golang CVE-2021-44717 may affect singularity binaries


Dave Dykstra

Dec 14, 2021, 6:55:24 PM
to singu...@lbl.gov, wlcg-co...@cern.ch
All previously built packages of singularity may be vulnerable to a
golang CVE, detailed in this release announcement of go 1.16.12 and
1.17.5, which has a fix:
https://groups.google.com/g/golang-announce/c/hcmEScgc00k

The problem was with syscall.ForkExec, and even though there is no
specific known exploit, singularity uses that system call so it might be
affected. This is what the announcement says:

syscall: don’t close fd 0 on ForkExec error

When a Go program running on a Unix system is out of file
descriptors and calls syscall.ForkExec (including indirectly by
using the os/exec package), syscall.ForkExec can close file
descriptor 0 as it fails. If this happens (or can be provoked)
repeatedly, it can result in misdirected I/O such as writing network
traffic intended for one connection to a different connection, or
content intended for one file to a different one.

It also says "For users who cannot immediately update to the new
release, the bug can be mitigated by raising the per-process file
descriptor limit" but an intentional attempt to trigger this bug can
probably get around that, so it would be safest to recompile all
singularity installations with golang 1.16.12 or 1.17.5, particularly
those that are setuid installations.

I am rebuilding the EPEL & Fedora rpms and will send a separate
announcement when they are available.

Dave Dykstra
Apptainer security lead
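The advice above boils down to one check: was each installed Go binary (singularity included) built with a toolchain older than 1.16.12 or 1.17.5? The following is an added audit helper, not code from the announcement or from the singularity/Apptainer project. It runs `go version -m` over the binaries named on the command line, parses the `path: goX.Y.Z` lines that command prints, and classifies each binary as affected, fixed or unknown. It assumes a `go` tool is installed on the audit host (a newer `go` can inspect binaries built by older ones) and that any Go release line before 1.16, which was already out of support when the fix shipped, received no fix; the file paths in the sample output are constructed placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strconv"
	"strings"
)

// Matches release versions such as "go1.16.11" or "go1.17" (patch 0).
// Pre-release strings like "go1.18beta1" or "devel ..." do not match.
var versionRe = regexp.MustCompile(`^go1\.(\d+)(?:\.(\d+))?$`)

// parseGoVersion extracts the minor and patch numbers from a release version.
func parseGoVersion(v string) (minor, patch int, ok bool) {
	m := versionRe.FindStringSubmatch(strings.TrimSpace(v))
	if m == nil {
		return 0, 0, false
	}
	minor, _ = strconv.Atoi(m[1])
	if m[2] != "" {
		patch, _ = strconv.Atoi(m[2])
	}
	return minor, patch, true
}

// AffectedByCVE202144717 reports whether a binary built with toolchain
// version v predates the fixed releases 1.16.12 and 1.17.5 named in the
// announcement. known is false when v is not a parseable release version.
// Assumption: release lines before 1.16 were unsupported and never patched.
func AffectedByCVE202144717(v string) (affected, known bool) {
	minor, patch, ok := parseGoVersion(v)
	if !ok {
		return false, false
	}
	switch {
	case minor < 16:
		return true, true
	case minor == 16:
		return patch < 12, true
	case minor == 17:
		return patch < 5, true
	default:
		return false, true // 1.18 and later were released with the fix
	}
}

// auditGoVersionOutput parses the text printed by `go version -m <binaries>`:
// one "path: version" line per binary followed by tab-indented module detail
// lines, which are skipped. Each binary lands in exactly one result list.
func auditGoVersionOutput(out string) (affected, fixed, unknown []string) {
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := sc.Text()
		if line == "" || strings.HasPrefix(line, "\t") {
			continue
		}
		parts := strings.SplitN(line, ": ", 2)
		if len(parts) != 2 {
			unknown = append(unknown, line)
			continue
		}
		path, ver := parts[0], parts[1]
		entry := path + " (" + ver + ")"
		isAffected, known := AffectedByCVE202144717(ver)
		switch {
		case !known: // e.g. "go version not found" for a non-Go binary
			unknown = append(unknown, entry)
		case isAffected:
			affected = append(affected, entry)
		default:
			fixed = append(fixed, entry)
		}
	}
	return affected, fixed, unknown
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: goaudit <binary>...")
		os.Exit(2)
	}
	args := append([]string{"version", "-m"}, os.Args[1:]...)
	out, err := exec.Command("go", args...).Output()
	if err != nil && len(out) == 0 {
		fmt.Fprintln(os.Stderr, "go version -m failed:", err)
		os.Exit(2)
	}
	affected, fixed, unknown := auditGoVersionOutput(string(out))
	for _, e := range affected {
		fmt.Println("AFFECTED:", e)
	}
	for _, e := range fixed {
		fmt.Println("fixed:   ", e)
	}
	for _, e := range unknown {
		fmt.Println("unknown: ", e)
	}
	if len(affected) > 0 {
		os.Exit(1) // non-zero so the audit can gate a rebuild in automation
	}
}
```

Run it as `goaudit /path/to/singularity /path/to/starter-suid` (hypothetical paths); a non-zero exit means at least one binary needs rebuilding with go 1.16.12 or 1.17.5 or later. The setuid `starter` binary is the one to prioritise, as the post notes, since that is where a fd-0 mix-up crosses a privilege boundary.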