x/vulndb: potential Go vuln in github.com/apptainer/apptainer: GHSA-j4rf-7357-f4cg

[GoVulnBot]

In GitHub Security Advisory GHSA-j4rf-7357-f4cg, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/apptainer/apptainer	1.1.8	< 1.1.8

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/apptainer/apptainer
    versions:
      - fixed: 1.1.8
    packages:
      - package: github.com/apptainer/apptainer
summary: Unpatched extfs vulnerabilities are exploitable through suid-mode Apptainer
    and Singularity
description: "### Impact\nThere is an ext4 use-after-free flaw described in CVE-2022-1184
    that is exploitable through versions of Apptainer < 1.1.0, installations that
    include apptainer-suid < 1.1.8, and all versions of Singularity in their default
    configurations on older operating systems where that CVE has not been patched.
    \ That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10
    package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal.  Use-after-free
    flaws in the kernel can be used to attack the kernel for denial of service and
    potentially for privilege escalation.\n\n### Background\nHistorically there have
    been many CVEs published for extfs and a smaller number for squashfs, including
    serious use-after-free and buffer overrun vulnerabilities, that are scored as
    \"Moderate\" or \"Low\" impact only because unprivileged users were assumed to
    not have write access to the raw data.  Because of those ratings, vendors treat
    such CVEs as low urgency and either delay a patch until their next major release
    or never patch older but still supported operating systems at all.  Many Linux
    distributions automatically mount user-writable USB-drive volumes, but those are
    considered low risk because they require physical access to the machine.  However,
    since setuid-root installations of Apptainer and Singularity by default allow
    all users to mount any extfs (specifically, ext3, which is implemented by the
    ext4 driver) and squashfs filesystem using kernel drivers even though the users
    have write access to the raw data, the setuid-root installations raise the severity
    of such unpatched CVEs.  \n\nCVE-2022-1184 is currently such an unpatched CVE,
    at least on the above listed operating systems.  The descriptions from the operating
    system vendors about the CVE (referenced below) are incomplete, saying only that
    it allows a local attacker with user privilege to cause a denial of service.  Normally
    users would not be able to cause it because they cannot modify the filesystem
    image, and normally vulnerabilities that involve kernel memory corruption by unprivileged
    users are considered high severity even when there is not yet a known privilege
    escalation because someone with sufficient kernel knowledge can usually turn such
    a corruption into a privilege escalation. \n\nRed Hat did not list RHEL7 as vulnerable,
    but they also did not list it as unaffected, and testing confirmed that a filesystem
    image could be corrupted to get past the check inserted into the filesystem driver
    to fix the vulnerability (patches linked below).\n\nAll published squashfs CVEs
    have been patched in currently supported major operating systems.\n\n### Patches\nApptainer
    1.1.8 includes a patch that by default disables mounting of extfs filesystem types
    in setuid-root mode, while continuing to allow mounting of extfs filesystems in
    non-setuid \"rootless\" mode using fuse2fs.\n\n### Workarounds\nThese workarounds
    are possible:\n1. Either do not install apptainer-suid (for versions 1.1.0 through
    1.1.7) or set `allow setuid = no` in apptainer.conf (or singularity.conf for singularity
    versions).  This requires having unprivileged user namespaces enabled and except
    for apptainer 1.1.x versions will disallow mounting of sif files, extfs files,
    and squashfs files in addition to other, less significant impacts.  (Encrypted
    sif files are also not supported unprivileged in apptainer 1.1.x.)\n2. Alternatively,
    use the `limit containers` options in apptainer.conf/singularity.conf to limit
    sif files to trusted users, groups, and/or paths.  (The option `allow container
    extfs = no` disallows mounting extfs overlay files but does not disallow mounting
    of extfs overlay partitions inside SIF files, so it does not help work around
    the problem.)"
cves:
  - CVE-2023-30549
ghsas:
  - GHSA-j4rf-7357-f4cg
references:
  - advisory: https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg
  - web: https://nvd.nist.gov/vuln/detail/CVE-2022-1184
  - fix: https://github.com/torvalds/linux/commit/61a1d87a324ad5e3ed27c6699dfc93218fcf3201
  - fix: https://github.com/torvalds/linux/commit/65f8ea4cd57dbd46ea13b41dc8bac03176b04233
  - web: https://access.redhat.com/security/cve/cve-2022-1184
  - web: https://security-tracker.debian.org/tracker/CVE-2022-1184
  - web: https://ubuntu.com/security/CVE-2022-1184
  - advisory: https://github.com/advisories/GHSA-j4rf-7357-f4cg

[zpavlinovic]

Vuln in binary. Also, fix is in the packages not imported by anyone.

[gopherbot]

Change https://go.dev/cl/488995 mentions this issue: data/excluded: batch add GO-2023-1738, GO-2023-1736, GO-2023-1743, GO-2023-1742, GO-2023-1741, GO-2023-1740, GO-2023-1739

[gopherbot]

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

[gopherbot]

Change https://go.dev/cl/606785 mentions this issue: data/reports: unexclude 20 reports (5)