Has CVE-2023-30549 been fixed for singularity? #1969
-
There's a Debian bug report that says:

Please comment.
Replies: 3 comments
-
Hi @nileshpatra - we consider that CVE-2023-30549 is fundamentally a duplicate of a kernel filesystem bug, that should be fixed by updating or patching the kernel. For Debian that underlying bug would be: https://security-tracker.debian.org/tracker/CVE-2022-1184

Sylabs has a detailed response to the Apptainer CVE here: https://sylabs.io/2023/04/response-to-cve-2023-30549/

We do not disable kernel mounts by default (like Apptainer has), because the underlying filesystem vulnerability has been fixed in the upstream/LTS kernel, and many users rely on overlay support in SingularityCE.

We would recommend that packagers / admins read the blog post linked above. They should consider whether their Linux distribution has been able to patch the underlying filesystem vulnerability, or if they should enable the mitigation to disable kernel mounts that was introduced in recent versions of SingularityCE. That kernel mount disabling is via https://docs.sylabs.io/guides/latest/admin-guide/configfiles.html#disabling-kernel-filesystem-mounts
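For admins deciding between the two options in the reply above (rely on a patched kernel, or turn the SingularityCE mitigation on), the following is an added audit helper, not code from the discussion or from Sylabs. It reads a singularity.conf and reports whether kernel-side mounts of image filesystems are still allowed. The directive names `allow kernel squashfs` and `allow kernel extfs` are assumed from the SingularityCE 3.11+ admin guide linked in the reply; the two sample config files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added audit helper (not SingularityCE's own tooling). Reports whether a
# singularity.conf still allows the kernel to mount SquashFS / ext3 images.
# Directive names below are assumed from SingularityCE 3.11+; confirm the
# exact spelling against the admin guide for the version you run.

# Print the effective value of a directive: the last uncommented
# assignment wins; the supplied default is used when it is absent.
conf_value() {
    # $1 = config file, $2 = directive name, $3 = default value
    val=$(sed -n -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    if [ -z "$val" ]; then
        echo "$3"
    else
        echo "$val"
    fi
}

# Shell-true (0) when both kernel mount types are disabled, i.e. the
# mitigation is active; 1 when at least one is still allowed.
kernel_mounts_disabled() {
    sq=$(conf_value "$1" "allow kernel squashfs" yes)
    ext=$(conf_value "$1" "allow kernel extfs" yes)
    [ "$sq" = "no" ] && [ "$ext" = "no" ]
}

# Constructed sample configs (assumed default is "yes" for both directives).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/default.conf" <<'EOF'
# constructed: directives left at their shipped defaults
allow kernel squashfs = yes
allow kernel extfs = yes
EOF
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
# constructed: mitigation enabled, kernel mounts turned off
allow kernel squashfs = no
allow kernel extfs = no
EOF

# Report each sample; point this loop at /etc/singularity/singularity.conf
# (or your install's equivalent) to audit a real host.
for f in "$SAMPLE_DIR"/*.conf; do
    if kernel_mounts_disabled "$f"; then
        echo "$f: kernel mounts disabled (mitigation active)"
    else
        echo "$f: kernel mounts allowed (relying on a kernel patched for CVE-2022-1184)"
    fi
done
```

A "kernel mounts allowed" result is not a finding on its own: per the reply above it is the shipped default, and it is acceptable once the distribution kernel carries the fix for the underlying filesystem bug. The check is there so that the decision is recorded explicitly rather than left at whatever the package installed.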
-
I will now move this issue to a discussion, as it's a question, rather than an issue to be addressed through development work.
-
Looks like, from the Debian discussion at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035026, this is resolved. Closing.