
GodloveD released this on May 14, 2019 (516 commits to master since this release)

Greetings Singularity community!

The 3.2.0 release contains fixes for a high severity security issue (CVE-2019-11328) affecting Singularity >=3.1.0 on Linux kernels that support the PID namespace requirement used for creating and joining instances. A malicious user with local or network access to the host system (e.g. via ssh) could exploit the vulnerability: insecure permissions allowed a user to edit files under /run/singularity/instances/sing/<user>/<instance>, and manipulating those files could change the behavior of the starter-suid program when an instance is joined, potentially resulting in privilege escalation on the host.

Singularity 3.2.0 should be installed immediately, and all previous versions of Singularity should be removed. The vulnerability addressed in this release affects systems on which unprivileged users are permitted to create and join instances via the suid workflow. If you cannot upgrade immediately, disable the suid workflow on your system by setting the following in the singularity.conf file (this forces all runs through the unprivileged user-namespace workflow, so features that depend on the setuid starter are unavailable until you upgrade):

allow setuid = no 
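The check below is an added example, not Sylabs' code: a POSIX shell script that decides whether a host still needs the interim mitigation by combining a version test for the affected range (3.1.0 or later, before 3.2.0) with a parse of the effective allow setuid value in singularity.conf. It assumes you pass in the version string extracted from `singularity --version`, that singularity.conf uses the "key = value" form with '#' comments shown above, and that allow setuid defaults to yes when the key is absent (the stock default). The two configuration files it inspects are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not Sylabs' code): decide whether a host still needs the
# CVE-2019-11328 interim mitigation (allow setuid = no) or an upgrade.
# Assumptions: the version string is what you extracted from
# `singularity --version`; singularity.conf uses "key = value" lines with
# '#' comments; "allow setuid" defaults to "yes" when the key is absent.
set -eu

# Print "yes" if the version is in the affected range: >= 3.1.0 and < 3.2.0.
# A leading "v" and any pre-release/build suffix ("-rc.1", "+dirty") are ignored.
version_affected() {
  v=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*$//')
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case "$major.$minor" in
    3.1) echo yes ;;
    *)   echo no ;;
  esac
}

# Print the effective "allow setuid" value from a singularity.conf file.
# Only uncommented lines count; if the key appears more than once the last
# one wins; if it never appears the default ("yes") applies.
allow_setuid_value() {
  val=$(sed -n 's/^[[:space:]]*allow[[:space:]]*setuid[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
  if [ -n "$val" ]; then
    printf '%s\n' "$val" | tr '[:upper:]' '[:lower:]'
  else
    echo yes
  fi
}

# Print "yes" if action is still required: an affected version with the
# suid workflow enabled. Any 3.2.0+ version, or a conf with
# "allow setuid = no", prints "no".
needs_mitigation() {
  if [ "$(version_affected "$1")" = yes ] && [ "$(allow_setuid_value "$2")" = yes ]; then
    echo yes
  else
    echo no
  fi
}

# Constructed sample configs (not real host files) so the script runs offline.
TMPDIR_DEMO=$(mktemp -d)
trap 'rm -rf "$TMPDIR_DEMO"' EXIT

cat > "$TMPDIR_DEMO/default.conf" <<'EOF'
# SINGULARITY.CONF (constructed sample, stock default)
# allow setuid = no   <- commented out, so the default "yes" applies
max loop devices = 256
EOF

cat > "$TMPDIR_DEMO/hardened.conf" <<'EOF'
# constructed sample with the interim mitigation applied
allow setuid = no
max loop devices = 256
EOF

DEFAULT_CONF="$TMPDIR_DEMO/default.conf"
HARDENED_CONF="$TMPDIR_DEMO/hardened.conf"

echo "3.1.1 + default conf:  needs mitigation = $(needs_mitigation 3.1.1 "$DEFAULT_CONF")"
echo "3.1.1 + hardened conf: needs mitigation = $(needs_mitigation 3.1.1 "$HARDENED_CONF")"
echo "3.2.0 + default conf:  needs mitigation = $(needs_mitigation 3.2.0 "$DEFAULT_CONF")"
```

On a real host, replace the constructed files with the installed singularity.conf (typically under the etc/singularity directory of your install prefix) and feed version_affected the version reported by the binary; a "yes" from needs_mitigation means the host is still exposed to the instance-join path described above.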

In keeping with our commitment to the open source community, Sylabs is also releasing a patch that can be applied to the 3.1 series. Even though 3.2.0 technically deprecates all previous versions of Singularity, interested parties can find the patch to fix this vulnerability in the 3.1 series at the following link:

https://repo.sylabs.io/security/2019/CVE-2019-11328.diff

In addition to a security patch, 3.2.0 has a lot of great features. Highlights include a new plugin system, the added ability to create multi-stage builds, and better integration with the Singularity Container Services KeyStore. More details appear in the release notes below:

Security related fix

  • Instance files are now stored in the user's home directory for privacy, and many checks have been added to ensure that a user can't manipulate those files to change starter-suid behavior when instances are joined
    (many thanks to Matthias Gerstner from the SUSE security team for finding and securely reporting this vulnerability)

New features / functionalities

  • Introduced a new basic framework for creating and managing plugins
  • Added the ability to create containers through multi-stage builds
  • Created the concept of a Sylabs Cloud "remote" endpoint and added the ability for users and admins to set them through CLI and conf files
  • Added caching for images from Singularity Hub
  • Made it possible to compile Singularity outside of $GOPATH
  • Added a json partition to SIF files for OCI configuration when building from an OCI source
  • Full integration with Singularity desktop for MacOS code base

New Commands

  • Introduced the plugin command group for creating and managing plugins

    • compile Compile a singularity plugin
    • disable disable an installed singularity plugin
    • enable Enable an installed singularity plugin
    • inspect Inspect a singularity plugin (either an installed one or an image)
    • install Install a singularity plugin
    • list List installed singularity plugins
    • uninstall Uninstall removes the named plugin from the system
  • Introduced the remote command group to support management of Singularity endpoints:

    • add Create a new Sylabs Cloud remote endpoint
    • list List all remote endpoints that are configured
    • login Log into a remote endpoint using an authentication token
    • remove Remove an existing Sylabs Cloud remote endpoint
    • status Check the status of the services at an endpoint
    • use Set a remote endpoint to be used by default
  • Added to the key command group to improve PGP key management:

    • export Export a public or private key into a specific file
    • import Import a local key into the local keyring
    • remove Remove a local public key
  • Added the Stage: <name> keyword to the definition file header and the from <stage name> option/argument pair to the %files section to support multistage builds

Deprecated / removed commands

  • The --token/-t option has been deprecated in favor of the singularity remote command group

Changed defaults / behaviors

  • Ask to confirm password on a newly generated PGP key
  • Prompt to push a key to the KeyStore when generated
  • Refuse to push an unsigned container unless overridden with --allow-unauthenticated/-U option
  • Warn and prompt when pulling an unsigned container without the --allow-unauthenticated/-U option

As always, please report any bugs to:
https://github.com/sylabs/singularity/issues/new

And if you think that you've discovered a security vulnerability please report it to:
security@sylabs.io
