# not found actually in 1.3.2 ...
Control: notfound -1 850320 1.3.2-1
# but found in version as in jessie backports according to analysis
Control: found -1 1.2.3-1
# and mark as fixed in 1.3.2-1 the first version after 1.2.21 in the
# archive
Control: fixed -1 850320 1.3.2-1
Hi Tzafrir,

On Fri, Jan 06, 2017 at 12:25:07AM +0100, Tzafrir Cohen wrote:
> My initial reading into this: neither the version in Stable (1.1.33-1)
> nor the version in Testing / Unstable (1.3.2-1) is vulnerable. Not
> closing yet as I want to test this better.
>
> The version in Jessie-backports seems to be the only one affected by it.
>
> Impact: mock is a chroot building server. You feed it with RPM source
> packages and they get built in chroots (that it creates). Package
> specifications may generally include various forms of executable code.
> The builder runs the builds as a non-root user. The issue was that the
> rpm spec file was evaluated accidentally as root.
>
> This issue was fixed upstream just before 1.2.22, and that fix is
> included in the current version (1.3.2). In 1.1.33 the parsing seems to
> be done before after temporarily dropping super-user privileges at
> startup.

Thanks for your investigation and the explanation of the attack vector,
that's much appreciated. I seem to have read the patch wrongly, leading me
to think that src:mock 1.3.2 is affected.

If you agree on the above Control changes and we are sure that the version
in stable is not affected, then I guess we can go ahead with the closure.

Regards and thanks for your time taken,
Salvatore