On 11 January 2017 at 07:21, Moritz Muehlenhoff <j...@debian.org> wrote:
> Please see:
> https://bugzilla.suse.com/show_bug.cgi?id=1012568
> https://github.com/docker/docker/compare/v1.12.5...v1.12.6
> https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5

I've been working on backporting this patch to 0.1.1, and I think the
CVE actually doesn't apply to 0.1.1 (the version currently in
sid/stretch).  The file descriptor being closed in this patch isn't
being opened at all in 0.1.1 ("stateDirFD" doesn't exist yet).

https://github.com/opencontainers/runc/pull/886 is the upstream PR
which introduced this file descriptor, and it was not included in a
release until 1.0.0-rc2.

As a consequence, I think this bug should be closed (and probably the
security tracker updated to reflect the fact that this CVE doesn't
apply to our older version of runc).

- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4

Pkg-go-maintainers mailing list

Reply via email to