Hi Tianon, On Wed, Jan 25, 2017 at 09:15:51PM -0800, Tianon Gravi wrote: > On 11 January 2017 at 07:21, Moritz Muehlenhoff <j...@debian.org> wrote: > > Please see: > > https://bugzilla.suse.com/show_bug.cgi?id=1012568 > > https://github.com/docker/docker/compare/v1.12.5...v1.12.6 > > https://github.com/opencontainers/runc/commit/50a19c6ff828c58e5dab13830bd3dacde268afe5 > > I've been working on backporting this patch to 0.1.1, and I think the > CVE actually doesn't apply to 0.1.1 (the version currently in > sid/stretch). The file descriptor being closed in this patch isn't > being opened at all in 0.1.1 ("stateDirFD" doesn't exist yet). > > https://github.com/opencontainers/runc/pull/886 is the upstream PR > which introduced this file descriptor, and it was not included in a > release until 1.0.0-rc2. > > As a consequence, I think this bug should be closed (and probably the > security tracker updated to reflect the fact that this CVE doesn't > apply to our older version of runc).
Disclaimer: I'm not too deep into that. I just noticed that https://bugzilla.novell.com/show_bug.cgi?id=1012568 though seem to indicate as well 0.1.1 based version are affected. But I cannot tell more (at the moment). Regards, Salvatore