CVE-2020-15229: Path traversal and files overwrite with unsquashfs
First published: Wed Oct 14 2020(Updated: )
Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with `allow setuid = no`) run of Singularity when a user attempt to run an image which is a local SIF image or a single file containing a squashfs filesystem and is coming from remote sources `library://` or `shub://`. Image build is also impacted in a more serious way as it can be used by a root user, allowing an attacker to overwrite/create files leading to a system compromise, so far bootstrap methods `library`, `shub` and `localimage` are triggering the squashfs extraction. This issue is addressed in Singularity 3.6.4. All users are advised to upgrade to 3.6.4 especially if they use Singularity mainly for building image as root user. There is no solid workaround except to temporary avoid to use unprivileged mode with single file images in favor of sandbox images instead. Regarding image build, temporary avoid to build from `library` and `shub` sources and as much as possible use `--fakeroot` or a VM for that.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sylabs Singularity | >=3.1.1<=3.6.3 | |
| openSUSE Backports SLE | =15.0-sp2 | |
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =15.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00070.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00071.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00009.html
- https://github.com/hpcng/singularity/blob/v3.6.4/CHANGELOG.md#security-related-fixes
- https://github.com/hpcng/singularity/commit/eba3dea260b117198fdb6faf41f2482ab2f8d53e
- https://github.com/hpcng/singularity/pull/5611
- https://github.com/hpcng/singularity/security/advisories/GHSA-7gcp-w6ww-2xv9
Frequently Asked Questions
What is the severity of CVE-2020-15229?
The severity of CVE-2020-15229 is critical with a CVSS score of 9.3.
How does CVE-2020-15229 affect Singularity?
CVE-2020-15229 affects Singularity versions 3.1.1 through 3.6.3.
What is the vulnerability in CVE-2020-15229?
CVE-2020-15229 is a vulnerability in Singularity that allows for path traversal and improper path handling in `unsquashfs`, leading to potential file overwriting or creation on the host filesystem during extraction.
What software is affected by CVE-2020-15229?
CVE-2020-15229 affects Sylabs Singularity, openSUSE Backports SLE 15.0 SP2, openSUSE Leap 15.1, and openSUSE Leap 15.2.
How can I fix CVE-2020-15229?
To fix CVE-2020-15229, it is recommended to update to a fixed version of Singularity (3.6.4 or later) or apply the necessary patches provided by the vendor.
- collector/nvd-index
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/author
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/sylabs
- canonical/sylabs singularity
- version/sylabs singularity/3.1.1
- version/sylabs singularity/3.6.3
- vendor/opensuse
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0-sp2
- canonical/opensuse leap
- version/opensuse leap/15.1
- version/opensuse leap/15.2