EGI SVG Advisories


Title:   EGI SVG 'ADVISORY' [TLP:WHITE] Singularity - file overwrite
         vulnerability [EGI-SVG-CVE-2020-15229]

Date:    2020-10-20

Affected software and risk

Package : Singularity
CVE ID  : CVE-2020-15229

A path traversal and file overwrite vulnerability with "unsquashfs" has been
announced, see [R 1].
This may allow files to be overwritten in various scenarios, but it is not
clear how likely it is for the vulnerability to be exploitable in our

Actions required/recommended

Sites and users with their own Singularity installations are advised to update
Singularity as soon as it is convenient.

If anyone becomes aware of any situation where this vulnerability may have a
significant impact on the EGI infrastructure, then please inform EGI SVG.

Component installation information

See [R 1]


No mitigating action has been identified, sites and users are advised to update
in due course.

Affected software details

Singularity versions 3.1.1 - 3.6.3 are affected

This issue is fixed in version 3.6.4

More information

Sites are reminded that they are recommended to enable unprivileged user
namespaces on their worker nodes [R 2]

If it is found that this vulnerability looks exploitable in the EGI
environment, then the EGI SVG will re-examine the issue and assess the risk. It
is possible then that sites may be asked to update urgently.

Users who build their own containers should be careful what they include
especially what they include from the web and avoid doing things as 'root' as
much as possible.


** WHITE information - Unlimited distribution
 - see for distribution restrictions **


Minor updates may be made without re-distribution to the sites


Comments or questions should be sent to svg-rat  at

If you find or become aware of another vulnerability which is relevant to EGI
you may report it by e-mail to

report-vulnerability at

the EGI Software Vulnerability Group will take a look according to the
procedure defined in [R 3]

Note that this is undergoing revision to fully handle vulnerabilities in the
EOSC-hub era.


[R 1]

[R 2]

[R 3]


SVG was alerted to this vulnerability by Dave Dykstra


Yyyy-mm-dd  [EGI-SVG-2020-CVE-2020-15229]

2020-10-13 SVG alerted to this issue by Dave Dykstra - after issue fixed by the
2020-10-13 Acknowledgement from the EGI SVG to the reporter
2020-10--- Discussion of issue and on what action to take
2020-10-20 Advisory sent to sites and additionally VO Security Contacts


This advisory has been prepared as part of the effort to fulfil EGI SVG's
purpose "To minimize the risk to the EGI infrastructure arising from software

The risk is that assessed by the group, according to the EGI SVG issue handling
procedure [R 3]  in the context of how the software is used in the EGI
infrastructure. It is the opinion of the group, we do not guarantee it to be
correct. The risk may also be higher or lower in other deployments depending on
how the software is used.

This advisory is subject to the Creative commons license and the EGI
Software Vulnerability Group must be credited.

Note that the SVG issue handling procedure is currently under review, to take
account of the increasing inhomogeneity of the EGI infrastructure and the
services in the EOSC-hub catalogue.

On behalf of the EGI SVG,