singularity-3.8.5-2 available in EPEL and Fedora testing


Dave Dykstra

Dec 16, 2021, 10:07:35 AM
to singu...@lbl.gov, wlcg-co...@cern.ch
singularity-3.8.5-2, which has been recompiled with go 1.16.12, is
now available in epel-testing and Fedora testing yum repositories.
I encourage everyone to upgrade. If you do and it works fine, please
provide karma at
https://bodhi.fedoraproject.org/updates/?search=singularity

If 3 people provide positive karma for a particular OS version, it can be
promoted to stable sooner; otherwise they should be promoted in about a
week.

Dave


On Tue, Dec 14, 2021 at 05:55:20PM -0600, Dave Dykstra wrote:
> All previously built packages of singularity may be vulnerable to a
> golang CVE, detailed in this release announcement of go 1.16.12 and
> 1.17.5, which has a fix:
> https://groups.google.com/g/golang-announce/c/hcmEScgc00k
>
> The problem was with syscall.ForkExec, and even though there is no
> specific known exploit, singularity uses that system call so it might be
> affected. This is what the announcement says:
>
> syscall: don’t close fd 0 on ForkExec error
>
> When a Go program running on a Unix system is out of file
> descriptors and calls syscall.ForkExec (including indirectly by
> using the os/exec package), syscall.ForkExec can close file
> descriptor 0 as it fails. If this happens (or can be provoked)
> repeatedly, it can result in misdirected I/O such as writing network
> traffic intended for one connection to a different connection, or
> content intended for one file to a different one.
>
> It also says "For users who cannot immediately update to the new
> release, the bug can be mitigated by raising the per-process file
> descriptor limit" but an intentional attempt to trigger this bug can
> probably get around that, so it would be safest to recompile all
> singularity installations with golang 1.16.12 or 1.17.5, particularly
> those that are setuid installations.
>
> I am rebuilding the EPEL & Fedora rpms and will send a separate
> announcement when they are available.
>
> Dave Dykstra
> Apptainer security lead
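A defender-side check for the two points raised in the thread above (whether a binary's Go toolchain carries the ForkExec fix, and whether fd 0 has survived an exec failure), written here as an added Go example that is neither from this thread nor from the singularity/apptainer code base. The helper names goVersionPatched and ensureFd0 are chosen for this example; the version thresholds (1.16.12 and 1.17.5) come from the announcement quoted above, and treating later minor releases as fixed is an assumption.

```go
package main

import (
	"strconv"
	"strings"
	"syscall"
)

// goVersionPatched reports whether a Go toolchain version string such as
// "go1.16.11" carries the ForkExec fix (1.16.12, 1.17.5, or any later minor).
// Beta, rc, devel and unparseable strings yield false so they are flagged.
func goVersionPatched(v string) bool {
	var n [3]int // major, minor, patch; patch stays 0 for "go1.16"
	parts := strings.Split(strings.TrimPrefix(v, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return false
	}
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return false
		}
		n[i] = x
	}
	major, minor, patch := n[0], n[1], n[2]
	if major > 1 || minor >= 18 { // assumption: later minors are fixed
		return true
	}
	return (minor == 17 && patch >= 5) || (minor == 16 && patch >= 12)
}

// ensureFd0 reports whether fd 0 was open (a vulnerable ForkExec failure under
// fd exhaustion leaves it closed) and otherwise pins it to /dev/null so no later
// open() lands a socket or file there. Raw syscalls avoid the *os.File finalizer.
func ensureFd0() (wasOpen, ok bool) {
	var st syscall.Stat_t
	if syscall.Fstat(0, &st) == nil {
		return true, true
	}
	fd, err := syscall.Open("/dev/null", syscall.O_RDONLY, 0)
	if err != nil {
		return false, false
	}
	if fd != 0 { // fd 0 was taken meanwhile; release ours and re-check
		syscall.Close(fd)
	}
	return false, syscall.Fstat(0, &st) == nil
}
```

Call goVersionPatched(runtime.Version()) inside a Go binary to report the toolchain it was built with, and ensureFd0() right after a failed os/exec call to confirm stdin is still where it should be.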