Merge pull request #1019 from dtrudg/sif-ghsa-310

deps: bump sif to v2.8.1 and prepare CE 3.10.3 release
sylabs · Oct 6, 2022 · 6373436 · 6373436
2 parents 8b67c65 + 5fadcee
commit 6373436
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,14 @@
 # SingularityCE Changelog
 
-## Changes Since Last Release
+## 3.10.3 \[2022-10-06\]
+
+### Security Related Fixes
+
+- [CVE-2022-39237](https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8):
+  The github.com/sylabs/sif/v2 dependency included in SingularityCE <=3.10.3
+  does not verify that the hash algorithm(s) used are cryptographically secure
+  when verifying digital signatures. This release updates to sif v2.8.1 which
+  corrects this issue. See the linked advisory for references and a workaround.
 
 ### Bug Fixes
 

diff --git a/INSTALL.md b/INSTALL.md
@@ -114,11 +114,11 @@ cd singularity
 By default your clone will be on the `main` branch which is where development
 of SingularityCE happens. To build a specific version of SingularityCE, check
 out a [release tag](https://github.com/sylabs/singularity/tags) before
-compiling. E.g. to build the 3.10.2 release checkout the
-`v3.10.2` tag:
+compiling. E.g. to build the 3.10.3 release checkout the
+`v3.10.3` tag:
 
 ```sh
-git checkout --recurse-submodules v3.10.2
+git checkout --recurse-submodules v3.10.3
 ```
 
 ## Compiling SingularityCE
@@ -169,7 +169,7 @@ build and install the RPM like this:
 <!-- markdownlint-disable MD013 -->
 
 ```sh
-export VERSION=3.10.2  # this is the singularity version, change as you need
+export VERSION=3.10.3  # this is the singularity version, change as you need
 
 # Fetch the source
 wget https://github.com/sylabs/singularity/releases/download/v${VERSION}/singularity-ce-${VERSION}.tar.gz

diff --git a/go.mod b/go.mod
@@ -39,7 +39,7 @@ require (
 	github.com/sylabs/scs-build-client v0.7.5
 	github.com/sylabs/scs-key-client v0.7.2
 	github.com/sylabs/scs-library-client v1.3.3
-	github.com/sylabs/sif/v2 v2.8.0
+	github.com/sylabs/sif/v2 v2.8.1
 	github.com/vbauerster/mpb/v8 v8.1.2
 	golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8
 	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467

diff --git a/go.sum b/go.sum
@@ -906,8 +906,8 @@ github.com/sylabs/scs-key-client v0.7.2 h1:q1ia4gSVD7z3u706N7aIwtk70SayfeAeL8Uo3
 github.com/sylabs/scs-key-client v0.7.2/go.mod h1:cmD4C9QfNLXW4QSXvwoaPZAuwaToIsHuD0AUHNdjDlA=
 github.com/sylabs/scs-library-client v1.3.3 h1:cpzSfewIUBWyzHfPzlxLYrTeqG1Gp+NLAbroVTQAVec=
 github.com/sylabs/scs-library-client v1.3.3/go.mod h1:PBd6LqmOhliHhTfzp3mVrJv3QVQFre8bMr6j2tDnu/c=
-github.com/sylabs/sif/v2 v2.8.0 h1:FIfWA1fYSFynKD1LJwGbWJ2ib8ylT8XwZl9naLlciPE=
-github.com/sylabs/sif/v2 v2.8.0/go.mod h1:LQOdYXC9a8i7BleTKRw9lohi0rTbXkJOeS9u0ebvgyM=
+github.com/sylabs/sif/v2 v2.8.1 h1:whr4Vz12RXfLnYyVGHoD/rD/hbF2g9OW7BJHa+WIqW8=
+github.com/sylabs/sif/v2 v2.8.1/go.mod h1:LQOdYXC9a8i7BleTKRw9lohi0rTbXkJOeS9u0ebvgyM=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=