On 11 January 2017 at 07:21, Moritz Muehlenhoff <j...@debian.org> wrote: > Please see: > https://bugzilla.suse.com/show_bug.cgi?id=1012568 > https://github.com/docker/docker/compare/v1.12.5...v1.12.6 > https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5
I've been working on backporting this patch to 0.1.1, and I think the CVE actually doesn't apply to 0.1.1 (the version currently in sid/stretch). The file descriptor being closed in this patch isn't being opened at all in 0.1.1 ("stateDirFD" doesn't exist yet). https://github.com/opencontainers/runc/pull/886 is the upstream PR which introduced this file descriptor, and it was not included in a release until 1.0.0-rc2. As a consequence, I think this bug should be closed (and probably the security tracker updated to reflect the fact that this CVE doesn't apply to our older version of runc). ♥, - Tianon 4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4