Singularity 3.7.3 was released in April and is available in Fedora and EPEL repositories.
It fixes a security bug in umoci (CVE-2021-29136), a dependency used by Singularity to extract docker/OCI image layers. When running as root, umoci can be tricked into modifying host files by a malicious layer containing a symlink with the name "." (or "/"). This vulnerability affects singularity build or singularity pull as root from a docker or OCI source, as well as the implicit build to SIF that occurs when root runs run/exec/shell against a malicious docker/OCI image URI.
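The following Go program is an added example, not code from Singularity or umoci, showing the kind of pre-extraction check that stops the layer described above: every member name is normalised relative to the extraction root, and the one name that resolves to the root itself ("." or "/") is only accepted when it describes a directory, because a symlink there would replace the rootfs directory and redirect every later write. The Entry type, the CheckEntry and CheckLayer functions and the SampleLayer listing are all constructed for this example; a real extractor must additionally resolve already-written symlinks on disk (for example with a secure-join helper) before creating each file.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// Entry is a minimal stand-in for a tar header in an OCI layer (constructed
// for this example, not umoci's own types): the member name, whether it is a
// directory or a symlink, and the link target for symlinks.
type Entry struct {
	Name    string
	Dir     bool
	Symlink bool
	Target  string
}

var ErrUnsafe = errors.New("unsafe layer entry")

// CheckEntry returns the on-disk path an entry would be written to under
// root, or an error if writing it could escape the rootfs. Names are cleaned
// against "/" first, so "..", "./" and "/" prefixes all collapse into a path
// inside the rootfs; the one name that needs special care is the root itself.
func CheckEntry(root string, e Entry) (string, error) {
	root = filepath.Clean(root)
	clean := path.Clean("/" + e.Name) // ".", "/", "./" and "" all become "/"
	dest := filepath.Join(root, filepath.FromSlash(clean))

	if clean == "/" {
		// Only a directory may describe the root. A symlink (or regular file)
		// here would replace the rootfs directory itself, and every later
		// member of the layer would then be written through that link.
		if !e.Dir {
			return "", fmt.Errorf("%w: %q would replace the extraction root", ErrUnsafe, e.Name)
		}
		return dest, nil
	}
	// Belt-and-braces: after Clean this cannot fail, but it guards against
	// any future change to how names are normalised above.
	if !strings.HasPrefix(dest, root+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves outside %s", ErrUnsafe, e.Name, root)
	}
	return dest, nil
}

// CheckLayer runs CheckEntry over a whole layer in order and reports which
// members would be written and which are refused.
func CheckLayer(root string, layer []Entry) (accepted []string, rejected []error) {
	for _, e := range layer {
		dest, err := CheckEntry(root, e)
		if err != nil {
			rejected = append(rejected, err)
			continue
		}
		accepted = append(accepted, dest)
	}
	return accepted, rejected
}

// SampleLayer is a constructed layer listing: three ordinary members and one
// symlink named "." whose target is the host root.
var SampleLayer = []Entry{
	{Name: "./", Dir: true},
	{Name: "./etc/", Dir: true},
	{Name: "./etc/passwd"},
	{Name: ".", Symlink: true, Target: "/"},
}

func main() {
	accepted, rejected := CheckLayer("/tmp/rootfs", SampleLayer)
	for _, p := range accepted {
		fmt.Println("write  ", p)
	}
	for _, err := range rejected {
		fmt.Println("refuse ", err)
	}
}
```

Run it with go run and the three ordinary members are mapped to paths under /tmp/rootfs while the symlink named "." is refused; the same check rejects the "/" spelling, since both clean to the root.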
We recommend that sites upgrade to this version.