Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package singularity-container

The 2.2 release contained a vulnerability described in detail upstream at
https://github.com/singularityware/singularity/releases/tag/2.2.1 :

    In versions of Singularity previous to 2.2.1, it was possible for a malicious user to create and manipulate specifically crafted raw devices within containers they own. Utilizing MS_NODEV as a container image mount option mitigates this potential vector of attack. As a result, this update should be implemented with high urgency. A big thanks to Mattias Wadenstein (@UMU in Sweden) for identifying and reporting this issue!

2.2-2 (debdiff attached) was prepared in collaboration with upstream to cover that vulnerability and to address a few other possibly security-related (snprintf) and functionality-related issues. security@d.o was provided with the debdiff and no negative opinions were expressed.

unblock singularity-container/2.2-2

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (900, 'testing'), (600, 'unstable'), (300, 'experimental'), (100, 'unstable-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru singularity-container-2.2/debian/changelog singularity-container-2.2/debian/changelog --- singularity-container-2.2/debian/changelog 2016-11-30 12:33:01.000000000 -0500 +++ singularity-container-2.2/debian/changelog 2017-02-09 16:27:55.000000000 -0500 @@ -1,3 +1,24 @@ +singularity-container (2.2-2) unstable; urgency=high + + * debian/patches - picks up from upcoming 2.2.1 release + critical functionality and possibly security-related fixes + - changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff + to support mounting ext4 formatted images read-only + - changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff + to utilize mount option MS_NODEV for images + (fixes potential security implications) + - changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff + to fix bootstrapping ran as root (thus no MS_NODEV restriction + from above patch should be applied) + - changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff + exit with error if snprintf would have went out of bounds + - changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff + changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff + changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff + Various obvious fixes (updated URLs, apt --force-yes) + + -- Yaroslav Halchenko <deb...@onerussian.com> Thu, 09 Feb 2017 16:27:55 -0500 + singularity-container (2.2-1) unstable; urgency=medium [ Mehdi Dogguy ] diff -Nru singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff --- singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff 1969-12-31 19:00:00.000000000 -0500 +++ singularity-container-2.2/debian/patches/changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff 2017-02-09 16:27:55.000000000 -0500 
@@ -0,0 +1,21 @@ +From: Gregory M. Kurtzer <gmkurt...@lbl.gov> +Subject: Use --force-yes + +--- a/examples/debian.def ++++ b/examples/debian.def +@@ -16,5 +16,5 @@ MirrorURL: http://ftp.us.debian.org/debi + %post + echo "Hello from inside the container" + apt-get update +- apt-get -y install vim ++ apt-get -y --force-yes install vim + +--- a/examples/ubuntu.def ++++ b/examples/ubuntu.def +@@ -16,5 +16,5 @@ MirrorURL: http://us.archive.ubuntu.com/ + %post + echo "Hello from inside the container" + sed -i 's/$/ universe/' /etc/apt/sources.list +- apt-get -y install vim ++ apt-get -y --force-yes install vim + diff -Nru singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff --- singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff 1969-12-31 19:00:00.000000000 -0500 +++ singularity-container-2.2/debian/patches/changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff 2017-02-09 16:27:55.000000000 -0500 
@@ -0,0 +1,14 @@ +From: Nekel-Seyew <kylemdswee...@gmail.com> +Subject: added an ERRNO==ENOENT clause + +--- a/src/lib/file/group/group.c ++++ b/src/lib/file/group/group.c +@@ -139,7 +139,7 @@ int singularity_file_group(void) { + singularity_message(VERBOSE3, "Found supplementary group membership in: %d\n", gids[i]); + singularity_message(VERBOSE2, "Adding user's supplementary group ('%s') info to template group file\n", grent->gr_name); + fprintf(file_fp, "%s:x:%u:%s\n", gr->gr_name, gr->gr_gid, pwent->pw_name); +- } else if ( (errno == 0) || (errno == ESRCH) || (errno == EBADF) || (errno == EPERM) ) { ++ } else if ( (errno == 0) || (errno == ESRCH) || (errno == EBADF) || (errno == EPERM) || (errno == ENOENT)) { + singularity_message(VERBOSE3, "Skipping GID %d as group entry does not exist.\n", gids[i]); + } else { + singularity_message(ERROR, "Failed to lookup GID %d group entry: %s\n", gids[i], strerror(errno)); diff -Nru singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff --- singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff 1969-12-31 19:00:00.000000000 -0500 +++ singularity-container-2.2/debian/patches/changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff 2017-02-09 16:27:55.000000000 -0500 
@@ -0,0 +1,120 @@ +From: Brian Bockelman <bbock...@cse.unl.edu> +Subject: Fix remaining usage of snprintf. + +--- a/src/lib/message.c ++++ b/src/lib/message.c +@@ -109,23 +109,23 @@ void _singularity_message(int level, con + } + + if ( level <= messagelevel ) { +- char *header_string; ++ char header_string[95]; + + if ( messagelevel >= DEBUG ) { +- char *debug_string = (char *) malloc(25); +- char *location_string = (char *) malloc(60); +- char *tmp_header_string = (char *) malloc(80); +- header_string = (char *) malloc(80); ++ char debug_string[25]; ++ char location_string[60]; ++ char tmp_header_string[86]; + snprintf(location_string, 60, "%s:%d:%s()", file, line, function); // Flawfinder: ignore ++ location_string[59] = '\0'; + snprintf(debug_string, 25, "[U=%d,P=%d]", geteuid(), getpid()); // Flawfinder: ignore +- snprintf(tmp_header_string, 80, "%-18s %s", debug_string, location_string); // Flawfinder: ignore +- snprintf(header_string, 80, "%-7s %-62s: ", prefix, tmp_header_string); // Flawfinder: ignore +- free(debug_string); +- free(location_string); +- free(tmp_header_string); ++ debug_string[24] = '\0'; ++ snprintf(tmp_header_string, 86, "%-18s %s", debug_string, location_string); // Flawfinder: ignore ++ tmp_header_string[85] = '\0'; ++ snprintf(header_string, 95, "%-7s %-62s: ", prefix, tmp_header_string); // Flawfinder: ignore ++ header_string[94] = '\0'; + } else { +- header_string = (char *) malloc(11); + snprintf(header_string, 10, "%-7s: ", prefix); // Flawfinder: ignore ++ header_string[9] = '\0'; + } + + if ( level == INFO && messagelevel == INFO ) { +@@ -138,7 +138,6 @@ void _singularity_message(int level, con + fprintf(stderr, "%s", strjoin(header_string, message)); + } + +- + fflush(stdout); + fflush(stderr); + +--- a/src/lib/rootfs/rootfs.c ++++ b/src/lib/rootfs/rootfs.c +@@ -184,7 +184,10 @@ int singularity_rootfs_mount(void) { + } else if ( envar_defined("SINGULARITY_WRITABLE") == TRUE ) { + singularity_message(VERBOSE3, "Not enabling 
overlayFS, image mounted writablable\n"); + } else { +- snprintf(overlay_options, overlay_options_len, "lowerdir=%s,upperdir=%s,workdir=%s", rootfs_source, overlay_upper, overlay_work); // Flawfinder: ignore ++ if (snprintf(overlay_options, overlay_options_len, "lowerdir=%s,upperdir=%s,workdir=%s", rootfs_source, overlay_upper, overlay_work) >= overlay_options_len) { ++ singularity_message(ERROR, "Overly-long path names for OverlayFS configuration.\n"); ++ ABORT(255); ++ } + + singularity_priv_escalate(); + singularity_message(DEBUG, "Mounting overlay tmpfs: %s\n", overlay_mount); +--- a/src/lib/sessiondir.c ++++ b/src/lib/sessiondir.c +@@ -55,7 +55,7 @@ char *singularity_sessiondir_init(char * + struct stat filestat; + uid_t uid = singularity_priv_getuid(); + +- sessiondir = (char *) malloc(sizeof(char) * PATH_MAX); ++ sessiondir = (char *) malloc(PATH_MAX); + + singularity_message(DEBUG, "Checking Singularity configuration for 'sessiondir prefix'\n"); + +@@ -66,9 +66,15 @@ char *singularity_sessiondir_init(char * + + singularity_config_rewind(); + if ( ( sessiondir_prefix = envar_path("SINGULARITY_SESSIONDIR") ) != NULL ) { +- snprintf(sessiondir, sizeof(char) * PATH_MAX, "%s/singularity-session-%d.%d.%lu", sessiondir_prefix, (int)uid, (int)filestat.st_dev, (long unsigned)filestat.st_ino); // Flawfinder: ignore ++ if (snprintf(sessiondir, PATH_MAX, "%s/singularity-session-%d.%d.%lu", sessiondir_prefix, (int)uid, (int)filestat.st_dev, (long unsigned)filestat.st_ino) >= PATH_MAX) { // Flawfinder: ignore ++ singularity_message(ERROR, "Overly-long session directory specified.\n"); ++ ABORT(255); ++ } + } else if ( ( sessiondir_prefix = singularity_config_get_value("sessiondir prefix") ) != NULL ) { +- snprintf(sessiondir, sizeof(char) * PATH_MAX, "%s%d.%d.%lu", sessiondir_prefix, (int)uid, (int)filestat.st_dev, (long unsigned)filestat.st_ino); // Flawfinder: ignore ++ if (snprintf(sessiondir, PATH_MAX, "%s%d.%d.%lu", sessiondir_prefix, (int)uid, (int)filestat.st_dev, 
(long unsigned)filestat.st_ino) >= PATH_MAX) { // Flawfinder: ignore ++ singularity_message(ERROR, "Overly-long session directory specified.\n"); ++ ABORT(255); ++ } + } else { + snprintf(sessiondir, sizeof(char) * PATH_MAX, "/tmp/.singularity-session-%d.%d.%lu", (int)uid, (int)filestat.st_dev, (long unsigned)filestat.st_ino); // Flawfinder: ignore + } +--- a/src/util/util.c ++++ b/src/util/util.c +@@ -136,8 +136,12 @@ char *joinpath(const char * path1, const + path2++; + } + +- ret = (char *) malloc(strlength(tmp_path1, PATH_MAX) + strlength(path2, PATH_MAX) + 2); +- snprintf(ret, strlength(tmp_path1, PATH_MAX) + strlen(path2) + 2, "%s/%s", tmp_path1, path2); // Flawfinder: ignore ++ size_t ret_pathlen = strlength(tmp_path1, PATH_MAX) + strlength(path2, PATH_MAX) + 2; ++ ret = (char *) malloc(ret_pathlen); ++ if (snprintf(ret, ret_pathlen, "%s/%s", tmp_path1, path2) >= ret_pathlen) { // Flawfinder: ignore ++ singularity_message(ERROR, "Overly-long path name.\n"); ++ ABORT(255); ++ } + + return(ret); + } +@@ -147,7 +151,10 @@ char *strjoin(char *str1, char *str2) { + int len = strlength(str1, 2048) + strlength(str2, 2048) + 1; + + ret = (char *) malloc(len); +- snprintf(ret, len, "%s%s", str1, str2); // Flawfinder: ignore ++ if (snprintf(ret, len, "%s%s", str1, str2) >= len) { // Flawfinder: ignore ++ singularity_message(ERROR, "Overly-long string encountered.\n"); ++ ABORT(255); ++ } + + return(ret); + } diff -Nru singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff --- singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff 1969-12-31 19:00:00.000000000 -0500 +++ singularity-container-2.2/debian/patches/changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff 2017-02-09 16:27:55.000000000 -0500 
@@ -0,0 +1,14 @@ +From: Gregory M. Kurtzer <gmkurt...@lbl.gov> +Subject: Fix busybox path + +--- a/examples/busybox.def ++++ b/examples/busybox.def +@@ -5,7 +5,7 @@ + # required approvals from the U.S. Dept. of Energy). All rights reserved. + + BootStrap: busybox +-MirrorURL: https://www.busybox.net/downloads/binaries/busybox-x86_64 ++MirrorURL: https://www.busybox.net/downloads/binaries/1.26.2-defconfig-multiarch/busybox-x86_64 + + + %post diff -Nru singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff --- singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff 1969-12-31 19:00:00.000000000 -0500 +++ singularity-container-2.2/debian/patches/changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff 2017-02-09 16:27:55.000000000 -0500 
@@ -0,0 +1,31 @@ +From: Gregory M. Kurtzer <gmkurt...@lbl.gov> +Subject: Minor fixup to fail over to try ext4 file system + Sorry, I didn't realize anyone was still using those images! + +--- a/src/lib/rootfs/image/image.c ++++ b/src/lib/rootfs/image/image.c +@@ -127,16 +127,20 @@ int rootfs_image_mount(void) { + singularity_message(VERBOSE, "Mounting image in read/write\n"); + singularity_priv_escalate(); + if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID, "errors=remount-ro") < 0 ) { +- singularity_message(ERROR, "Failed to mount image in (read/write): %s\n", strerror(errno)); +- ABORT(255); ++ if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID, "errors=remount-ro") < 0 ) { ++ singularity_message(ERROR, "Failed to mount image in (read/write): %s\n", strerror(errno)); ++ ABORT(255); ++ } + } + singularity_priv_drop(); + } else { + singularity_priv_escalate(); + singularity_message(VERBOSE, "Mounting image in read/only\n"); + if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) { +- singularity_message(ERROR, "Failed to mount image in (read only): %s\n", strerror(errno)); +- ABORT(255); ++ if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) { ++ singularity_message(ERROR, "Failed to mount image in (read only): %s\n", strerror(errno)); ++ ABORT(255); ++ } + } + singularity_priv_drop(); + } diff -Nru singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff --- singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff 1969-12-31 19:00:00.000000000 -0500 +++ singularity-container-2.2/debian/patches/changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff 2017-02-09 16:27:55.000000000 -0500 
@@ -0,0 +1,76 @@ +From: Gregory M. Kurtzer <gmkurt...@lbl.gov> +Subject: Conditionally disable MS_NODEV when running as root + +--- a/src/lib/rootfs/dir/dir.c ++++ b/src/lib/rootfs/dir/dir.c +@@ -65,6 +65,7 @@ int rootfs_dir_init(char *source, char * + + + int rootfs_dir_mount(void) { ++ int opts = MS_BIND|MS_NOSUID|MS_REC; + + if ( ( mount_point == NULL ) || ( source_dir == NULL ) ) { + singularity_message(ERROR, "Called image_mount but image_init() hasn't been called\n"); +@@ -76,9 +77,13 @@ int rootfs_dir_mount(void) { + ABORT(255); + } + ++ if ( getuid() != 0 ) { ++ opts |= MS_NODEV; ++ } ++ + singularity_priv_escalate(); + singularity_message(DEBUG, "Mounting container directory %s->%s\n", source_dir, mount_point); +- if ( mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_NODEV, NULL) < 0 ) { ++ if ( mount(source_dir, mount_point, NULL, opts, NULL) < 0 ) { + singularity_message(ERROR, "Could not mount container directory %s->%s: %s\n", source_dir, mount_point, strerror(errno)); + return 1; + } +@@ -88,7 +93,7 @@ int rootfs_dir_mount(void) { + if ( singularity_ns_user_enabled() <= 0 ) { + singularity_priv_escalate(); + singularity_message(VERBOSE2, "Making mount read only: %s\n", mount_point); +- if ( mount(NULL, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY|MS_NODEV, NULL) < 0 ) { ++ if ( mount(NULL, mount_point, NULL, opts|MS_REMOUNT|MS_RDONLY, NULL) < 0 ) { + singularity_message(ERROR, "Could not bind read only %s: %s\n", mount_point, strerror(errno)); + ABORT(255); + } +--- a/src/lib/rootfs/image/image.c ++++ b/src/lib/rootfs/image/image.c +@@ -100,6 +100,7 @@ int rootfs_image_init(char *source, char + + + int rootfs_image_mount(void) { ++ int opts = MS_NOSUID; + + if ( mount_point == NULL ) { + singularity_message(ERROR, "Called image_mount but image_init() hasn't been called\n"); +@@ -122,12 +123,15 @@ int rootfs_image_mount(void) { + ABORT(255); + } + ++ if ( getuid() != 0 ) { ++ opts |= MS_NODEV; ++ } + + if ( 
read_write > 0 ) { + singularity_message(VERBOSE, "Mounting image in read/write\n"); + singularity_priv_escalate(); +- if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_NODEV, "errors=remount-ro") < 0 ) { +- if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_NODEV, "errors=remount-ro") < 0 ) { ++ if ( mount(loop_dev, mount_point, "ext3", opts, "errors=remount-ro") < 0 ) { ++ if ( mount(loop_dev, mount_point, "ext4", opts, "errors=remount-ro") < 0 ) { + singularity_message(ERROR, "Failed to mount image in (read/write): %s\n", strerror(errno)); + ABORT(255); + } +@@ -136,8 +140,8 @@ int rootfs_image_mount(void) { + } else { + singularity_priv_escalate(); + singularity_message(VERBOSE, "Mounting image in read/only\n"); +- if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) { +- if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) { ++ if ( mount(loop_dev, mount_point, "ext3", opts|MS_RDONLY, "errors=remount-ro") < 0 ) { ++ if ( mount(loop_dev, mount_point, "ext4", opts|MS_RDONLY, "errors=remount-ro") < 0 ) { + singularity_message(ERROR, "Failed to mount image in (read only): %s\n", strerror(errno)); + ABORT(255); + } diff -Nru singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff --- singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff 1969-12-31 19:00:00.000000000 -0500 +++ singularity-container-2.2/debian/patches/changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff 2017-02-09 16:27:55.000000000 -0500 
@@ -0,0 +1,67 @@ +commit f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d +Author: Gregory M. Kurtzer <gmkurt...@lbl.gov> +Date: Thu Feb 2 22:37:50 2017 +0000 + + Utilize mount option MS_NODEV for images + +diff --git a/src/lib/rootfs/dir/dir.c b/src/lib/rootfs/dir/dir.c +index c6ba1a8c..75fa6468 100644 +--- a/src/lib/rootfs/dir/dir.c ++++ b/src/lib/rootfs/dir/dir.c +@@ -78,7 +78,7 @@ int rootfs_dir_mount(void) { + + singularity_priv_escalate(); + singularity_message(DEBUG, "Mounting container directory %s->%s\n", source_dir, mount_point); +- if ( mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) < 0 ) { ++ if ( mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_NODEV, NULL) < 0 ) { + singularity_message(ERROR, "Could not mount container directory %s->%s: %s\n", source_dir, mount_point, strerror(errno)); + return 1; + } +@@ -88,7 +88,7 @@ int rootfs_dir_mount(void) { + if ( singularity_ns_user_enabled() <= 0 ) { + singularity_priv_escalate(); + singularity_message(VERBOSE2, "Making mount read only: %s\n", mount_point); +- if ( mount(NULL, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY, NULL) < 0 ) { ++ if ( mount(NULL, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY|MS_NODEV, NULL) < 0 ) { + singularity_message(ERROR, "Could not bind read only %s: %s\n", mount_point, strerror(errno)); + ABORT(255); + } +diff --git a/src/lib/rootfs/image/image.c b/src/lib/rootfs/image/image.c +index 0db44999..8f3261fd 100644 +--- a/src/lib/rootfs/image/image.c ++++ b/src/lib/rootfs/image/image.c +@@ -126,8 +126,8 @@ int rootfs_image_mount(void) { + if ( read_write > 0 ) { + singularity_message(VERBOSE, "Mounting image in read/write\n"); + singularity_priv_escalate(); +- if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID, "errors=remount-ro") < 0 ) { +- if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID, "errors=remount-ro") < 0 ) { ++ if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_NODEV, "errors=remount-ro") < 0 ) 
{ ++ if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_NODEV, "errors=remount-ro") < 0 ) { + singularity_message(ERROR, "Failed to mount image in (read/write): %s\n", strerror(errno)); + ABORT(255); + } +@@ -136,8 +136,8 @@ int rootfs_image_mount(void) { + } else { + singularity_priv_escalate(); + singularity_message(VERBOSE, "Mounting image in read/only\n"); +- if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) { +- if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) { ++ if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) { ++ if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) { + singularity_message(ERROR, "Failed to mount image in (read only): %s\n", strerror(errno)); + ABORT(255); + } +diff --git a/src/lib/rootfs/squashfs/squashfs.c b/src/lib/rootfs/squashfs/squashfs.c +index df71f4c2..82f2dfc5 100644 +--- a/src/lib/rootfs/squashfs/squashfs.c ++++ b/src/lib/rootfs/squashfs/squashfs.c +@@ -104,7 +104,7 @@ int rootfs_squashfs_mount(void) { + + singularity_priv_escalate(); + singularity_message(VERBOSE, "Mounting squashfs image\n"); +- if ( mount(loop_dev, mount_point, "squashfs", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) { ++ if ( mount(loop_dev, mount_point, "squashfs", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) { + singularity_message(ERROR, "Failed to mount squashfs image in (read only): %s\n", strerror(errno)); + ABORT(255); + } diff -Nru singularity-container-2.2/debian/patches/series singularity-container-2.2/debian/patches/series --- singularity-container-2.2/debian/patches/series 2016-11-30 12:33:01.000000000 -0500 +++ singularity-container-2.2/debian/patches/series 2017-02-09 16:27:55.000000000 -0500 
@@ -2,3 +2,10 @@ 0001-BF-do-not-make-python-modules-not-intended-to-be-exe.patch 0002-ENH-removed-python-shebangs-from-non-script-python-m.patch 0001-BF-bash_completion.d-script-has-bashisms-so-use-bash.patch +changeset_b859cd8b4b9293f2a8a893ef41c5d93a5318dd6c.diff +changeset_f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d.diff +changeset_d835fa1d20efc4aaacca4be68431d193d6625bd8.diff +changeset_3a2b6537f0b1386336e29d7f763ae62374a7cb77.diff +changeset_acc02b921192e7e16afe1513d5338904f8e6f907.diff +changeset_0935d68145ce575444b7ced43417cc6fccffd670.diff +changeset_0d04edaeb5cb3607ab25588f4db177c0878adcc0.diff
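Review bot: the debian/changelog entry for changeset_f79e853d says only "fixes potential security implications" and gives no pointer to the upstream advisory; add the 2.2.1 release URL quoted in the unblock request (https://github.com/singularityware/singularity/releases/tag/2.2.1) to that bullet so the security fix is traceable from the package metadata alone, and say which changeset the urgency=high is for.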
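Review bot: in the examples/debian.def and examples/ubuntu.def hunks of changeset_0935d681, `apt-get -y --force-yes install vim` is a dangerous workaround rather than a fix: --force-yes makes apt continue past checks it would otherwise refuse, including installing packages that fail signature verification, and it is deprecated in favour of the narrower --allow-* options. If the bootstrap fails because the archive keyring is not trusted inside the fresh root, fixing that trust (or using --allow-unauthenticated only where unavoidable) is preferable to shipping --force-yes in the reference examples that users copy.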
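Review bot: the errno comparison in the src/lib/file/group/group.c hunk of changeset_0d04edae (now also accepting ENOENT) is only meaningful if errno was set to 0 before the group lookup, since a successful getgrgid()/getgrgid_r() leaves errno untouched; the context shown does not include that reset, so confirm it is there. Separately, the context lines log `grent->gr_name` but write `gr->gr_name`/`gr->gr_gid` into the template group file; if those are two different structures that should be checked, and if they alias, using one name would be clearer.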
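Review bot: in the src/lib/message.c hunk of changeset_3a2b6537 the `%-62s` width in `snprintf(header_string, 95, "%-7s %-62s: ", prefix, tmp_header_string)` no longer matches the buffer arithmetic: tmp_header_string can now be up to 85 characters, so the header can reach 7+1+85+2 = 95 characters plus the NUL, and snprintf will silently drop the last character (bounded, so not an overflow, but the sizing intent is lost). Either declare header_string[96] or keep tmp_header_string within 62. The explicit `buf[N-1] = '\0'` stores after each snprintf are redundant, since snprintf always terminates when size is non-zero, and the non-debug branch passes 10 as the size for a 95-byte buffer. The unchanged context `fprintf(stderr, "%s", strjoin(header_string, message));` also leaks the strjoin() allocation on every message.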
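Review bot: in the src/lib/sessiondir.c hunks of changeset_3a2b6537 the two patched branches now detect truncation, but the third branch (`"/tmp/.singularity-session-%d.%d.%lu"`) still calls snprintf unchecked with `sizeof(char) * PATH_MAX`; its inputs are numeric so it cannot exceed PATH_MAX, but for consistency it should get the same check and the same size expression. Also, snprintf returns int while the patched comparisons are against PATH_MAX / overlay_options_len / ret_pathlen; where those are size_t, a negative (encoding error) return converts to a huge value and still trips the ABORT, which is safe, but an explicit `n < 0 ||` clause states the intent and avoids -Wsign-compare noise.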
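Review bot: in the src/util/util.c strjoin() hunk of changeset_3a2b6537, `int len = strlength(str1, 2048) + strlength(str2, 2048) + 1` caps each input at 2048 before sizing the buffer, so with the new `>= len` check any call whose real combined length exceeds the cap now ABORT()s where it previously truncated. Since strjoin() is what _singularity_message() uses to print every log line, an over-long message (one embedding a long path, for instance) becomes a process abort in the logging path; either size from the actual lengths, as the joinpath() hunk now does, or truncate deliberately instead of aborting for log output. The joinpath() hunk itself is correct and fixes the old mismatch between `strlength(path2, PATH_MAX)` used for malloc and `strlen(path2)` used for snprintf.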
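Review bot: the examples/busybox.def hunk of changeset_acc02b92 pins MirrorURL to a specific 1.26.2 binary, which is an improvement on the unversioned path, but the definition still fetches an executable with no integrity check beyond the TLS connection; if the busybox bootstrap supports it, add an expected hash so a replaced or modified binary is rejected rather than run as the container's init.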
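Review bot: in the src/lib/rootfs/image/image.c hunks of changeset_b859cd8b the ext4 attempt runs only after the ext3 mount failed, but the error message reports strerror(errno) from the ext4 attempt, so the reason the ext3 mount failed (often the more informative one, e.g. a bad loop device) is lost; log the first errno at VERBOSE before retrying. Note also that at this point in the series the fallback mounts carry only MS_NOSUID; the MS_NODEV bit arrives with changeset_f79e853d, so the order in debian/patches/series (b859cd8b before f79e853d) is load-bearing and worth a comment there.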
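Review bot: the `getuid() != 0` test added by changeset_d835fa1d in rootfs_dir_mount() and rootfs_image_mount() keys on the real uid, which is the right choice for a setuid-root binary (an unprivileged invoker keeps MS_NODEV; only a genuinely root invoker, i.e. bootstrap under sudo, drops it). One inconsistency: src/lib/rootfs/squashfs/squashfs.c, which received MS_NODEV in changeset_f79e853d, is not touched here, so root-run squashfs containers stay nodev while directory and ext images do not; either apply the same conditional there or document why squashfs is exempt.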
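Review bot: in the src/lib/rootfs/dir/dir.c hunks of changeset_f79e853d, adding MS_NODEV to the first call `mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_NODEV, NULL)` has no effect: for a bind mount the kernel ignores the per-mount flags other than MS_REC and the new mount inherits the source mount's flags (mount(2)). The bit only takes effect in the second call, `MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY|MS_NODEV`, and the context shows that call runs only when `singularity_ns_user_enabled() <= 0`, so a directory-based container started with user namespaces does not get nodev from this patch (mknod is refused inside a user namespace anyway, so the practical exposure is a device node already present in the directory on a filesystem not itself mounted nodev, but the code should not rely on that). Apply the MS_REMOUNT|MS_BIND step with MS_NODEV regardless of the user-namespace branch. The loop-device mounts in image.c and squashfs.c are real filesystem mounts, so MS_NODEV applies there as intended.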
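The truncation check that changeset_3a2b6537 wraps around snprintf() in joinpath() and strjoin(), as an added stand-alone example (this is not Singularity's code): a bounded path join that reports an over-long result instead of silently cutting it off, plus a heap variant sized from the inputs the way joinpath() is. The names join_path_checked and join_path_alloc, the use of plain strlen() where Singularity uses its capped strlength(), and the ENAMETOOLONG errno are this example's own choices.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not code from the singularity source.
 *
 * snprintf() never writes past dstlen bytes, but it returns the length the
 * full string *would* have had. A return value >= dstlen therefore means
 * the output was silently cut off; a negative value is an encoding error.
 * Both are reported to the caller instead of being ignored, which is what
 * the 3a2b6537 patch does with ABORT(255) in joinpath()/strjoin().
 *
 * Returns 0 on success, -1 on failure (errno set).
 */
int join_path_checked(char *dst, size_t dstlen, const char *dir, const char *name)
{
    int n = snprintf(dst, dstlen, "%s/%s", dir, name);
    if (n < 0) {
        return -1;                 /* encoding error; errno set by snprintf */
    }
    if ((size_t)n >= dstlen) {     /* cast first: avoid int vs size_t surprises */
        errno = ENAMETOOLONG;      /* result did not fit, dst holds a prefix */
        return -1;
    }
    return 0;
}

/*
 * Heap variant mirroring joinpath(): size the buffer from the inputs, then
 * still check the snprintf() result. The check cannot fail when the size is
 * computed correctly, which is exactly why it is cheap insurance against a
 * later edit getting the arithmetic wrong (the pre-patch joinpath() used
 * strlength(path2, PATH_MAX) for malloc but strlen(path2) for snprintf).
 * Uses plain strlen() here (assumption: inputs are NUL-terminated).
 * Returns NULL on failure; the caller frees the result.
 */
char *join_path_alloc(const char *dir, const char *name)
{
    size_t need = strlen(dir) + 1 + strlen(name) + 1;  /* dir '/' name NUL */
    char *ret = malloc(need);
    if (ret == NULL) {
        return NULL;
    }
    if (join_path_checked(ret, need, dir, name) != 0) {
        free(ret);
        return NULL;
    }
    return ret;
}

int main(void)
{
    char small[8];

    /* "abc/def" is 7 characters + NUL: fits exactly */
    printf("%d %s\n", join_path_checked(small, sizeof small, "abc", "def"), small);

    /* "abcd/def" needs 9 bytes: rejected with ENAMETOOLONG, small holds a prefix */
    printf("%d %s\n", join_path_checked(small, sizeof small, "abcd", "def"),
           strerror(errno));

    char *p = join_path_alloc("/var/lib/singularity", "session");
    printf("%s\n", p ? p : "(null)");
    free(p);
    return 0;
}
```

The point of the `(size_t)n >= dstlen` form is that it is the one condition under which snprintf() has already discarded data; an equal value means the NUL itself did not fit, so `>` would be off by one.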