[Beowulf] Heads up - Stack-Clash local root vulnerability
kilian.cavalotti.work at gmail.com
Wed Jun 21 17:36:58 PDT 2017
On Wed, Jun 21, 2017 at 5:09 PM, Christopher Samuel
<samuel at unimelb.edu.au> wrote:
> So yes, you are quite right, this (currently) doesn't seem like
> something you need to worry about with users' own codes being copied onto
> the system or containers utilised through Shifter and Singularity which
> exist to disarm Docker containers.
> Phew, thanks so much for pointing that out! :-)

Well well well, I don't want to rain on the parade, and that's
entirely true for the most part but two key things to keep in mind:

1. Things like libffi have also been patched to address this
vulnerability, so it looks like this may be a little more complex than
just updating or preventing access to SUID root binaries.

2. Singularity heavily relies on SUID root binaries to manipulate
images. That's actually the one user-facing application that I'm
the most worried about right now.