[Beowulf] Heads up - Stack-Clash local root vulnerability

Kilian Cavalotti kilian.cavalotti.work at gmail.com
Wed Jun 21 17:36:58 PDT 2017


On Wed, Jun 21, 2017 at 5:09 PM, Christopher Samuel
<samuel at unimelb.edu.au> wrote:
> So yes, you are quite right, this (currently) doesn't seem like
> something you need to worry about with users own codes being copied onto
> the system or containers utilised through Shifter and Singularity which
> exist to disarm Docker containers.
>
> Phew, thanks so much for pointing that out! :-)

Well well well, I don't want to rain on the parade, and that's
entirely true for the most part but two key things to keep in mind:

1. Things like libffi [1] have also been patched to address this
vulnerability, so it looks like this may be a little more complex than
just updating or preventing access to SUID root binaries.

2. Singularity heavily relies on SUID root binaries to manipulate
images [2]. That's actually the one user-facing application that I'm
the most worried about right now.

[1]: https://lists.debian.org/debian-security-announce/2017/msg00149.html
[2]: http://singularity.lbl.gov/faq#are-there-any-special-security-concerns-that-singularity-introduces

Cheers,
-- 
Kilian


More information about the Beowulf mailing list