CVE-2021-29499
Description
SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and the function `siftool.New()` produce predictable UUID identifiers because the version of the `github.com/satori/go.uuid` module pulled in as a dependency obtains its random bytes from an insecure source. A patch is available in `github.com/sylabs/sif` version v1.2.3 and later; users are encouraged to upgrade. As a workaround, users who pass a `CreateInfo` struct themselves should ensure its `ID` field is generated with a version of `github.com/satori/go.uuid` that is not affected by this issue (see the go.uuid issue linked under References).
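To make the failure mode concrete, the following Go program is an added example, not code from SIF or from the go.uuid module. It builds RFC 4122 version-4 UUIDs from an arbitrary `io.Reader` and shows why the reader matters: the version and variant bits are fixed, so every bit of unpredictability in the identifier comes from the random source. Two generators backed by `math/rand` with the same seed reproduce the exact same UUIDs, whereas `crypto/rand` does not. The helper names (`SeededSequence`, `SecureSequence`, `SequencesEqual`) and the seed values are assumptions made for the demonstration.

```go
package main

import (
	crand "crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	mrand "math/rand"
)

// UUID is a 16-byte RFC 4122 identifier.
type UUID [16]byte

// NewV4 reads 16 bytes from src and stamps the RFC 4122 version (0100 in the
// high nibble of byte 6) and variant (10xx in the high bits of byte 8).
// Only 122 bits come from src, and the identifier is exactly as unpredictable
// as that reader: a seeded PRNG yields a reproducible sequence, crypto/rand
// does not.
func NewV4(src io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(src, u[:]); err != nil {
		return UUID{}, err
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant
	return u, nil
}

// String renders the canonical 8-4-4-4-12 hexadecimal form.
func (u UUID) String() string {
	h := hex.EncodeToString(u[:])
	return h[:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:]
}

// Version returns the version nibble; 4 for a correctly stamped random UUID.
func (u UUID) Version() int { return int(u[6] >> 4) }

// IsRFC4122Variant reports whether the variant bits are 10xx.
func (u UUID) IsRFC4122Variant() bool { return u[8]&0xc0 == 0x80 }

// SeededSequence models the insecure pattern (assumed for illustration):
// n UUIDs drawn from math/rand with a fixed seed. Anyone who knows or can
// guess the seed recomputes the same identifiers.
func SeededSequence(seed int64, n int) []UUID {
	src := mrand.New(mrand.NewSource(seed))
	out := make([]UUID, 0, n)
	for i := 0; i < n; i++ {
		u, err := NewV4(src) // (*math/rand.Rand).Read never returns an error
		if err != nil {
			panic(err)
		}
		out = append(out, u)
	}
	return out
}

// SecureSequence draws n UUIDs from crypto/rand, the source a v4 UUID needs.
func SecureSequence(n int) ([]UUID, error) {
	out := make([]UUID, 0, n)
	for i := 0; i < n; i++ {
		u, err := NewV4(crand.Reader)
		if err != nil {
			return nil, err
		}
		out = append(out, u)
	}
	return out, nil
}

// SequencesEqual reports whether two UUID slices are byte-for-byte identical.
func SequencesEqual(a, b []UUID) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	// Two "independent" processes that both seed math/rand the same way.
	a := SeededSequence(1, 3)
	b := SeededSequence(1, 3)
	fmt.Println("math/rand, seed 1, run A:", a[0], a[1], a[2])
	fmt.Println("math/rand, seed 1, run B:", b[0], b[1], b[2])
	fmt.Println("identical:", SequencesEqual(a, b))

	c, _ := SecureSequence(1)
	d, _ := SecureSequence(1)
	fmt.Println("crypto/rand:", c[0], "vs", d[0], "identical:", SequencesEqual(c, d))
}
```

Both sequences pass the usual structural checks (version nibble 4, variant bits 10xx), which is why inspecting an identifier tells you nothing about how it was generated; the only reliable check is which module version produced it. For a built `siftool` binary, `go version -m <binary>` prints the module versions compiled in, so you can confirm that the fixed `github.com/sylabs/sif` release and a non-affected `github.com/satori/go.uuid` are actually linked rather than trusting the `go.mod` of the checkout alone.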
Mitigations
No mitigations published for this CVE yet.
OS impact
Debian (5 releases, mixed status)
| Release | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.3.1-2 |
| sid | Fixed | 2.3.1-2 |
| forky | Fixed | 2.3.1-2 |
| bullseye | Affected | - |
| bookworm | Fixed | 2.3.1-2 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/sylabs/sif | <1.2.3 | 1.2.3 |
References
- https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg
- https://nvd.nist.gov/vuln/detail/CVE-2021-29499
- https://github.com/satori/go.uuid/issues/73
- https://github.com/sylabs/sif/commit/193962882122abf85ff5f5bcc86404933e71c07d
- https://github.com/sylabs/sif
- https://security-tracker.debian.org/tracker/CVE-2021-29499