Hi Nilesh,

On Tue, Aug 01, 2023 at 09:33:16PM +0530, Nilesh Patra wrote:
> On Tue, Aug 01, 2023 at 05:10:10PM +0200, Salvatore Bonaccorso wrote:
> > On Tue, Aug 01, 2023 at 07:57:22PM +0530, Nilesh Patra wrote:
> > > I asked this upstream[1] and upstream thinks that this is actually an
> > > issue with the kernel filesystem itself, and this is not a singularity
> > > issue per se. They even have a blogpost about the same giving more
> > > details on the CVE. I suppose there's nothing I can do as a package
> > > maintainer to act upon the bug.
> > >
> > > I've also CC'ed David (upstream) to this mail, to keep them in the loop
> > > as well.
> > >
> > > What do you think?
> >
> > Okay I see there is disagreement on the Apptainer project on Sylabs on
> > this and understand the reasoning outlined in the response blogpost. I
> > will mark the CVE entry as unimportant and add a rationale for it, in
> > particular because for the suites where singularity-container is
> > available, the known CVE-2022-1184 is patched.
>
> Thank you!
>
> > The Apptainer rationale
> > is as explained though more broad and not referring only to this known
> > CVE.
> >
> > Given that, I'm fine if you close the bugreport following the upstream
> > response to their view on CVE-2023-30549.
> >
> > What you could do as packager, once this configuration option in a new
> > security-container is available to put it in reference with
> > CVE-2023-30549, maybe.
>
> I think this was introduced in version 3.11.2 as per the changelog
> mention
>
> https://github.com/sylabs/singularity/blob/main/CHANGELOG.md#3112-2023-04-27
>
> However, I had already uploaded 3.11.4 to unstable before I saw this bug
> report, sorry about that. I'll mention this in the bookworm-fasttrack upload
> in that case.

Ah perfect. I amended the entry again and am considering the issue fixed
from our perspective with 3.11.4+ds1-1 plus a reference to the upstream
changelog entry.

> > > Note: If I do not hear from you in a week, I'll close this bug report.
> >
> > Quite tight pressure given there is as well general
>
> I wanted to upload this to bookworm before next week. To my surprise,
> there are actually users consuming this package from there, so I just
> wanted to make it a little quick :)

Was all not that serious, but wanted to put away some time pressure
from me on the decision making. All good.

> > summer vacation times ;-)
>
> There are _currently_ no summer vacation times in the part of the world I
> live in.
> It was in fact, raining quite heavily since past few days, so I didn't
> realise the vac stuff for you :-)

Ah right :)

Regards,
Salvatore