[release-1.37] Bump runc to v1.2.8 - CVE-2025-52881 #6537
base: release-1.37
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: TomSweeneyRedHat. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing /approve.
575e857 to eef214b
Ephemeral COPR build failed. @containers/packit-build please check.
Bump runc to v1.2.9 to fix CVE-2025-52881. This also fixes CVE-2025-31133 and CVE-2025-52565. Partially fixes: https://issues.redhat.com/browse/OCPBUGS-64913, https://issues.redhat.com/browse/OCPBUGS-64911 once merged into Podman. runc v1.2.9 also fixes a couple of regressions that were in the original CVE 1.2.8 patch. Signed-off-by: tomsweeneyredhat <[email protected]>
eef214b to ad2e3c9
The latest runc requires Go 1.22. Bump it in the Makefile to that version. Signed-off-by: tomsweeneyredhat <[email protected]>
These functions were removed in github.com/opencontainers/selinux v1.12.0. Signed-off-by: tomsweeneyredhat <[email protected]>
ad9979b to 7d4c4f7
Bumping golang.org/x/tools to v0.26.0 per @nalind's suggestion. Signed-off-by: tomsweeneyredhat <[email protected]>
7d4c4f7 to 0517f18
Apparently, per lint, the userns.RunningInUserNS() function has moved from runc to moby. Update the library location. Signed-off-by: tomsweeneyredhat <[email protected]>
Update references to specific versions of golang in the Makefile and the Cirrus CI configuration to match go.mod, and add a check in the 'vendor' target that CI runs that the image it's run inside is a close-enough match to the version listed in go.mod. Signed-off-by: Nalin Dahyabhai <[email protected]>
0517f18 to c840a16
Stealing from @cevich's work in containers#6520. In CI, the project and tests are compiled, and therefore require newer CI/VM images with support for the newer golang requirements. Signed-off-by: tomsweeneyredhat <[email protected]>
c840a16 to 0fbbd55
02007e0 to 05e00fb
a18b612 to 824b927
Bumping onsi/ginkgo to v2 and the x/tools to v0.26 in the test/tools directory. Signed-off-by: tomsweeneyredhat <[email protected]>
Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: tomsweeneyredhat <[email protected]>
Ambient capabilities can't be raised without inheritable ones, and since we don't raise inheritable, we should not raise ambient either. This went unnoticed because of a bug in syndtr/gocapability which is only fixed in its fork (see the next commit). Amends commit e7e55c9. Signed-off-by: Kir Kolyshkin <[email protected]> Signed-off-by: tomsweeneyredhat <[email protected]>
824b927 to 499b430
... setting RLIMIT_NPROC wrong. The version of containers/common we're currently using on this branch included a bug which was later fixed by containers/common#2199. If we get an update on its v0.60 branch which includes that fix, we can drop this patch from this branch, but until then, work around the part that breaks our tests. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: tomsweeneyredhat <[email protected]>
Bump Buildah to v1.37.7. Signed-off-by: tomsweeneyredhat <[email protected]>
499b430 to 0e28a01
Bump runc to v1.2.8 to fix CVE-2025-52881. This also fixes CVE-2025-31133 and CVE-2025-52566. Partially fixes: https://issues.redhat.com/browse/OCPBUGS-64913, https://issues.redhat.com/browse/OCPBUGS-64911 once merged into Podman.