VYPR
Get started
← All advisories
Medium severity4.5OSV Advisory· Published Dec 2, 2025· Updated Apr 15, 2026

CVE-2025-64750

CVE-2025-64750

Description

SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the user to run a malicious container image that redirects the mount of /proc to the destination of a shared mount, either known to be configured on the target system, or that will be specified by the user when running the container. The attacker must also control the content of the shared mount, for example through another malicious container which also binds it, or as a user with relevant permissions on the host system it is bound from. This vulnerability is fixed in SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/sylabs/singularity/v4Go
>= 4.2.0-rc.1, < 4.3.54.3.5
github.com/sylabs/singularity/v4Go
< 4.1.114.1.11

Affected products

1

Patches

2
27882963879a

fix: fail if --security options can't be applied

https://github.com/sylabs/singularityDavid TrudgianNov 13, 2025via ghsa
commit
2 files changed · +27 25
  • internal/pkg/security/security.go+4 4 modified
    @@ -1,4 +1,4 @@
-// Copyright (c) 2018-2020, Sylabs Inc. All rights reserved.
+// Copyright (c) 2018-2025, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
 // LICENSE.md file distributed with the sources of this project regarding your
 // rights to use or distribute this software.
@@ -28,15 +28,15 @@ func Configure(config *specs.Spec) error {
 					return err
 				}
 			} else {
-				sylog.Warningf("selinux is not enabled or supported on this system")
+				return fmt.Errorf("selinux requested, but is not enabled or supported on this system")
 			}
 		} else if config.Process.ApparmorProfile != "" {
 			if apparmor.Enabled() {
 				if err := apparmor.LoadProfile(config.Process.ApparmorProfile); err != nil {
 					return err
 				}
 			} else {
-				sylog.Warningf("apparmor is not enabled or supported on this system")
+				return fmt.Errorf("apparmor requested, but is not enabled or supported on this system")
 			}
 		}
 	}
@@ -46,7 +46,7 @@ func Configure(config *specs.Spec) error {
 				return err
 			}
 		} else {
-			sylog.Warningf("seccomp requested but not enabled, seccomp library is missing or too old")
+			return fmt.Errorf("seccomp requested but not enabled, seccomp library is missing or too old")
 		}
 	}
 	return nil
  • internal/pkg/security/security_test.go+23 21 modified
    @@ -1,20 +1,18 @@
-// Copyright (c) 2019, Sylabs Inc. All rights reserved.
+// Copyright (c) 2019-2025, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
 // LICENSE.md file distributed with the sources of this project regarding your
 // rights to use or distribute this software.
 
 package security
 
 import (
-	"os"
 	"runtime"
 	"testing"
 
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sylabs/singularity/v4/internal/pkg/security/apparmor"
 	"github.com/sylabs/singularity/v4/internal/pkg/security/selinux"
 	"github.com/sylabs/singularity/v4/internal/pkg/test"
-	"github.com/sylabs/singularity/v4/internal/pkg/util/mainthread"
 )
 
 func TestGetParam(t *testing.T) {
@@ -89,6 +87,16 @@ func TestConfigure(t *testing.T) {
 			},
 			disabled: !selinux.Enabled(),
 		},
+		{
+			desc: "SELinux when not available",
+			spec: specs.Spec{
+				Process: &specs.Process{
+					SelinuxLabel: "unconfined_u:unconfined_r:unconfined_t:s0",
+				},
+			},
+			expectFailure: true,
+			disabled:      selinux.Enabled(),
+		},
 		{
 			desc: "with bad apparmor profile",
 			spec: specs.Spec{
@@ -108,6 +116,15 @@ func TestConfigure(t *testing.T) {
 			},
 			disabled: !apparmor.Enabled(),
 		},
+		{
+			desc: "apparmor when not available",
+			spec: specs.Spec{
+				Process: &specs.Process{
+					ApparmorProfile: "unconfined",
+				},
+			},
+			disabled: apparmor.Enabled(),
+		},
 	}
 
 	for _, s := range specs {
@@ -118,9 +135,9 @@ func TestConfigure(t *testing.T) {
 
 			var err error
 
-			mainthread.Execute(func() {
-				err = Configure(&s.spec)
-			})
+			runtime.LockOSThread()
+			defer runtime.UnlockOSThread()
+			err = Configure(&s.spec)
 
 			if err != nil && !s.expectFailure {
 				t.Errorf("unexpected failure %s: %s", s.desc, err)
@@ -130,18 +147,3 @@ func TestConfigure(t *testing.T) {
 		})
 	}
 }
-
-func init() {
-	runtime.LockOSThread()
-}
-
-func TestMain(m *testing.M) {
-	go func() {
-		os.Exit(m.Run())
-	}()
-
-	// run functions requiring execution in main thread
-	for f := range mainthread.FuncChannel {
-		f()
-	}
-}
5af3e790c405

fix: use pathrs-lite/procfs when writing apparmor profile

https://github.com/sylabs/singularityDavid TrudgianNov 13, 2025via ghsa
commit
1 file changed · +22 2
  • internal/pkg/security/apparmor/apparmor_supported.go+22 2 modified
    @@ -1,4 +1,4 @@
-// Copyright (c) 2018-2022, Sylabs Inc. All rights reserved.
+// Copyright (c) 2018-2025, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the
 // LICENSE.md file distributed with the sources of this project regarding your
 // rights to use or distribute this software.
@@ -10,6 +10,10 @@ package apparmor
 import (
 	"fmt"
 	"os"
+
+	"github.com/cyphar/filepath-securejoin/pathrs-lite"
+	"github.com/cyphar/filepath-securejoin/pathrs-lite/procfs"
+	"golang.org/x/sys/unix"
 )
 
 // Enabled returns whether AppArmor is enabled.
@@ -23,7 +27,23 @@ func Enabled() bool {
 
 // LoadProfile loads the specified AppArmor profile.
 func LoadProfile(profile string) error {
-	f, err := os.OpenFile("/proc/self/attr/exec", os.O_WRONLY, 0)
+	// We must make sure we are actually opening and writing to a real attr/exec
+	// in a real procfs so that the profile takes effect. Using
+	// pathrs-lite/procfs as below accomplishes this.
+	proc, err := procfs.OpenProcRoot()
+	if err != nil {
+		return err
+	}
+	defer proc.Close()
+
+	attrExec, closer, err := proc.OpenThreadSelf("attr/exec")
+	if err != nil {
+		return err
+	}
+	defer closer()
+	defer attrExec.Close()
+
+	f, err := pathrs.Reopen(attrExec, unix.O_WRONLY|unix.O_CLOEXEC)
 	if err != nil {
 		return err
 	}

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.