PT-2020-13727 · Sylabs · Sylabs Singularity

Trudg · Published 2020-07-14 · Updated 2024-06-15 · CVE-2020-13846

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Sylabs Singularity versions 3.5.0 through 3.5.3
Description: When the --all / -a option is used with singularity verify, the command reports success even if some objects in the SIF container are unsigned or cannot be verified. The unverified objects are mentioned only in WARNING log messages, while the command still exits with code 0 and prints a "Container verified" message. Workflows that gate on the exit code can therefore run SIF containers containing unsigned or modified objects, which may introduce malicious behaviour.
Recommendations: For Sylabs Singularity versions 3.5.0 through 3.5.3, upgrade to version 3.6.0, which resolves the issue. Note that version 3.6.0 uses a new signature format that is incompatible with earlier versions, so existing containers must be re-signed. If upgrading to 3.6.0 is not possible, do not treat the return code of singularity verify --all / -a as an indicator of trust in a container; inspect the command output for WARNING messages about unsigned or unverifiable objects instead. Additionally, be aware that other issues in the sign/verify implementation in Singularity versions prior to 3.6.0 may allow malicious behaviour to be introduced into a signed container.
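The following wrapper is an added example, not code from the advisory or from the Singularity project. It implements the interim recommendation for 3.5.x: instead of trusting the exit code of singularity verify --all, it captures the command's output (stderr merged into stdout) and refuses the container if any WARNING line is present or if the success line is missing. The exact wording of the success line ("Container verified") and of the warning messages in the constructed sample outputs are assumptions; the check deliberately matches any line beginning with "WARNING:" so it does not depend on the precise message text.

```shell
#!/bin/sh
# Added example (CVE-2020-13846 workaround for Singularity 3.5.0-3.5.3):
# do not trust the exit status of `singularity verify --all`; fail if the
# output contains any WARNING line or lacks the success message.

# verify_output_is_clean OUTPUT
# Returns 0 only if OUTPUT has no line starting with "WARNING:" and does
# contain the success line. Assumption: sylog prefixes warnings with
# "WARNING:" and no colour codes are emitted when stderr is not a tty.
verify_output_is_clean() {
    out="$1"
    if printf '%s\n' "$out" | grep -q '^WARNING:'; then
        return 1
    fi
    # Assumption: the success line reads "Container verified: <path>".
    printf '%s\n' "$out" | grep -qi 'Container verified'
}

# verify_sif_strict IMAGE.sif
# Runs the real verify command, then applies the stricter output check.
verify_sif_strict() {
    sif="$1"
    rc=0
    out=$(singularity verify --all "$sif" 2>&1) || rc=$?
    if [ "$rc" -ne 0 ]; then
        printf '%s\n' "$out" >&2
        return "$rc"
    fi
    if ! verify_output_is_clean "$out"; then
        printf 'refusing %s: verify reported warnings or no success line\n' "$sif" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
    return 0
}

# Constructed sample outputs (not captured from a real run) for testing
# the check without a Singularity installation.
SAMPLE_CLEAN='INFO:    Container is signed by 1 key(s):
INFO:    Verifying partition: FS
Container verified: example.sif'

SAMPLE_UNSIGNED='INFO:    Verifying partition: FS
WARNING: Data object 3 is not signed
Container verified: example.sif'

# Stand-alone usage: ./verify_strict.sh image.sif
if [ -n "${1-}" ]; then
    verify_sif_strict "$1"
fi
```

Run it on 3.5.x only as a stopgap; once the container registry and consumers are on 3.6.0 or later, where the exit code reflects unverified objects, drop the wrapper and re-sign images in the new signature format.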


Related Identifiers

CVE-2020-13846
GHSA-6W7G-P4JH-RF92
OPENSUSE-SU-2020:1011-1
OPENSUSE-SU-2020:1037-1
OPENSUSE-SU-2020:1100-1
OPENSUSE-SU-2024:11384-1

Affected Products

SUSE
Sylabs Singularity