[pkg-go] Bug#850951: Bug#850951: CVE-2016-9962
Salvatore Bonaccorso
carnil at debian.org
Mon Jan 30 19:31:27 UTC 2017
Hi Tianon,
On Wed, Jan 25, 2017 at 09:15:51PM -0800, Tianon Gravi wrote:
> On 11 January 2017 at 07:21, Moritz Muehlenhoff <jmm at debian.org> wrote:
> > Please see:
> > https://bugzilla.suse.com/show_bug.cgi?id=1012568
> > https://github.com/docker/docker/compare/v1.12.5...v1.12.6
> > https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5
>
> I've been working on backporting this patch to 0.1.1, and I think the
> CVE actually doesn't apply to 0.1.1 (the version currently in
> sid/stretch). The file descriptor being closed in this patch isn't
> being opened at all in 0.1.1 ("stateDirFD" doesn't exist yet).
>
> https://github.com/opencontainers/runc/pull/886 is the upstream PR
> which introduced this file descriptor, and it was not included in a
> release until 1.0.0-rc2.
>
> As a consequence, I think this bug should be closed (and probably the
> security tracker updated to reflect the fact that this CVE doesn't
> apply to our older version of runc).
Disclaimer: I'm not too deep into that. I just noticed that
https://bugzilla.novell.com/show_bug.cgi?id=1012568 though seem to
indicate as well 0.1.1 based version are affected. But I cannot tell
more (at the moment).
Regards,
Salvatore
More information about the Pkg-go-maintainers
mailing list