My initial reading into this: neither the version in Stable (1.1.33-1) nor the version in Testing / Unstable (1.3.2-1) is vulnerable. Not closing yet as I want to test this better.
The version in Jessie-backports seems to be the only one affected by it. Impact: mock is a chroot building server. You feed it with RPM source packages and they get built in chroots (that it creates). Package specifications may generally include various forms of executable code. The builder runs the builds as a non-root user. The issue was that the rpm spec file was evaluated accidentally as root. This issue was fixed upstream just before 1.2.22, and that fix is included in the current version (1.3.2). In 1.1.33 the parsing seems to be done before after temporarily dropping super-user privileges at startup.

-- 
Tzafrir Cohen | tzaf...@jabber.org | VIM is
http://tzafrir.org.il | tzaf...@cohens.org.il | a Mutt's
tzaf...@debian.org | best friend