[Beowulf] Heads up - Stack-Clash local root vulnerability
Kilian Cavalotti
kilian.cavalotti.work at gmail.com
Wed Jun 21 17:36:58 PDT 2017
On Wed, Jun 21, 2017 at 5:09 PM, Christopher Samuel
<samuel at unimelb.edu.au> wrote:
> So yes, you are quite right, this (currently) doesn't seem like
> something you need to worry about with users' own codes being copied onto
> the system or containers utilised through Shifter and Singularity which
> exist to disarm Docker containers.
>
> Phew, thanks so much for pointing that out! :-)
Well well well, I don't want to rain on the parade, and that's
entirely true for the most part but two key things to keep in mind:

1. Things like libffi [1] have also been patched to address this
   vulnerability, so it looks like this may be a little more complex than
   just updating or preventing access to SUID root binaries.

2. Singularity heavily relies on SUID root binaries to manipulate
   images [2]. That's actually the one user-facing application that I'm
   the most worried about right now.

[1]: https://lists.debian.org/debian-security-announce/2017/msg00149.html
[2]: http://singularity.lbl.gov/faq#are-there-any-special-security-concerns-that-singularity-introduces

Cheers,
--
Kilian