SUSE 5099 Published by

An apptainer security update has been released for openSUSE Leap 15.4.



openSUSE-SU-2023:0018-1: moderate: Security update for apptainer


openSUSE Security Update: Security update for apptainer
______________________________________________________________________________

Announcement ID: openSUSE-SU-2023:0018-1
Rating: moderate
References:
Cross-References: CVE-2021-44716 CVE-2021-44717 CVE-2022-39237

CVSS scores:
CVE-2021-44716 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-44716 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-44717 (NVD) : 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE-2022-39237 (NVD) : 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Leap 15.4
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for apptainer fixes the following issues:

Updated to 1.1.2 which fixed CVE-2022-39237

* CVE-2022-39237: The sif dependency included in Apptainer before this
release does not verify that the hash algorithm(s) used are
cryptographically secure when verifying digital signatures. This
release updates to sif v2.8.1 which corrects this issue. See the
linked advisory for references and a workaround.

Updated to version 1.1.0

* added squashfuse-0.1.105.tar.gz and 70.patch for the build of
squashfuse_ll which will be removed as soon as the multithread patch
is incoperated
* Change squash mounts to prefer to use squashfuse_ll instead of
squashfuse, if available, for improved performance. squashfuse_ll is
not available in factory.
* Also, for even better parallel performance, include a patched
multithreaded version of squashfuse_ll in
* Imply adding ${prefix}/libexec/apptainer/bin to the binary path in
apptainer.conf, which is used for searching for helper executables. It
is implied as the first directory of $PATH if present (which is at the
beginning of binary path by default) or just as the first directory if
$PATH is not included in binary path. ${prefix}/libexec/apptainer/bin.
* Add --unsquash action flag to temporarily convert a SIF file to a
sandbox before running. In previous versions this was the default when
running a SIF file without setuid or with fakeroot, but now the
default is to instead mount with squashfuse.
* Add --sparse flag to overlay create command to allow generation of a
sparse ext3 overlay image.
* Support for a custom hashbang in the %test section of an Apptainer
recipe (akin to the runscript and start sections).
* When using fakeroot in setuid mode, have the image drivers first enter
the the container's user namespace to avoid write errors with overlays.
* Skip trying to use kernel overlayfs when using writable overlay and
the lower layer is FUSE, because of a kernel bug introduced in kernel
5.15.
* Add additional hidden options to the action command for testing
different fakeroot modes with --fakeroot: --ignore-subuid,
--ignore-fakeroot-command, and --ignore-userns.

- Updated to version 1.1.0-rc2 with following changes:

* Fixed longstanding bug in the underlay logic when there are nested
bind points separated by more than one path level, for example /var
and /var/lib/yum, and the path didn't exist in the container image.
The bug
only caused an error when there was a directory in the container image
that didn't exist on the host.
* Improved wildcard matching in the %files directive of build definition
files by replacing usage of sh with the mvdan.cc library.
* Replaced checks for compatible filesystem types when using
fuse-overlayfs with an INFO message when an incompatible filesystem
type causes it to be unwritable by a fakeroot user.
* The --nvccli option now works without --fakeroot. In that case the
option can be used with --writable-tmpfs instead of --writable, and
--writable-tmpfs is implied if neither option is given. Note that also
/usr/bin has to be writable by the user, so without --fakeroot that
probably requires a sandbox image that was built with --fix-perms.
* The --nvccli option implies --nv.
* Configure squashfuse to always show files to be owned by the current
user. That's especially important for fakeroot to prevent most of the
files from looking like they are owned by user 65534.
* The fakeroot command can now be used even if $PATH is empty in the
environment of the apptainer command.
* Allow the newuidmap command to be missing if the current user is not
listed in /etc/subuid.
* Require the uidmap package in Debian packaging.
* Improved error handling of unsupported pass protected PEM files with
encrypted containers.
* Ensure bootstrap_history directory is populated with previous
definition files, present in source containers used in a build.
* Add additional options to the build command for testing different
fakeroot modes: --userns like the action flag and hidden options
--ignore-subuid,
--ignore-fakeroot-command, and --ignore-userns.
* Require root user early when building an encrypted container.
- removed upstream incorated patch fix-32bit-compilation.patch

- Updated to version 1.1.0-rc1 which enables apptainer to run without suid
and additional groups. Although this is a prerelease this is a major
advantage justifying its use.
* Added a squashfuse image driver that enables mounting SIF files
without using setuid-root. Requires the squashfuse command and
unprivileged user namespaces.
* Added a fuse2fs image driver that enables mounting EXT3 files and EXT3
SIF
overlay partitions without using setuid-root. Requires the fuse2fs
command and unprivileged user namespaces.
* Added the ability to use persistent overlay (--overlay) and
--writable-tmpfs without using setuid-root. This requires unprivileged
user namespaces and either a new enough kernel (>= 5.11) or the
fuse-overlayfs command. Persistent overlay works when the overlay
path points to a regular filesystem (known as "sandbox" mode, which
is not allowed when in setuid mode), or when it points to an EXT3
image. Does not work with a SIF partition because that requires
privileges to mount as an ext3 image.
* Extended the --fakeroot option to be useful when /etc/subuid and
/etc/subgid mappings have not been set up. If they have not been set
up, a root-mapped unprivileged user namespace (the equivalent of
unshare -r) and/or the fakeroot command from the host will be tried.
Together they emulate the mappings pretty well but they are simpler to
administer. This feature is especially useful with the --overlay and
--writable-tmpfs
options and for building containers unprivileged, because they allow
installing packages that assume they're running as root. A limitation
on using it with --overlay and --writable-tmpfs however is that when
only the fakeroot command can be used (because there are no user
namespaces available, in suid mode) then the base image has to be a
sandbox. This feature works nested inside of an apptainer container,
where another apptainer command will also be in the fakeroot
environment without requesting the --fakeroot option again, or it can
be used inside an apptainer container that was not started with
--fakeroot. However, the fakeroot command uses LD_PRELOAD and so
needs to be bound into the container which requires a compatible
libc. For that reason it doesn't work when the host and container
operating systems are of very different vintages. If that's a problem
and you want to use only an unprivileged root-mapped namespace even
when the fakeroot command is installed, just run apptainer with
unshare -r.
* Made the --fakeroot option be implied when an unprivileged user builds
a container from a definition file. When /etc/subuid and /etc/subgid
mappings are not available, all scriptlets are run in a root-mapped
unprivileged namespace (when possible) and the %post scriptlet is
additionally run with the fakeroot command. When unprivileged user
namespaces are not available, such that only the fakeroot command can
be used, the --fix-perms option is implied to allow writing into
directories.
* Added a --fakeroot option to the apptainer overlay create command to
make an overlay EXT3 image file that works with the fakeroot that
comes from unprivileged root-mapped namespaces. This is not needed
with the fakeroot that comes with /etc/sub[ug]id mappings nor with the
fakeroot that comes with only the fakeroot command in suid flow.
* $HOME is now used to find the user's configuration and cache by
default. If that is not set it will fall back to the previous behavior
of looking up the home directory in the password file. The value of
$HOME inside the container still defaults to the home directory in the
password file and can still be overridden by the --home option.
* When starting a container, if the user has specified the cwd by using
the
--pwd flag, if there is a problem an error is returned instead of
defaulting to a different directory.
* Nesting of bind mounts now works even when a --bind option specified a
different source and destination with a colon between them. Now the
APPTAINER_BIND environment variable makes sure the bind source is from
the bind destination so it will be succesfully re-bound into a nested
apptainer container.
* The warning about more than 50 bind mounts required for an underlay
bind has been changed to an info message.
* oci mount sets Process.Terminal: true when creating an OCI
config.json, so that oci run provides expected interactive behavior by
default. The default hostname for oci mount containers is now
apptainer instead of mrsdalloway.
* systemd is now supported and used as the default cgroups manager. Set
systemd cgroups = no in apptainer.conf to manage cgroups directly via
the cgroupfs.
* Added a new action flag --no-eval which:
+ Prevents shell evaluation of APPTAINERENV_ / --env / --env-file
environment variables as they are injected in the container, to match OCI
behavior. Applies to all containers.
+ Prevents shell evaluation of the values of CMD / ENTRYPOINT and
command line arguments for containers run or built directly from an
OCI/Docker source. Applies to newly built containers only, use apptainer
inspect to check version that container was built with.
* Added --no-eval to the list of flags set by the OCI/Docker --compat
mode.
* sinit process has been renamed to appinit.
* Added --keysdir to key command to provide an alternative way of
setting local keyring path. The existing reading of the keyring path
from environment variable 'APPTAINER_KEYSDIR' is untouched.
* apptainer key push will output the key server's response if included in
order to help guide users through any identity verification the server
may require.
* ECL no longer requires verification for all signatures, but only when
signature verification would alter the expected behavior of the list:
+ At least one matching signature included in a whitelist must be
validated, but other unvalidated signatures do not cause ECL to fail.
+ All matching signatures included in a whitestrict must be
validated, but unvalidated signatures not in the whitestrict do not cause
ECL to fail.
+ Signature verification is not checked for a blacklist; unvalidated
signatures can still block execution via ECL, and unvalidated signatures
not in the blacklist do not cause ECL to fail.
- New features / functionalities
* Non-root users can now use --apply-cgroups with run/shell/exec to
limit container resource usage on a system using cgroups v2 and the
systemd cgroups manager.
* Native cgroups v2 resource limits can be specified using the [unified]
key in a cgroups toml file applied via --apply-cgroups.
* Added --cpu*, --blkio*, --memory*, --pids-limit flags to apply cgroups
resource limits to a container directly. Added instance stats command.
* The --no-mount flag & APPTAINER_NO_MOUNT env var can now be used to
disable a bind path entry from apptainer.conf by specifying the
absolute path to the destination of the bind.
* Apptainer now supports the riscv64 architecture.
* remote add --insecure may now be used to configure endpoints that are
only accessible via http. Alternatively the environment variable
APPTAINER_ADD_INSECURE can be set to true to allow http remotes to be
added wihtout the --insecure flag. Specifying https in the remote URI
overrules both --insecure and APPTAINER_ADD_INSECURE.
* Gpu flags --nv and --rocm can now be used from an apptainer nested
inside another apptainer container.
* Added --public, --secret, and --both flags to the key remove command
to support removing secret keys from the apptainer keyring.
* Debug output can now be enabled by setting the APPTAINER_DEBUG env var.
* Debug output is now shown for nested apptainer calls, in wrapped
unsquashfs image extraction, and build stages.
- Bug fixes
* Remove warning message about SINGULARITY and APPTAINER variables
having different values when the SINGULARITY variable is not set.
* Add specific error for unreadable image / overlay file.
* Pass through a literal \n in host environment variables to the
container.
* Fix loop device creation with loop-control when running inside docker
containers.
* Fix the issue that the oras protocol would ignore the
--no-https/--nohttps flag.
- File changes
* Removed useful_error_message.patch as not needed any more
* Added fix-32bit-compilation.patch from upstream

- Update to version 1.0.3:
* Process redirects that can come from sregistry with a library:// URL.
* Fix inspect --deffile and inspect --all to correctly show definition
files in sandbox container images instead of empty output. This has a
side effect
of also fixing the storing of definition files in the metadata of sif
files built by Apptainer, because that metadata is constructed by
doing inspect
--all.

- Update to version 1.0.2:
+ Fixed `FATAL` error thrown by user configuration migration code that
caused users with inaccessible home directories to be unable to use
`apptainer` commands.
+ Do not truncate environment variables with commas.
+ Use HEAD request when checking digest of remote OCI image sources,
with GET as a fall-back. Greatly reduces Apptainer's impact on Docker
Hub API limits.

- Updated to v1.0.1 with following bug fixes
* Don't prompt for y/n to overwrite an existing file when build is
called from a non-interactive environment. Fail with an error.
* Preload NSS libraries prior to mountspace name creation to avoid
circumstances that can cause loading those libraries from the
container image instead of the host, for example in the startup
environment.
* Fix race condition where newly created loop devices can sometimes not
be opened.
* Support nvidia-container-cli v1.8.0 and above, via fix to capability
set.

- Updated to v1.0.0-rc1 changes to singularity 3.9.5 are
* The primary executable has been changed from singularity to apptainer.
However, a singularity command symlink alias has been created pointing
to the apptainer command. The contents of containers are unchanged and
continue to use the singularity name for startup scripts, etc.
* The per-user configuration directory has changed from ~/.singularity
to ~/.apptainer. The first time the apptainer command accesses the
user configuration directory, relevant configuration is automatically
imported from the old directory to the new one.
* Environment variables have all been changed to have an APPTAINER
prefix instead of a SINGULARITY prefix. However, SINGULARITY prefix
variables are still recognized. If only a SINGULARITY prefix variable
exists, a warning will be printed about deprecated usage and then the
value will be used. If both prefixes exist and the value is the same,
no warning is printed; this is the recommended method to set
environment variables for those who need to support both apptainer and
singularity. If both prefixes exist for the same variable and the
value is different then a warning is also printed.
* The default SylabsCloud remote endpoint has been removed and replaced
by
one called DefaultRemote which has no defined server for the
library:// URI. System administrators may restore the old default if
they wish by adding it to /etc/apptainer/remote.yaml with a URI of
cloud.sylabs.io and setting it there as the Active remote, or users
can add it to their own configuration with the commands apptainer
remote add SylabsCloud cloud.sylabs.io and apptainer remote use
SylabsCloud.
* The DefaultRemote's key server is   https://keys.openpgp.org instead of
the Sylabs key server
* The apptainer build --remote option has been removed because there is
no standard protocol or non-commercial service that supports it.
- New Features:
* Honor image binds and user binds in the order they're given instead of
always doing image binds first.
* Experimental support for checkpointing of instances using DMTCP has
been added. Additional flags --dmtcp-launch and --dmtcp-restart has
been added to the apptainer instance start command, and a checkpoint
command group has been added to manage the checkpoint state. A new
/etc/apptainer/dmtcp-conf.yaml configuration file is also added.
Limitations are that it can only work with dynamically linked
applications and the container has to be based on glibc.
* --writable-tmpfs can be used with apptainer build to run the %test
section
of the build with a ephemeral tmpfs overlay, permitting tests that
write to the container filesystem.
* The --compat flag for actions is a new short-hand to enable a number of
options that increase OCI/Docker compatibility. Infers --containall,
--no-init, --no-umask, --writable-tmpfs. Does not use user, uts, or
network namespaces as these may not be supported on many
installations.
* The experimental --nvccli flag will use nvidia-container-cli to setup
the container for Nvidia GPU operation. Apptainer will not bind GPU
libraries itself. Environment variables that are used with Nvidia's
docker-nvidia runtime to configure GPU visibility / driver
capabilities & requirements are parsed by the --nvccli flag from the
environment of the calling user. By default, the compute and utility
GPU capabilities are configured. The use nvidia-container-cli option
in apptainer.conf can be set to yes to always use nvidia-container-cli
when supported. --nvccli is not supported in the setuid workflow, and
it requires being used in combination with
--writable in user namespace mode. Please see documentation for more
details.
* The --apply-cgroups flag can be used to apply cgroups resource and
device restrictions on a system using the v2 unified cgroups
hierarchy. The resource restrictions must still be specified in the v1
/ OCI format, which will be translated into v2 cgroups resource
restrictions, and eBPF device restrictions.
* A new --mount flag and APPTAINER_MOUNT environment variable can be
used to specify bind mounts in
type=bind,source=,destination=[,options...] format. This
improves CLI compatibility with other runtimes, and allows binding
paths containing : and , characters (using CSV style escaping).
* Perform concurrent multi-part downloads for library:// URIs. Uses 3
concurrent downloads by default, and is configurable in apptainer.conf
or via environment variables.

- Explicit dependcy on go1.16.12 or go1.17.5 which fix (CVE-2021-44717)
and (CVE-2021-44716) that may affect singualrity

- inital commit of apptainer which is a singularity fork

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.4:

zypper in -t patch openSUSE-2023-18=1


Package List:

- openSUSE Leap 15.4 (aarch64 i586 s390x x86_64):

apptainer-1.1.2-lp154.2.1
apptainer-debuginfo-1.1.2-lp154.2.1

References:

  https://www.suse.com/security/cve/CVE-2021-44716.html
  https://www.suse.com/security/cve/CVE-2021-44717.html
  https://www.suse.com/security/cve/CVE-2022-39237.html