GNU bug report logs

#33730 [PATCH] gnu: Singularity: Update to 2.6.1 [fixes CVE-2018-19295].

Package	Source(s)		Maintainer(s)
guix-patches		PTS Buildd Popcon

Reported by Leo Famulari <leo@famulari.name>
Date 2018-12-13T20:50:01
Severity normal
Tags patch security
Done Leo Famulari <leo@famulari.name>
Bug is Archived

Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to guix-patches@gnu.org:
bug#33730; Package guix-patches. (Thu, 13 Dec 2018 20:50:01 GMT) (full text, mbox, link).

Acknowledgement sent to Leo Famulari <leo@famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches@gnu.org. (Thu, 13 Dec 2018 20:50:02 GMT) (full text, mbox, link).

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Our Singularity package is not vulnerable to CVE-2018-19295 by default,
becuase that vulnerability is based on the 'mount', 'start', and
'action' Singularity binaries being installed setuid, which we do not do
in Guix.

* gnu/packages/linux.scm (singularity): Update to 2.6.1.
---
 gnu/packages/linux.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 1cdf2bf47..de6439449 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -2612,7 +2612,7 @@ thanks to the use of namespaces.")
 (define-public singularity
   (package
     (name "singularity")
-    (version "2.5.1")
+    (version "2.6.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/singularityware/singularity/"
@@ -2620,7 +2620,7 @@ thanks to the use of namespaces.")
                                   "/singularity-" version ".tar.gz"))
               (sha256
                (base32
-                "0f28dgf2qcy8ljjfix7p9q36q12j7rxyicfzzi4n0fl8zr8ab88g"))))
+                "1whx0hqqi1326scgdxxxa1d94vn95mnq0drid6s8wdp84ni4d3gk"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
-- 
2.20.0

Information forwarded to guix-patches@gnu.org:
bug#33730; Package guix-patches. (Thu, 13 Dec 2018 22:53:02 GMT) (full text, mbox, link).

Message #8 received at 33730@debbugs.gnu.org (full text, mbox, reply):

Hi Leo,

Leo Famulari <leo@famulari.name> skribis:

> Our Singularity package is not vulnerable to CVE-2018-19295 by default,
> becuase that vulnerability is based on the 'mount', 'start', and
> 'action' Singularity binaries being installed setuid, which we do not do
> in Guix.
>
> * gnu/packages/linux.scm (singularity): Update to 2.6.1.

LGTM.  Thanks for the patch and for the analysis!

Ludo’.

Added tag(s) security. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Thu, 13 Dec 2018 22:53:02 GMT) (full text, mbox, link).

Information forwarded to guix-patches@gnu.org:
bug#33730; Package guix-patches. (Sat, 15 Dec 2018 19:39:01 GMT) (full text, mbox, link).

Message #13 received at 33730@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Thu, Dec 13, 2018 at 11:52:09PM +0100, Ludovic Courtès wrote:
> LGTM.  Thanks for the patch and for the analysis!

Thanks! Pushed as edc6dd03240b8fe0a1530ce0e80637641903095e

[signature.asc (application/pgp-signature, inline)]

bug closed, send any further explanations to 33730@debbugs.gnu.org and Leo Famulari <leo@famulari.name> Request was from Leo Famulari <leo@famulari.name> to control@debbugs.gnu.org. (Sat, 15 Dec 2018 19:46:02 GMT) (full text, mbox, link).

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Sun, 13 Jan 2019 12:24:05 GMT) (full text, mbox, link).

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 14:41:51 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.