[gentoo-announce] [ GLSA 202210-19 ] Apptainer: Lack of Digital Signature Hash Verification - gentoo-announce

From:	glsamaker@g.o
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 202210-19 ] Apptainer: Lack of Digital Signature Hash Verification
Date:	Mon, 31 Oct 2022 01:56:10
Message-Id:	`166717882675.9.17906974345042518113@90bb6a0775af`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202210-19

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Low

8

    Title: Apptainer: Lack of Digital Signature Hash Verification

9

     Date: October 31, 2022

10

     Bugs: #875869

11

       ID: 202210-19

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A vulnerability has been found in Apptainer which could result in the

19

usage of an unexpected of a container.

20

21

Background

22

==========

23

24

Apptainer is the container system for secure high-performance computing.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  app-containers/apptainer   < 1.1.2                      >= 1.1.2

33

34

Description

35

===========

36

37

The Go module "sif" version 2.8.0 and older, which is a statically

38

linked dependency of Apptainer, does not verify that the hash

39

algorithm(s) used are cryptographically secure when verifying digital

40

signatures.

41

42

Impact

43

======

44

45

An image whose verification relies on a cryptographically insecure hash

46

algorithm could be replaced, resulting in users using an image other

47

than the one that was expected.

48

49

Workaround

50

==========

51

52

There is no known workaround at this time.

53

54

Resolution

55

==========

56

57

All Apptainer users should upgrade to the latest version:

58

59

  # emerge --sync

60

  # emerge --ask --oneshot --verbose ">=app-containers/apptainer-1.1.2"

61

62

References

63

==========

64

65

[ 1 ] CVE-2022-39237

66

      https://nvd.nist.gov/vuln/detail/CVE-2022-39237

67

68

Availability

69

============

70

71

This GLSA and any updates to it are available for viewing at

72

the Gentoo Security Website:

73

74

 https://security.gentoo.org/glsa/202210-19

75

76

Concerns?

77

=========

78

79

Security is a primary focus of Gentoo Linux and ensuring the

80

confidentiality and security of our users' machines is of utmost

81

importance to us. Any security concerns should be addressed to

82

security@g.o or alternatively, you may file a bug at

83

https://bugs.gentoo.org.

84

85

License

86

=======

87

88

Copyright 2022 Gentoo Foundation, Inc; referenced text

89

belongs to its owner(s).

90

91

The contents of this document are licensed under the

92

Creative Commons - Attribution / Share Alike license.

93

94

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202210-19
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Low
8	Title: Apptainer: Lack of Digital Signature Hash Verification
9	Date: October 31, 2022
10	Bugs: #875869
11	ID: 202210-19
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A vulnerability has been found in Apptainer which could result in the
19	usage of an unexpected of a container.
20
21	Background
22	==========
23
24	Apptainer is the container system for secure high-performance computing.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 app-containers/apptainer < 1.1.2 >= 1.1.2
33
34	Description
35	===========
36
37	The Go module "sif" version 2.8.0 and older, which is a statically
38	linked dependency of Apptainer, does not verify that the hash
39	algorithm(s) used are cryptographically secure when verifying digital
40	signatures.
41
42	Impact
43	======
44
45	An image whose verification relies on a cryptographically insecure hash
46	algorithm could be replaced, resulting in users using an image other
47	than the one that was expected.
48
49	Workaround
50	==========
51
52	There is no known workaround at this time.
53
54	Resolution
55	==========
56
57	All Apptainer users should upgrade to the latest version:
58
59	# emerge --sync
60	# emerge --ask --oneshot --verbose ">=app-containers/apptainer-1.1.2"
61
62	References
63	==========
64
65	[ 1 ] CVE-2022-39237
66	https://nvd.nist.gov/vuln/detail/CVE-2022-39237
67
68	Availability
69	============
70
71	This GLSA and any updates to it are available for viewing at
72	the Gentoo Security Website:
73
74	https://security.gentoo.org/glsa/202210-19
75
76	Concerns?
77	=========
78
79	Security is a primary focus of Gentoo Linux and ensuring the
80	confidentiality and security of our users' machines is of utmost
81	importance to us. Any security concerns should be addressed to
82	security@g.o or alternatively, you may file a bug at
83	https://bugs.gentoo.org.
84
85	License
86	=======
87
88	Copyright 2022 Gentoo Foundation, Inc; referenced text
89	belongs to its owner(s).
90
91	The contents of this document are licensed under the
92	Creative Commons - Attribution / Share Alike license.
93
94	https://creativecommons.org/licenses/by-sa/2.5