| Summary: | singularity new security issue CVE-2021-29136, CVE-2021-32635, CVE-2021-41190 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, joequant, joequant, mageia, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | singularity-3.7.1-1.mga9.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2021-05-29 22:36:04 CEST
David Walser
2021-05-29 22:36:26 CEST
CC: (none) => joequant
David Walser
2021-05-30 05:00:57 CEST
Component: RPM Packages => Security

openSUSE has issued an advisory for this today (May 30):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U5WJLLGD3LSUWRS73C4NPIWYTMST4QO5/

Fedora has issued an advisory for this on June 4:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D2IU6GJMCV5CQKUQZLHBP6EHSIZZXC3X/

Fixed in mga9 (we have the version 3.8.3)

Version: Cauldron => 8

for CVE-2021-32635 we are not affected in mga8
see: https://github.com/apptainer/singularity/security/advisories/GHSA-jq42-hfch-42f3

CVE-2021-29136 is now fixed in mga8:
src:
- singularity-3.7.0-1.1.mga8

Status comment: Fixed upstream in 3.7.4 => (none)

openSUSE has issued an advisory on December 4:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/L3AGIEOXZIUUEYYMWKJCJCQI7V235UTR/

The issue is fixed upstream in 3.8.5.

Mageia 8 is also affected.

Summary: singularity new security issue CVE-2021-29136 and CVE-2021-32635 => singularity new security issue CVE-2021-29136, CVE-2021-32635, CVE-2021-41190

already updated in mga9

Whiteboard: MGA8TOO => (none)

New version pushed in mga8:
src:
- singularity-3.8.5-1.mga8

Assignee: joequant => qa-bugs

MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
No previous updates, no wiki, so tried on my own:

    $ singularity
    Usage:
      singularity [global options...] <command>

    Available Commands:
      build       Build a Singularity image
      cache       Manage the local cache
      capability  Manage Linux capabilities for users and groups
      completion  generate the autocompletion script for the specified shell
      config      Manage various singularity configuration (root user only)
      delete      Deletes requested image from the library
      exec        Run a command within a container
      inspect     Show metadata for an image
      instance    Manage containers running as services
      key         Manage OpenPGP keys
      oci         Manage OCI containers
      overlay     Manage an EXT3 writable overlay image
      plugin      Manage Singularity plugins
      pull        Pull an image from a URI
      push        Upload image to the provided URI
      remote      Manage singularity remote endpoints, keyservers and OCI/Docker registry credentials
      run         Run the user-defined default command within a container
      run-help    Show the user-defined help for an image
      search      Search a Container Library for images
      shell       Run a shell within a container
      sif         siftool is a program for Singularity Image Format (SIF) file manipulation
      sign        Attach digital signature(s) to an image
      test        Run the user-defined tests within a container
      verify      Verify cryptographic signatures attached to an image
      version     Show the version for Singularity

    Run 'singularity --help' for more detailed usage information.

    $ singularity version
    3.8.5-1.mga8

singularity --help showed a lot of ugly details, so went to Google and found
https://singularity-tutorial.github.io/02-basic-usage/
Followed these

    $ singularity pull library://godlovedc/funny/lolcow
    INFO:    Downloading library image
    89.2MiB / 89.2MiB [==============================================================================================================================================================================] 100 % 2.4 MiB/s 0s
    WARNING: integrity: signature not found for object group 1
    WARNING: Skipping container verification
    [tester8@mach5 testupdates]$ singularity shell lolcow_latest.sif
    Singularity> cat /etc/os-release
    NAME="Ubuntu"
    VERSION="16.04.5 LTS (Xenial Xerus)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 16.04.5 LTS"
    VERSION_ID="16.04"
    HOME_URL="http://www.ubuntu.com/"
    SUPPORT_URL="http://help.ubuntu.com/"
    BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
    VERSION_CODENAME=xenial
    UBUNTU_CODENAME=xenial
    Singularity> whoami
    tester8
    Singularity> hostname
    mach5.hviaene.thuis
    Singularity> which cowsay
    /usr/games/cowsay
    Singularity> cowsay moo
     _____
    < moo >
     -----
            \   ^__^
             \  (oo)\_______
                (__)\       )\/\
                    ||----w |
                    ||     ||
    Singularity> fortune | cowsay | lolcat
     ________________________________________
    / At once it struck me what quality went \
    | to form a man of achievement,          |
    | especially in literature, and which    |
    | Shakespeare possessed so enormously -- |
    | I mean negative capability, that is,   |
    | when a man is capable of being in      |
    | uncertainties, mysteries, doubts,      |
    | without any irritable reaching after   |
    | fact and reason.                       |
    |                                        |
    \ -- John Keats                          /
     ----------------------------------------
            \   ^__^
             \  (oo)\_______
                (__)\       )\/\
                    ||----w |
                    ||     ||

So apparently the thingie works, unless someone wants to dig deeper.

CC: (none) => herman.viaene

More enlightened than any cow I've ever known. Validating, before she does it for me.

Keywords: (none) => validated_update
Dave Hodgins
2022-01-05 19:28:22 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0006.html

Resolution: (none) => FIXED |