++ b/gnu/packages/linux.scm@@ -2612,7 +2612,7 @@ thanks to the use of namespaces.") (define-public singularity (package (name "singularity")- (version "2.5.1")+ (version "2.6.1") (source (origin (method url-fetch) (uri (string-append "https://github.com/singularityware/singularity/"@@ -2620,7 +2620,7 @@ thanks to the use of namespaces.") "/singularity-" version ".tar.gz")) (sha256 (base32- "0f28dgf2qcy8ljjfix7p9q36q12j7rxyicfzzi4n0fl8zr8ab88g"))))+ "1whx0hqqi1326scgdxxxa1d94vn95mnq0drid6s8wdp84ni4d3gk")))) (build-system gnu-build-system) (arguments `(#:configure-flags-- 2.20.0
L
L
Ludovic Courtès wrote on 13 Dec 2018 23:52
(name . Leo Famulari)(address . leo@famulari.name)(address . 33730@debbugs.gnu.org)
87wood82g6.fsf@gnu.org
Hi Leo,
Leo Famulari <leo@famulari.name> skribis:
Toggle quote (7 lines)> Our Singularity package is not vulnerable to CVE-2018-19295 by default,> becuase that vulnerability is based on the 'mount', 'start', and> 'action' Singularity binaries being installed setuid, which we do not do> in Guix.>> * gnu/packages/linux.scm (singularity): Update to 2.6.1.
LGTM. Thanks for the patch and for the analysis!
Ludo’.
L
L
Ludovic Courtès wrote on 13 Dec 2018 23:52
control message for bug #33730
(address . control@debbugs.gnu.org)
87va3x82g0.fsf@gnu.org
tags 33730 security
L
L
Leo Famulari wrote on 15 Dec 2018 20:37
Re: [bug#33730] [PATCH] gnu: Singularity: Update to 2.6.1 [fixes CVE-2018-19295].
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 33730@debbugs.gnu.org)
20181215193751.GA9685@jasmine.lan
On Thu, Dec 13, 2018 at 11:52:09PM +0100, Ludovic Courtès wrote:
Toggle quote (2 lines)> LGTM. Thanks for the patch and for the analysis!
Thanks! Pushed as edc6dd03240b8fe0a1530ce0e80637641903095e
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlwVWA8ACgkQJkb6MLrKfwgq+Q/+Kn2b3F2FwgRLj3DOgjkudn348igXIH48dCfCB5Wh2AN8Tqgszj5UCs9Up+mCcMU8Up7/gi8rTV5EZLz5FzhCf9RjpFCAWe/kcm73hxNSEhnGCiOq2mzm123MCWNbOw7xkseAvj6YgYQwGO2P/toKsrLSo64/vPruJSmxdHk30PZVkVZbuVL5INRJ7DKiJTzsO8hK/l4JhK82sbk26U2V0YxXgjeolSOO/g+Gd+N/2ZOsBE1nEAVPkQMIySoNnWvGfjyIbKwFQLILPUEfPaLJpV/PFVahtQmr/7LVp4d01EDA6J5/tQLgutY6r8EzUUC4I64xNWd2O/dDdF0QODwj61ehfUbfrtRaXZUrIcIkE+dclrUJ4Npeekn07LgaEOwRURDPUj+x4RWrNmO4aZhhj68bbNy9JGdtQ+/JkhLHlB44gLF2klD0SwN10ayuCdxcIQdNfRFGWBmsFxh/bjwnU/fJ3qQSsyZcLTptrnjJ4ZP2A0cFdmue4iaICs1UMCaEo8X0FOerNA8fEbzjaOBtgIzHhukXnyHam3mkMnnt2sVv/0RJiRcK3bKfLgkuS0MFndv88zJjd+ratWoGqzJo8NvTid9j4/5Avw60YCh8wLrHz2kylsz1ahfbVJum72Tnu17a+Tm4axLwgWk1dMTDDnWdVONVJdYggFluwtF53EY==0r7n-----END PGP SIGNATURE-----

L
L
Leo Famulari wrote on 15 Dec 2018 20:45
(no subject)
(address . control@debbugs.gnu.org)
20181215194514.GA10377@jasmine.lan
close 33730
?
Your comment

This issue is archived.

To comment on this conversation send email to 33730@debbugs.gnu.org