From 64d5847f058dec81a288482665a1d8208f0f4e17 Mon Sep 17 00:00:00 2001 From: George Hartzell Date: Fri, 6 Jul 2018 17:59:17 -0700 Subject: Fix security issue in singularity + misc cleanups (#8657) - Versions before 2.5.2 suffer from a serious security problem (https://nvd.nist.gov/vuln/detail/CVE-2018-12021). Deleted all versions prior to v2.5.2. - Update homepage (looks like singularity's going Freemium). - Use release tarball instead of automagically generated archive tarball (digest values are more stable). - No longer need autotools for released versions, just @devel. - Install needs to be single-threaded, otherwise when installed as root the various 'chmod' operations race against the copies. --- .../repos/builtin/packages/singularity/package.py | 24 ++++++++++++++-------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/var/spack/repos/builtin/packages/singularity/package.py b/var/spack/repos/builtin/packages/singularity/package.py index 87cf8a4649..5951973916 100644 --- a/var/spack/repos/builtin/packages/singularity/package.py +++ b/var/spack/repos/builtin/packages/singularity/package.py @@ -29,15 +29,21 @@ class Singularity(AutotoolsPackage): """Singularity is a container platform focused on supporting 'Mobility of Compute'""" - homepage = "http://singularity.lbl.gov/" - url = "https://github.com/singularityware/singularity/archive/2.4.tar.gz" + homepage = "https://www.sylabs.io/singularity/" + url = "https://github.com/singularityware/singularity/releases/download/2.5.2/singularity-2.5.2.tar.gz" - version('2.4.5', '9afa903ee019448104b4f40be77a46e7') - version('2.4', 'd357ce68ef2f8149edd84155731531465dbe74148c37719f87f168fc39384377') - version('2.3.1', '292ff7fe3db09c854b8accf42f763f62') + # Versions before 2.5.2 suffer from a serious security problem. + # https://nvd.nist.gov/vuln/detail/CVE-2018-12021 + version('2.5.2', '2edc1a8ac9a4d7d26fba6244f1c5fd95') version('develop', git='https://github.com/singularityware/singularity.git', branch='master') - depends_on('m4', type='build') - depends_on('autoconf', type='build') - depends_on('automake', type='build') - depends_on('libtool', type='build') + depends_on('libarchive', when='@2.5.2:') + # these are only needed if we're grabbing the unreleased tree + depends_on('m4', type='build', when='@develop') + depends_on('autoconf', type='build', when='@develop') + depends_on('automake', type='build', when='@develop') + depends_on('libtool', type='build', when='@develop') + + # When installing as root, the copy has to run before chmod runs + def install(self, spec, prefix): + make('install', parallel=False) -- cgit v1.2.3-70-g09d2