[release-1.29] Bump runc up to 1.2.9 for CVE-2025-52881, CVE-2025-31133 and CVE-2025-52565 #6538
base: release-1.29
Conversation
ed66f58 to 6566cd2
6566cd2 to ded4bd3
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: cevich
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@cevich I'm not sure where all these PRs came from when you put this together, regardless, it looks like a man page or two may need tweaking:
Actually the documentation is correct. My clanker helped identify the change as being caused by an update to Cobra w/ behavior changes, as part of the runc v1.2.8 update. So sadly, code changes are needed to fix this here and in #6540

I've lost track days ago. With David out this week, I'm just going down my list of what needs updating and trying to make as much backport progress as I can (based on the next higher version). I'm hoping when the dust settles, it will all get worked out in the end.

Testing out a fix to the CLI options / Cobra update problem over in PR #6540
ded4bd3 to 71772b7

Added "Handle Cobra v1.5 -> v1.8 behavior changes" commit.
28b801f to 23c69c3
Suggestion from Tom/Nalin:
Backported:
Note: I saw a few commits (6bf7400 and 56eadec) I may consider bringing here in place of disabling the lint-checking, but it's a low priority ATM.
513abff to 7bf8e56
7bf8e56 to becc9db
This change is required for future commits that will bring in newer vendored modules with elevated requirements.
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

In CI, the project and tests are compiled, so therefore require newer CI/VM images with support for the newer golang requirements.
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

Bumping golang.org/x/tools to v0.26.0 per @nalind's suggestion.
Signed-off-by: tomsweeneyredhat <[email protected]>
Signed-off-by: Chris Evich <[email protected]>

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

This addresses bumping crun to v1.2.9, which is a huge jump but is necessary to address CVE-2025-52881, CVE-2025-31133 and CVE-2025-52565 plus various regressions in earlier versions.
Fixes: https://issues.redhat.com/browse/RHEL-126922
Fixes: https://issues.redhat.com/browse/RHEL-132843
Fixes: https://issues.redhat.com/browse/RHEL-126920
Fixes: https://issues.redhat.com/browse/RHEL-132850
Signed-off-by: Chris Evich <[email protected]>

A prior commit brought in a newer Cobra (out of necessity) which also hauled in behavior changes WRT global-vs-local flag handling. In order to preserve the `buildah` CLI options prior to this change, additional code changes are needed. Fix the code such that `hack/xref-helpmsgs-manpages` does not report any differences compared to the pre-existing documentation (which presumably passed the check).
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

github.com/moby/sys/capability is a fork of the (no longer maintained) github.com/syndtr/gocapability package. For the list of changes since the fork took place, see https://github.com/moby/sys/blob/main/capability/CHANGELOG.md
Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

Signed-off-by: Nalin Dahyabhai <[email protected]>
Signed-off-by: Chris Evich <[email protected]>

Ambient capabilities can't be raised without inheritable ones, and since we don't raise inheritable, we should not raise ambient either. This went unnoticed because of a bug in syndtr/gocapability which is only fixed in its fork (see the next commit). Amends commit e7e55c9.
Signed-off-by: Kir Kolyshkin <[email protected]>
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

Use a listener helper to bind to an available-according-to-the-kernel listening port and run a command with its stdio more or less tied to the connection instead of trying to launch a git daemon directly using a port number that we can only guess is available.
Signed-off-by: Nalin Dahyabhai <[email protected]>
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
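The commit above replaces a guessed port number with a listener the kernel hands out. The following Go program is an added example written for this page, not buildah's test helper: it binds to port 0 on loopback so the kernel picks a free port, reports the chosen address through the listener, and runs a command (here `cat`, assumed to be on PATH) with its stdin and stdout attached to the first accepted connection. A client half-closes its write side so the command sees EOF and exits cleanly.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"os"
	"os/exec"
)

// serveCommandOnce asks the kernel for a free loopback port (port 0), then
// accepts exactly one connection and runs name/args with stdin and stdout
// tied to it. ln.Addr() tells the caller which port was actually chosen, so
// there is no guess-bind-retry race between test and daemon. The returned
// channel delivers the command's exit status once it has finished.
// Example-only helper; it is not part of the buildah code base.
func serveCommandOnce(ctx context.Context, name string, args ...string) (net.Listener, <-chan error, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, nil, err
	}
	done := make(chan error, 1)
	go func() {
		defer ln.Close()
		conn, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer conn.Close()
		cmd := exec.CommandContext(ctx, name, args...)
		cmd.Stdin = conn  // command reads what the client sends
		cmd.Stdout = conn // and answers on the same connection
		cmd.Stderr = os.Stderr
		done <- cmd.Run() // Run also waits for the stdio copy goroutines
	}()
	return ln, done, nil
}

// roundTrip dials the listener, sends input, half-closes the write side so
// the command reads EOF, and returns everything the command wrote back.
func roundTrip(addr string, input string) (string, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := io.WriteString(conn, input); err != nil {
		return "", err
	}
	if tc, ok := conn.(*net.TCPConn); ok {
		tc.CloseWrite() // EOF for the command's stdin; we can still read
	}
	out, err := io.ReadAll(conn) // ends when the server closes the connection
	return string(out), err
}

func main() {
	ln, done, err := serveCommandOnce(context.Background(), "cat")
	if err != nil {
		fmt.Println("listen:", err)
		return
	}
	fmt.Println("kernel-assigned address:", ln.Addr())
	reply, err := roundTrip(ln.Addr().String(), "hello from the client\n")
	if err != nil {
		fmt.Println("client:", err)
		return
	}
	fmt.Printf("command echoed: %q\n", reply)
	if err := <-done; err != nil {
		fmt.Println("command:", err)
	}
}
```

Because `ln.Addr()` is only known after `Listen` returns, a test that needs the port (for a git daemon URL, say) reads it from the listener instead of choosing it up front, which is the whole point of the commit.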
Handle requested relabeling of bind mounts (i.e., the "z" and "Z" flags) directly, instead of letting the runtime handle the relabeling.
Signed-off-by: Nalin Dahyabhai <[email protected]>
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

Signed-off-by: Nalin Dahyabhai <[email protected]>
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

Use the named constants for the status values that runtimes can report to us when we run them with the "state" command.
Signed-off-by: Nalin Dahyabhai <[email protected]>
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

Tweak the wording that describes the effects of --cgroup-parent to be clear that it only affects handling of RUN instructions.
Signed-off-by: Nalin Dahyabhai <[email protected]>
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

Run integration tests (both as root and rootless) with both crun and runc on Fedora, to help ensure that we can use either.
Signed-off-by: Nalin Dahyabhai <[email protected]>
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

This branch is only used as the source for RHEL releases; prune CI tests that are irrelevant for this purpose.
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

A bug is present in some versions of runc (including 1.2.8) which results in the wrong number of CPU shares being used. Since the runc version may change in a future commit, but still contain the bug, simply skip the test rather than checking against the miscalculated value.
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

The previous handful of commits introduced fairly massive changes to buildah, including an overhaul of the CI runtime environment itself. Because of this, several tests need adjusting to match the new reality.
Signed-off-by: Chris Evich <[email protected]>

It is completely broken (see containers#4396) and is now causing failures in Fedora gating tests: https://artifacts.dev.testing-farm.io/30e7b5bc-d162-4ae7-9a60-896f0186bf73/
Signed-off-by: Ed Santiago <[email protected]>
Signed-off-by: Chris Evich <[email protected]>

The -cover flag causes many 'error: coverage... ; no coverage data written' messages when GOCOVERDIR is not set. These messages needlessly clutter the test output. Remove the -cover flag.
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
Note to me: CI first turned green in becc9db

Update the versions of ginkgo that we build for use by our e2e tests, and the linter.
Signed-off-by: Nalin Dahyabhai <[email protected]>
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
becc9db to 50a274d

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)

Signed-off-by: Chris Evich <[email protected]>
50a274d to 2d01a8e
What type of PR is this?
/kind other
What this PR does / why we need it:
Backport PR #6484 & #6511
How to verify it
CI + Manual
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
The commits in this PR were created with the assistance of AI, based on the source #6520. When reviewing please pay special attention to the following:
Vendor directory consistency:
- `make vendor-in-container` after each `go.mod` change
- `go.mod` and `go.sum`
All compilation verified:
- `make` after every commit
"Disable lint checking"
rather the process is simply killed.
source PRs.
"Bump runc to v1.2.8 - CVE-2025-52881" and subsequent commits include extensive `.Get()` method calls:
- `run_common.go`: Added `.Get()` calls for `defaultConfig.Containers.DNSServers.Get()`, `DNSSearches.Get()`, and `DNSOptions.Get()`
- `run_linux.go`: Added `.Get()` call for `defaultContainerConfig.Containers.DefaultUlimits.Get()`
- `pkg/cli/common.go`: Added `.Get()` calls for `defaultContainerConfig.Containers.Volumes`, `Devices`, `DNSSearches`, `DNSServers`, and `DNSOptions`
- `imagebuildah/executor.go`: Added `.Get()` calls for `defaultContainerConfig.Containers.Devices` and `Volumes`
- `cmd/buildah/from.go`: Added `.Get()` calls for `defaultContainerConfig.Containers.DefaultUlimits` and `Devices`
- `cmd/buildah/main.go`: Added `.Get()` call for `defaultContainerConfig.Engine.Env`
- `containers/common` package changed `attributedstring.Slice` types to require explicit `.Get()` method calls to convert to `[]string` before use.
"run: handle relabeling bind mounts ourselves" - SELinux relabeling changes:
- `relabel()` function in `run_common.go` that wraps `label.Relabel()` with error handling for `ENOTSUP` cases
- `run_linux.go` to detect and handle `z` and `Z` mount flags before passing mounts to the runtime, removing these flags from mount options after relabeling
- `relabel()` function was added as a helper to centralize the relabeling logic.
"vendor: switch to moby/sys/capability" - Capability library migration:
- `github.com/syndtr/gocapability` to `github.com/moby/sys/capability` in `go.mod`
- `capability.List()` to `capability.ListKnown()`
SELinux API updates - Direct selinux package usage:
"Don't set ambient capabilities" - Ambient capability handling:
- `chroot/run_linux.go` to set ambient capabilities to empty array `{}` instead of using `spec.Process.Capabilities.Ambient`
- `cmd/buildah/unshare.go` in the `debugCapabilities` function, but this was skipped during backport because the `debugCapabilities` function does not exist in the release-1.29 branch. Only the `chroot/run_linux.go` changes were applied.
"Integration tests: run git daemon on a random-but-bind()able port" and "Add a dummy 'runtime' that just dumps its config file" - New test infrastructure:
"runUsingRuntime: use named constants for runtime states" - Runtime state constants:
- `specs` package version used by release-1.29.
"Bump Buildah to v1.29.6" - Version and changelog updates:
- `buildah_release 1.29.6` script.
Does this PR introduce a user-facing change?
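The "run: handle relabeling bind mounts ourselves" commit and the reviewer notes above describe two pieces: a `relabel()` helper that tolerates `ENOTSUP`, and mount handling that acts on the `z`/`Z` flags itself and strips them before the runtime sees the mount. The Go program below is an added example for this page, not buildah's own code. It assumes a minimal `Mount` struct standing in for the OCI mount entry and takes the actual relabel operation as a function parameter (`relabelFunc`, a hypothetical hook in place of `label.Relabel` from the opencontainers/selinux package) so it can run without SELinux. `z` means a shared label, `Z` a private one; asking for both on one mount is rejected.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"syscall"
)

// Mount is an example-only stand-in for the runtime-spec mount entry.
type Mount struct {
	Source      string
	Destination string
	Options     []string
}

// relabelFunc is the hook that applies an SELinux label to a path.
// Hypothetical: it stands in for label.Relabel(path, label, shared).
type relabelFunc func(path, mountLabel string, shared bool) error

// relabel wraps the hook and treats ENOTSUP (filesystems without xattr
// label support, e.g. some network or pseudo filesystems) as "nothing to
// do", while any other error is reported with the path for context.
func relabel(fn relabelFunc, path, mountLabel string, shared bool) error {
	if mountLabel == "" {
		return nil // no label in effect, nothing to apply (assumption for this example)
	}
	err := fn(path, mountLabel, shared)
	if errors.Is(err, syscall.ENOTSUP) {
		return nil
	}
	if err != nil {
		return fmt.Errorf("relabeling %q: %w", path, err)
	}
	return nil
}

// prepareBindMounts applies the relabel requested by "z" (shared) or "Z"
// (private) and returns copies of the mounts with those flags removed, so
// the runtime never sees options it might otherwise try to act on itself.
func prepareBindMounts(mounts []Mount, mountLabel string, fn relabelFunc) ([]Mount, error) {
	out := make([]Mount, 0, len(mounts))
	for _, m := range mounts {
		var kept []string
		shared, private := false, false
		for _, o := range m.Options {
			switch o {
			case "z":
				shared = true
			case "Z":
				private = true
			default:
				kept = append(kept, o)
			}
		}
		if shared && private {
			return nil, fmt.Errorf("mount %q: options z and Z are mutually exclusive", m.Source)
		}
		if shared || private {
			if err := relabel(fn, m.Source, mountLabel, shared); err != nil {
				return nil, err
			}
		}
		out = append(out, Mount{Source: m.Source, Destination: m.Destination, Options: kept})
	}
	return out, nil
}

func main() {
	// Constructed sample input and a hook that only logs what it would do.
	logOnly := func(path, mountLabel string, shared bool) error {
		fmt.Printf("relabel %s label=%s shared=%v\n", path, mountLabel, shared)
		return nil
	}
	mounts := []Mount{
		{Source: "/srv/data", Destination: "/data", Options: []string{"rbind", "Z", "ro"}},
		{Source: "/srv/shared", Destination: "/shared", Options: []string{"bind", "z"}},
	}
	out, err := prepareBindMounts(mounts, "system_u:object_r:container_file_t:s0:c1,c2", logOnly)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, m := range out {
		fmt.Printf("%s -> %s options=%s\n", m.Source, m.Destination, strings.Join(m.Options, ","))
	}
}
```

The mount label passed in is a constructed example value; in practice it is the per-container label chosen when the container was set up.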