@GodloveD GodloveD released this Apr 27, 2018 · 3341 commits to master since this release

Assets 3

Greetings Singularity containerizers!

This release includes fixes for several high and medium severity security issues. It also contains a whole slew of bug fixes including the much awaited docker aufs whiteout file fix. It's a new release instead of a point release because it adds a new dependency to handle this bug, includes some new (albeit minor) feature enhancements, and changes the behavior of a few environment variables (see below).

Singularity 2.5 should be installed immediately and all previous versions of Singularity should be removed. Many of the vulnerabilities fixed in this release are expected to affect all Linux distributions regardless of whether they implement overlayfs. There are no mitigations or workarounds for these issues outside of updating Singularity.

Additionally, Singularity 2.5 drops support for hosts that do not support the prctl() function PR_SET_NO_NEW_PRIVS. The PR_SET_NO_NEW_PRIVS feature was added to prctl() in the Linux 3.5 kernel. Various distributions have since backported this feature to currently maintained kernels (for example, Red Hat added this feature to RHEL 6.7 with the 2.6.32-504.16.2 kernel). Kernels that do not have this feature are inherently insecure in many ways. They do not implement container runtimes securely. Blocks have therefore been put in place to prevent Singularity 2.5 from building or running on vulnerable kernels.

Security related fixes

Patches are provided to prevent a malicious user with the ability to log in to
the host system and use the Singularity container runtime from carrying out any
of the following actions:

  • Create world writable files in root-owned directories on the host system by
    manipulating symbolic links and bind mounts
  • Create folders outside of the container by manipulating symbolic links in
    conjunction with the --nv option or by bypassing check_mounted function
    with relative symlinks
  • Bypass the enable overlay = no option in the singularity.conf
    configuration file by setting an environment variable
  • Exploit buffer overflows in src/util/daemon.c and/or
    src/lib/image/ext3/init.c (reported by Erik Sjölund (DBB, Stockholm
    University, Sweden))
  • Forge of the pid_path to join any Singularity namespace (reported by Erik
    Sjölund (DBB, Stockholm University, Sweden))

Implemented enhancements

  • Restore docker-extract aufs whiteout handling that implements correct
    extraction of docker container layers. This adds libarchive-devel as a
    build time dep. At runtime libarchive is needed for whiteout handling. If
    libarchive is not available at runtime will fall back to previous
    extraction method.
  • Changed behavior of SINGULARITYENV_PATH to overwrite container PATH and
    wanting to prepend or append to the container PATH at runtime

Bug fixes

  • Support pulls from the NVIDIA cloud docker registry (fix by Justin Riley,
  • Close socket file descriptors in fd_cleanup
  • Fix conflict between --nv and --contain options
  • Throw errors at build and runtime if NO_NEW_PRIVS is not present and working
  • Reset umask to 0022 at start to correct several errors
  • Verify docker layers after download with sha256 checksum
  • Do not make excessive requests for auth tokens to docker registries
  • Fixed stripping whitespaces and empty new lines for the app commands (fix by
    Rafal Gumienny, Biozentrum, Basel)
  • Improved the way that working directory is mounted
  • Fixed an out of bounds array in src/lib/image/ext3/init.c

And as always, report any bugs to: