[PATCH] gnu: Singularity: Update to 2.6.1 [fixes CVE-2018-19295].

  • Done
  • quality assurance status badge
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
L
L
Leo Famulari wrote on 13 Dec 2018 21:48
(address . guix-patches@gnu.org)
b3ac8bd5d34c01dd2eb6897015fc931c6fc15770.1544734119.git.leo@famulari.name
Our Singularity package is not vulnerable to CVE-2018-19295 by default,
becuase that vulnerability is based on the 'mount', 'start', and
'action' Singularity binaries being installed setuid, which we do not do
in Guix.

* gnu/packages/linux.scm (singularity): Update to 2.6.1.
---
gnu/packages/linux.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (24 lines)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 1cdf2bf47..de6439449 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -2612,7 +2612,7 @@ thanks to the use of namespaces.")
(define-public singularity
(package
(name "singularity")
- (version "2.5.1")
+ (version "2.6.1")
(source (origin
(method url-fetch)
(uri (string-append "https://github.com/singularityware/singularity/"
@@ -2620,7 +2620,7 @@ thanks to the use of namespaces.")
"/singularity-" version ".tar.gz"))
(sha256
(base32
- "0f28dgf2qcy8ljjfix7p9q36q12j7rxyicfzzi4n0fl8zr8ab88g"))))
+ "1whx0hqqi1326scgdxxxa1d94vn95mnq0drid6s8wdp84ni4d3gk"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
--
2.20.0
L
L
Ludovic Courtès wrote on 13 Dec 2018 23:52
(name . Leo Famulari)(address . leo@famulari.name)(address . 33730@debbugs.gnu.org)
87wood82g6.fsf@gnu.org
Hi Leo,

Leo Famulari <leo@famulari.name> skribis:

Toggle quote (7 lines)
> Our Singularity package is not vulnerable to CVE-2018-19295 by default,
> becuase that vulnerability is based on the 'mount', 'start', and
> 'action' Singularity binaries being installed setuid, which we do not do
> in Guix.
>
> * gnu/packages/linux.scm (singularity): Update to 2.6.1.

LGTM. Thanks for the patch and for the analysis!

Ludo’.
L
L
Ludovic Courtès wrote on 13 Dec 2018 23:52
control message for bug #33730
(address . control@debbugs.gnu.org)
87va3x82g0.fsf@gnu.org
tags 33730 security
L
L
Leo Famulari wrote on 15 Dec 2018 20:37
Re: [bug#33730] [PATCH] gnu: Singularity: Update to 2.6.1 [fixes CVE-2018-19295].
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 33730@debbugs.gnu.org)
20181215193751.GA9685@jasmine.lan
On Thu, Dec 13, 2018 at 11:52:09PM +0100, Ludovic Courtès wrote:
Toggle quote (2 lines)
> LGTM. Thanks for the patch and for the analysis!

Thanks! Pushed as edc6dd03240b8fe0a1530ce0e80637641903095e
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlwVWA8ACgkQJkb6MLrK
fwgq+Q/+Kn2b3F2FwgRLj3DOgjkudn348igXIH48dCfCB5Wh2AN8Tqgszj5UCs9U
p+mCcMU8Up7/gi8rTV5EZLz5FzhCf9RjpFCAWe/kcm73hxNSEhnGCiOq2mzm123M
CWNbOw7xkseAvj6YgYQwGO2P/toKsrLSo64/vPruJSmxdHk30PZVkVZbuVL5INRJ
7DKiJTzsO8hK/l4JhK82sbk26U2V0YxXgjeolSOO/g+Gd+N/2ZOsBE1nEAVPkQMI
ySoNnWvGfjyIbKwFQLILPUEfPaLJpV/PFVahtQmr/7LVp4d01EDA6J5/tQLgutY6
r8EzUUC4I64xNWd2O/dDdF0QODwj61ehfUbfrtRaXZUrIcIkE+dclrUJ4Npeekn0
7LgaEOwRURDPUj+x4RWrNmO4aZhhj68bbNy9JGdtQ+/JkhLHlB44gLF2klD0SwN1
0ayuCdxcIQdNfRFGWBmsFxh/bjwnU/fJ3qQSsyZcLTptrnjJ4ZP2A0cFdmue4iaI
Cs1UMCaEo8X0FOerNA8fEbzjaOBtgIzHhukXnyHam3mkMnnt2sVv/0RJiRcK3bKf
LgkuS0MFndv88zJjd+ratWoGqzJo8NvTid9j4/5Avw60YCh8wLrHz2kylsz1ahfb
VJum72Tnu17a+Tm4axLwgWk1dMTDDnWdVONVJdYggFluwtF53EY=
=0r7n
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 15 Dec 2018 20:45
(no subject)
(address . control@debbugs.gnu.org)
20181215194514.GA10377@jasmine.lan
close 33730
?