GNU bug report logs - #33730
[PATCH] gnu: Singularity: Update to 2.6.1 [fixes CVE-2018-19295].

Previous Next

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 13 Dec 2018 20:50:01 UTC

Severity: normal

Tags: patch, security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 33730 in the body.
You can then email your comments to 33730 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#33730; Package guix-patches. (Thu, 13 Dec 2018 20:50:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 13 Dec 2018 20:50:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: Singularity: Update to 2.6.1 [fixes CVE-2018-19295].
Date: Thu, 13 Dec 2018 15:48:39 -0500

Our Singularity package is not vulnerable to CVE-2018-19295 by default,
becuase that vulnerability is based on the 'mount', 'start', and
'action' Singularity binaries being installed setuid, which we do not do
in Guix.

* gnu/packages/linux.scm (singularity): Update to 2.6.1.
---
 gnu/packages/linux.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 1cdf2bf47..de6439449 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -2612,7 +2612,7 @@ thanks to the use of namespaces.")
 (define-public singularity
   (package
     (name "singularity")
-    (version "2.5.1")
+    (version "2.6.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/singularityware/singularity/"
@@ -2620,7 +2620,7 @@ thanks to the use of namespaces.")
                                   "/singularity-" version ".tar.gz"))
               (sha256
                (base32
-                "0f28dgf2qcy8ljjfix7p9q36q12j7rxyicfzzi4n0fl8zr8ab88g"))))
+                "1whx0hqqi1326scgdxxxa1d94vn95mnq0drid6s8wdp84ni4d3gk"))))
     (build-system gnu-build-system)
     (arguments
      `(#:configure-flags
-- 
2.20.0
Information forwarded to guix-patches <at> gnu.org:
bug#33730; Package guix-patches. (Thu, 13 Dec 2018 22:53:02 GMT) Full text and rfc822 format available.

Message #8 received at 33730 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Leo Famulari <leo <at> famulari.name>
Cc: 33730 <at> debbugs.gnu.org
Subject: Re: [bug#33730] [PATCH] gnu: Singularity: Update to 2.6.1 [fixes
 CVE-2018-19295].
Date: Thu, 13 Dec 2018 23:52:09 +0100

Hi Leo,

Leo Famulari <leo <at> famulari.name> skribis:

> Our Singularity package is not vulnerable to CVE-2018-19295 by default,
> becuase that vulnerability is based on the 'mount', 'start', and
> 'action' Singularity binaries being installed setuid, which we do not do
> in Guix.
>
> * gnu/packages/linux.scm (singularity): Update to 2.6.1.

LGTM.  Thanks for the patch and for the analysis!

Ludo’.
Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 13 Dec 2018 22:53:02 GMT) Full text and rfc822 format available.
Information forwarded to guix-patches <at> gnu.org:
bug#33730; Package guix-patches. (Sat, 15 Dec 2018 19:39:01 GMT) Full text and rfc822 format available.

Message #13 received at 33730 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 33730 <at> debbugs.gnu.org
Subject: Re: [bug#33730] [PATCH] gnu: Singularity: Update to 2.6.1 [fixes
 CVE-2018-19295].
Date: Sat, 15 Dec 2018 14:37:51 -0500

[Message part 1 (text/plain, inline)]
On Thu, Dec 13, 2018 at 11:52:09PM +0100, Ludovic Courtès wrote:
> LGTM.  Thanks for the patch and for the analysis!

Thanks! Pushed as edc6dd03240b8fe0a1530ce0e80637641903095e

[signature.asc (application/pgp-signature, inline)]
bug closed, send any further explanations to 33730 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name> Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Sat, 15 Dec 2018 19:46:02 GMT) Full text and rfc822 format available.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 13 Jan 2019 12:24:05 GMT) Full text and rfc822 format available.
This bug report was last modified 5 years and 105 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.