[PATCH] gnu: Singularity: Update to 2.6.1 [fixes CVE-2018-19295].

  • Done
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
Leo Famulari wrote on 13 Dec 2018 21:48
(address . guix-patches@gnu.org)
b3ac8bd5d34c01dd2eb6897015fc931c6fc15770.1544734119.git.leo@famulari.name
Our Singularity package is not vulnerable to CVE-2018-19295 by default,
because that vulnerability is based on the 'mount', 'start', and
'action' Singularity binaries being installed setuid, which we do not do
in Guix.

* gnu/packages/linux.scm (singularity): Update to 2.6.1.
---
gnu/packages/linux.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 1cdf2bf47..de6439449 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -2612,7 +2612,7 @@ thanks to the use of namespaces.")
(define-public singularity
(package
(name "singularity")
- (version "2.5.1")
+ (version "2.6.1")
(source (origin
(method url-fetch)
(uri (string-append "https://github.com/singularityware/singularity/"
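Review bot: The security rationale for the bump at `(version "2.6.1")` lives only in the commit message; nothing next to the package definition records that the package is unaffected by CVE-2018-19295 by default solely because the 'mount', 'start', and 'action' binaries are not installed setuid. Consider a short comment above `(define-public singularity` saying so, so that anyone who later configures these binaries as setuid knows the exposure depends on the packaged version.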
@@ -2620,7 +2620,7 @@ thanks to the use of namespaces.")
"/singularity-" version ".tar.gz"))
(sha256
(base32
- "0f28dgf2qcy8ljjfix7p9q36q12j7rxyicfzzi4n0fl8zr8ab88g"))))
+ "1whx0hqqi1326scgdxxxa1d94vn95mnq0drid6s8wdp84ni4d3gk"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags
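Review bot: The new base32 value in the `sha256` field is the only integrity check on the tarball fetched with `url-fetch`, and the submission does not say how it was obtained. Please state whether it was computed with `guix download` on the URL built from `version`, and whether the tarball was compared against any checksum or signature upstream publishes, so a reviewer can reproduce the hash independently.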
--
2.20.0
Ludovic Courtès wrote on 13 Dec 2018 23:52
(name . Leo Famulari)(address . leo@famulari.name)(address . 33730@debbugs.gnu.org)
87wood82g6.fsf@gnu.org
Hi Leo,

Leo Famulari <leo@famulari.name> skribis:

> Our Singularity package is not vulnerable to CVE-2018-19295 by default,
> because that vulnerability is based on the 'mount', 'start', and
> 'action' Singularity binaries being installed setuid, which we do not do
> in Guix.
>
> * gnu/packages/linux.scm (singularity): Update to 2.6.1.

LGTM. Thanks for the patch and for the analysis!

Ludo’.
Ludovic Courtès wrote on 13 Dec 2018 23:52
control message for bug #33730
(address . control@debbugs.gnu.org)
87va3x82g0.fsf@gnu.org
tags 33730 security
Leo Famulari wrote on 15 Dec 2018 20:37
Re: [bug#33730] [PATCH] gnu: Singularity: Update to 2.6.1 [fixes CVE-2018-19295].
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 33730@debbugs.gnu.org)
20181215193751.GA9685@jasmine.lan
On Thu, Dec 13, 2018 at 11:52:09PM +0100, Ludovic Courtès wrote:
> LGTM. Thanks for the patch and for the analysis!

Thanks! Pushed as edc6dd03240b8fe0a1530ce0e80637641903095e
Leo Famulari wrote on 15 Dec 2018 20:45
(no subject)
(address . control@debbugs.gnu.org)
20181215194514.GA10377@jasmine.lan
close 33730
This issue is archived.
