GHSA-cr2j-534f-mf3g
Apptainer has incorrect path matching for 'limit container paths' directive
Details
### Impact
The `limit container paths directive` in `apptainer.conf` is intended to allow a system administrator limit the paths from which containers can be run, under setuid mode. Due to incorrect matching of a path string, sibling directories with similar names may incorrectly be allowed.
For example, the configuration: ``` limit container paths = /data/safe ``` Will also allow containers in /data/safe-but-unsafe to be run.
### Patches
The issue is patched in apptainer version 1.5.1.
### Workarounds
If developers do not use setuid mode or do not use the `limit container paths` functionality, then this issue does not affect their installation. Note that, as documented [1], if user namespaces are allowed for unrestricted use then this functionality does not stop users from running any container of their choice.
If developers do use the `limit container paths` functionality they are advised to update.
### Credit
This vulnerability was discovered and disclosed to the Apptainer project by Dave Trudgian of Sylabs.
### Resources
[1] https://apptainer.org/docs/admin/latest/configfiles.html#limiting-container-execution
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 1.5.1 go get github.com/apptainer/apptainer@v1.5.1