On 11 January 2017 at 07:21, Moritz Muehlenhoff <j...@debian.org> wrote:
> Please see:

I've been working on backporting this patch to 0.1.1, and I think the
CVE actually doesn't apply to 0.1.1 (the version currently in
sid/stretch). The file descriptor being closed in this patch isn't
being opened at all in 0.1.1 ("stateDirFD" doesn't exist yet).
https://github.com/opencontainers/runc/pull/886 is the upstream PR
which introduced this file descriptor, and it was not included in a
release until 1.0.0-rc2.

As a consequence, I think this bug should be closed (and probably the
security tracker updated to reflect the fact that this CVE doesn't
apply to our older version of runc).
4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4