<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Forwarding this as we have some groups that use Singularity containers.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Regards,</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#0B5AB2">Chuck Forsyth</span></b><span style="font-size:11.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> Terry Fleury <tfleury@illinois.edu>
<br>
<b>Sent:</b> Wednesday, September 16, 2020 1:21 PM<br>
<b>To:</b> cv-announce@trustedci.org<br>
<b>Subject:</b> [cv-announce-l] Singularity Vulnerabilities (CVE-2020-25039 and CVE-2020-25040)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">CI Operators:</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Singularity has released v3.6.3 [1] which addresses two security vulnerabilities. These vulnerabilities involve insecure permissions on temporary directories
 when a container is executed (CVE-2020-25039 [2,3]) or built (CVE-2020-25040 [4,5]). In both cases, a user with access to the system could read information from and/or write arbitrary data to the temporary directories. </span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Impact:</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">A user with access to the system could read sensitive information from a temporary directory, or inject arbitrary content into a temporary build directory,
 allowing for unvetted code execution when the container is run. </span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Affected Software: </span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">* Singularity < v3.6.3</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Recommendation:</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Upgrade to Singularity v3.6.3 at your earliest convenience. The issue is mitigated if TMPDIR is set to a location that is accessible only to the user,
 as any subdirectories directly under TMPDIR cannot be accessed by others. However, this is difficult to enforce so it is not recommended to rely on this mitigation.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">References:</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">[1]
<a href="https://github.com/hpcng/singularity/releases/tag/v3.6.3">https://github.com/hpcng/singularity/releases/tag/v3.6.3</a></span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">[2]
<a href="https://github.com/hpcng/singularity/security/advisories/GHSA-w6v2-qchm-grj7">
https://github.com/hpcng/singularity/security/advisories/GHSA-w6v2-qchm-grj7</a></span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">[3]
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25039">https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25039</a></span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">[4]
<a href="https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762">
https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762</a></span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">[5]
<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25040">https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-25040</a></span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">How Trusted CI can help:</span><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure
 deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (</span><a href="https://trustedci.org/help/"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1155CC">https://trustedci.org/help/</span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif">)
 if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">You are receiving this message because you are subscribed to
</span><a href="https://list.iu.edu/sympa/subscribe/cv-announce-l"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1155CC">cv-announce@trustedci.org</span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif">.
</span><a href="https://list.iu.edu/sympa/arc/cv-announce-l"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1155CC">The archive of previous alerts</span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif"> is publicly accessible.
 If you prefer not to receive future alerts, </span><a href="https://list.iu.edu/sympa/sigrequest/cv-announce-l"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1155CC">you can unsubscribe</span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif">.</span><o:p></o:p></p>
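<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Added example (not part of the advisory above, nor Singularity's own tooling): the partial mitigation in the Recommendation section depends on TMPDIR pointing at a directory that only the invoking user can reach. The POSIX shell script below checks that condition for a given directory (owned by the current user, no group or other permission bits, e.g. mode 0700) and reports on the TMPDIR in effect. The function names are the author's own; the script inspects the <code>ls -ldn</code> listing so it does not depend on GNU-specific <code>stat</code> flags. It only verifies the precondition; upgrading to v3.6.3 remains the fix.</span></p>

```shell
#!/bin/sh
# Added example, not from the advisory or the Singularity project.
# Checks whether a TMPDIR candidate is private to the invoking user, which is
# the condition the advisory names as a partial mitigation: if only the user
# can enter TMPDIR, subdirectories Singularity creates under it are out of
# reach of other local users regardless of their own permission bits.

# tmpdir_is_private DIR
#   Returns 0 if DIR is a real directory owned by the current user with no
#   group or other permission bits (e.g. mode 0700); returns 1 otherwise.
#   A world-writable sticky /tmp (drwxrwxrwt) fails this check, as intended.
tmpdir_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # ls -ldn prints e.g. "drwx------ 2 1000 1000 4096 Sep 16 13:21 /path";
    # -n gives numeric uid so it can be compared with id -u directly.
    line=$(ls -ldn "$dir") || return 1
    perms=$(printf '%s' "$line" | cut -c1-10)
    owner=$(printf '%s' "$line" | awk '{print $3}')
    # Reject symlinks and anything that is not a plain directory entry.
    case "$perms" in
        d*) ;;
        *) return 1 ;;
    esac
    [ "$owner" = "$(id -u)" ] || return 1
    # Characters 5-10 are the group and other permission triplets.
    group_other=$(printf '%s' "$perms" | cut -c5-10)
    [ "$group_other" = "------" ] || return 1
    return 0
}

# check_tmpdir
#   Evaluates the TMPDIR in the environment (/tmp when unset), the location
#   under which Singularity's temporary directories are created.
check_tmpdir() {
    dir="${TMPDIR:-/tmp}"
    if tmpdir_is_private "$dir"; then
        echo "OK: TMPDIR=$dir is private to uid $(id -u)"
        return 0
    fi
    echo "WARN: TMPDIR=$dir is shared or not owned by uid $(id -u); upgrade to Singularity v3.6.3"
    return 1
}

# Run stand-alone: report on the current environment.
check_tmpdir
```

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif">Running the script on a host whose TMPDIR is the shared, sticky /tmp prints the WARN line, because the other-permission triplet is not empty; the advisory's point that this mitigation is hard to enforce is exactly that each user's environment must pass this check on every invocation.</span></p>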
</div>
</body>
</html>