This release includes fixes for several high and medium severity security issues. It also contains a whole slew of bug fixes including the much awaited docker aufs whiteout file fix. It’s a new release instead of a point release because it adds a new dependency to handle this bug, includes some new (albeit minor) feature enhancements, and changes the behavior of a few environment variables (see below).
Singularity 2.5 should be installed immediately and all previous versions of Singularity should be removed. Many of the vulnerabilities fixed in this release are expected to affect all Linux distributions regardless of whether they implement overlayfs. There are no mitigations or workarounds for these issues outside of updating Singularity.
Additionally, Singularity 2.5 drops support for hosts that do not support the prctl() function PR_SET_NO_NEW_PRIVS. The PR_SET_NO_NEW_PRIVS feature was added to prctl() in the Linux 3.5 kernel. Various distributions have since backported this feature to currently maintained kernels (for example, Red Hat added this feature to RHEL 6.7 with the 2.6.32-504.16.2 kernel). Kernels that do not have this feature are inherently insecure in many ways. They do not implement container runtimes securely. Blocks have therefore been put in place to prevent Singularity 2.5 from building or running on vulnerable kernels.
Security related fixes
Patches are provided to prevent a malicious user with the ability to log in to the host system and use the Singularity container runtime from carrying out any of the following actions:
- Create world writable files in root-owned directories on the host system by manipulating symbolic links and bind mounts
- Create folders outside of the container by manipulating symbolic links in conjunction with the –nv option or by bypassing check_mounted function with relative symlinks
- Bypass the enable overlay = no option in the singularity.conf configuration file by setting an environment variable
- Exploit buffer overflows in src/util/daemon.c and/or src/lib/image/ext3/init.c (reported by Erik Sjölund (DBB, Stockholm University, Sweden))
- Forge of the pid_path to join any Singularity namespace (reported by Erik Sjölund (DBB, Stockholm University, Sweden))
- Restore docker-extract aufs whiteout handling that implements correct extraction of docker container layers. This adds libarchive-devel as a build time dep. At runtime libarchive is needed for whiteout handling. If libarchive is not available at runtime will fall back to previous extraction method.
- Changed behavior of SINGULARITYENV_PATH to overwrite container PATH and added SINGULARITYENV_PREPEND_PATH and SINGULARITYENV_APPEND_PATH for users wanting to prepend or append to the container PATH at runtime
- Support pulls from the NVIDIA cloud docker registry (fix by Justin Riley, Harvard)
- Close socket file descriptors in fd_cleanup
- Fix conflict between –nv and –contain options
- Throw errors at build and runtime if NO_NEW_PRIVS is not present and working
- Reset umask to 0022 at start to correct several errors
- Verify docker layers after download with sha256 checksum
- Do not make excessive requests for auth tokens to docker registries
- Fixed stripping whitespaces and empty new lines for the app commands (fix by Rafal Gumienny, Biozentrum, Basel)
- Improved the way that working directory is mounted Fixed an out of bounds array in src/lib/image/ext3/init.c
And as always, report any bugs to: https://github.com/singularityware/singularity/issues/new
For the full release announcement and downloads, please see the release on GitHub.