PT-2020-15903 · Sylabs · Sylabs Singularity
Published
2020-09-16
·
Updated
2024-06-15
·
CVE-2020-25039
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Sylabs Singularity versions 3.2.0 through 3.6.2
Description
The issue concerns insecure permissions on the temporary directories used for fakeroot and user-namespace container execution. When a Singularity action command (run, shell, exec) is invoked with the fakeroot or user namespace option, Singularity extracts the container image into a temporary sandbox directory under TMPDIR. Because that directory is created with insecure permissions, any local user can traverse into it and read the extracted image contents. If the image also contains a world-writable file or directory, a local user can write into it and thereby inject arbitrary content into the running container.
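The two impacts above (read access to the extracted image, and injection through a world-writable entry) follow directly from the mode bits of the sandbox root. The following Go program, an added example rather than Sylabs' own code, models both the weak and the hardened way of creating that sandbox and implements the audit a practitioner can point at a live TMPDIR while a fakeroot container is running. The directory layout, the planted file `tmp/hook.sh`, and the function names `insecureSandboxDir`, `secureSandboxDir`, `addWorldWritable` and `AuditSandbox` are this example's own assumptions, not Singularity internals.

```go
// Added example, not Sylabs code: models the temp-sandbox permission problem
// from the advisory and the check a practitioner would run against TMPDIR.
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// AuditResult captures what another local user could do with the sandbox.
type AuditResult struct {
	RootMode      fs.FileMode // permission bits of the sandbox root
	RootReachable bool        // "other" has the execute bit on the root, so can traverse into it
	WorldWritable []string    // entries below the root carrying the "other" write bit
}

// Readable reports whether the extracted image can be read by any local user.
// Container root filesystems are mostly 0644 files, so a traversable root is enough.
func (r AuditResult) Readable() bool { return r.RootReachable }

// Injectable reports whether a local user can plant content the running container
// will see: a reachable root plus at least one world-writable file or directory.
func (r AuditResult) Injectable() bool { return r.RootReachable && len(r.WorldWritable) > 0 }

// insecureSandboxDir models the pre-3.6.3 state: a predictable directory whose
// "other" bits let anyone traverse into it. Chmod ignores umask, keeping the
// example deterministic (hypothetical layout, not Singularity's own).
func insecureSandboxDir(parent, name string) (string, error) {
	dir := filepath.Join(parent, name)
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return "", err
	}
	return dir, os.Chmod(dir, 0o755)
}

// secureSandboxDir is the hardened pattern: an unpredictable name under parent,
// created with mode 0700 by os.MkdirTemp regardless of umask.
func secureSandboxDir(parent string) (string, error) {
	return os.MkdirTemp(parent, "rootfs-")
}

// addWorldWritable plants a file with the "other" write bit below root, the kind
// of file the advisory says permits injection into the running container.
func addWorldWritable(root, rel string) error {
	p := filepath.Join(root, rel)
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return err
	}
	if err := os.WriteFile(p, []byte("#!/bin/sh\n"), 0o666); err != nil {
		return err
	}
	return os.Chmod(p, 0o666) // Chmod is not masked, unlike WriteFile's mode argument
}

// AuditSandbox records the root's mode and walks the tree for world-writable
// entries. Symlinks are skipped because their mode bits carry no meaning on Linux.
func AuditSandbox(root string) (AuditResult, error) {
	var res AuditResult
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info() // Lstat-based, so symlinks are seen as symlinks
		if err != nil {
			return err
		}
		if info.Mode()&fs.ModeSymlink != 0 {
			return nil
		}
		perm := info.Mode().Perm()
		if path == root {
			res.RootMode = perm
			res.RootReachable = perm&0o001 != 0
			return nil
		}
		if perm&0o002 != 0 {
			res.WorldWritable = append(res.WorldWritable, path)
		}
		return nil
	})
	return res, err
}

func main() {
	base, err := os.MkdirTemp("", "audit-demo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	weak, _ := insecureSandboxDir(base, "rootfs")
	hard, _ := secureSandboxDir(base)
	for _, dir := range []string{weak, hard} {
		if err := addWorldWritable(dir, "tmp/hook.sh"); err != nil {
			panic(err)
		}
		r, err := AuditSandbox(dir)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: root %04o readable=%v injectable=%v world-writable=%v\n",
			dir, r.RootMode, r.Readable(), r.Injectable(), r.WorldWritable)
	}
}
```

The world-writable `tmp/hook.sh` exists in both sandboxes, yet only the 0755 root yields `injectable=true`: a 0700 root stops other users at the traversal step, which is exactly why a user-private TMPDIR helps and why the proper fix is to create the sandbox with that mode in the first place.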
Recommendations
For Sylabs Singularity versions 3.2.0 through 3.6.2, upgrade to version 3.6.3 to address the issue.
As a temporary workaround, set TMPDIR to a directory that only the invoking user can access (for example, one created with mode 0700): other users then cannot traverse into the sandbox extracted beneath it. This depends on every user setting TMPDIR for every invocation and does not correct the permissions Singularity itself applies to the sandbox, so it is not a reliable mitigation; upgrading is the fix.
Fix
Incorrect Permission
Exposure of Resource to Wrong Sphere
Related Identifiers
Affected Products
Suse
Sylabs Singularity