On 30 January 2017 at 11:31, Salvatore Bonaccorso <car...@debian.org> wrote:
> Disclaimer: I'm not too deep into that. I just noticed that
> https://bugzilla.novell.com/show_bug.cgi?id=1012568 though seems to
> indicate as well that 0.1.1 based versions are affected. But I cannot tell
> more (at the moment).

Reading more into the vuln itself, I think ignoring the "stateDirFD" bits of the upstream patch is appropriate (and simply adding the "PR_SET_DUMPABLE" bit for "runc exec" as in "libcontainer/nsenter/nsexec.c").

I'm preparing a patch for the package now, but I'm curious what the implications of an upload will be so close to the freeze -- do we need to request a freeze exception or a migration adjustment after the updated package is up? Should I hold off on uploading? (would rather not lose "runc" from stretch)

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4