We believe that it is important to apply this change to all EPEL releases,
for these reasons:
1. The general vulnerability described in this CVE applies equally to all
currently supported Linux distributions. The Singularity/Apptainer
community has long been aware that making setuid-root kernel
filesystem mounts available to all users has been a risk, because
https://lwn.net/Articles/652468/ briefly explained that kernel
developers considered that to be a great risk. System admins have
been willing to live with the risk because (a) nobody had identified
an attack, (b) the functionality was so useful, especially the
squashfs mounts, and (c) there wasn't an alternative. With the new
information from the ext4 kernel filesystem owner, we now have more
specifics on how the attack can be done including an example
vulnerability, the ext3 mounts aren't as widely used as squashfs,
and Apptainer has an alternative using unprivileged user namespaces.
2. RHEL8 & RHEL9 have unprivileged user namespaces enabled by default,
so the functionality will still be available to most of the users.
It does not automatically switch to the alternative, but there's a
clear error message saying that it is disabled by configuration and
suggesting that users add the --userns option (and of course if
apptainer-suid is not installed it uses the user namespace mode
automatically).
3. It is important to have consistency across platforms, since users and
administrators often use more than one and it would be confusing to
have different behavior on different platforms. Admins can also
install the rpm on RHEL8 & 9 directly from github, and it would not
be good to have different behavior when installed from EPEL.
Dave
On Thu, Apr 27, 2023 at 02:42:13AM -0500, Carl George wrote:
...
> EPEL 9:
>
> RHEL 9 has the fix for CVE-2022-1184. CVE-2023-30549 requires
> CVE-2022-1184 to be unpatched. Because of this I'm opposed to an
> incompatible update for apptainer in EPEL 9. Apptainer in EPEL 9
> should be modified to set the "allow setuid-mount extfs" option to yes
> for compatibility, even if that isn't the upstream default.
>
> EPEL 8:
>
> RHEL 8 has the fix for CVE-2022-1184. CVE-2023-30549 requires
> CVE-2022-1184 to be unpatched. Because of this I'm opposed to an
> incompatible update for apptainer in EPEL 8. Apptainer in EPEL 8
> should be modified to set the "allow setuid-mount extfs" option to yes
> for compatibility, even if that isn't the upstream default.
>
> EPEL 7:
>
> RHEL 7 appears to be vulnerable to CVE-2022-1184. CVE-2023-30549
> requires CVE-2022-1184 to be unpatched, so unlike EPEL 8 and EPEL 9 it
> actually impacts the EPEL 7 apptainer package. This CVE has not yet
> been rated by NVD. If the NVD assigns a rating of high (matching the
> CNA suggestion) or critical, I would be agreeable to an incompatible
> update of apptainer in EPEL 7. If the NVD assigns a rating of medium
> (matching CVE-2022-1184) or low, I would be opposed to an incompatible
> update of apptainer in EPEL 7.
>
>
https://nvd.nist.gov/vuln/detail/CVE-2023-30549
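As an added illustration of the settings the thread turns on (not code from either poster or from the Apptainer project), the script below reads the `allow setuid-mount extfs` value from an apptainer.conf-style file and classifies a host using the two other facts the discussion treats as decisive: whether the kernel carries the CVE-2022-1184 fix, and whether unprivileged user namespaces are available for the `--userns` fallback. The config path `/etc/apptainer/apptainer.conf`, the `KERNEL_FIX` variable and the function names are assumptions; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Apptainer. Audits the
# "allow setuid-mount extfs" option and the user-namespace fallback.

# Effective value of "allow setuid-mount extfs" in an apptainer.conf-style
# file. Assumes the upstream default is "no" when the key is absent (as the
# thread describes); the last occurrence of the key wins.
extfs_setuid_mount_value() {
    val=$(grep -E '^[[:space:]]*allow setuid-mount extfs[[:space:]]*=' "$1" 2>/dev/null \
          | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    [ -n "$val" ] && echo "$val" || echo no
}

# Classify a host from:
#   $1 = config file path
#   $2 = CVE-2022-1184 kernel fix present (yes/no, taken from distro errata)
#   $3 = user.max_user_namespaces sysctl value (0 means no userns fallback)
# Prints one of: kernel-patched | exposed | mitigated | mitigated-no-fallback
classify_host() {
    conf="$1"; kfix="$2"; maxns="$3"
    if [ "$kfix" = "yes" ]; then
        echo kernel-patched            # CVE-2023-30549 needs 1184 unpatched
    elif [ "$(extfs_setuid_mount_value "$conf")" = "yes" ]; then
        echo exposed                   # setuid ext mounts still allowed
    elif [ "$maxns" -gt 0 ] 2>/dev/null; then
        echo mitigated                 # disabled, --userns is available
    else
        echo mitigated-no-fallback     # disabled, and no userns either
    fi
}

# Constructed sample standing in for /etc/apptainer/apptainer.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample config, not a real site file
allow setuid-mount squashfs = yes
allow setuid-mount extfs = yes
EOF

# Live check of the current host. KERNEL_FIX is a hypothetical variable the
# admin sets to "yes" after confirming the errata; it defaults to "no".
live_report() {
    maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)
    classify_host /etc/apptainer/apptainer.conf "${KERNEL_FIX:-no}" "$maxns"
}
```

Run `live_report` on a host to get the classification; a result of `exposed` is the EPEL 7 case Carl describes, where the option is set to yes on an unpatched kernel.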