[release-1.29]Bump runc to v1.2.8 - CVE-2025-52881

.cirrus.yml

@@ -27,14 +27,14 @@ env:
     ####
     # GCE project where images live
     IMAGE_PROJECT: "libpod-218412"
-    FEDORA_NAME: "fedora-37"
-    PRIOR_FEDORA_NAME: "fedora-36"
-    UBUNTU_NAME: "ubuntu-2204"
+    FEDORA_NAME: "fedora-41"
+    PRIOR_FEDORA_NAME: "fedora-40"
+    DEBIAN_NAME: "debian-12"
 
-    IMAGE_SUFFIX: "c6300530360713216"
+    IMAGE_SUFFIX: "c20250107t132430z-f41f40d13"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
-    UBUNTU_CACHE_IMAGE_NAME: "ubuntu-${IMAGE_SUFFIX}"
+    DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
 
     IN_PODMAN_IMAGE: "quay.io/libpod/fedora_podman:${IMAGE_SUFFIX}"
 
@@ -55,7 +55,7 @@ gce_instance: &standardvm
     image_project: "${IMAGE_PROJECT}"
     zone: "us-central1-c"  # Required by Cirrus for the time being
     cpu: 2
-    memory: "4Gb"
+    memory: "4G"
     disk: 200  # Gigabytes, do not set less than 200 per obscure GCE docs re: I/O performance
     image_name: "${FEDORA_CACHE_IMAGE_NAME}"
 
@@ -68,14 +68,14 @@ meta_task:
     container:
         image: "quay.io/libpod/imgts:latest"
         cpu: 1
-        memory: 1
+        memory: 1G
 
     env:
         # Space-separated list of images used by this repository state
         IMGNAMES: |-
             ${FEDORA_CACHE_IMAGE_NAME}
             ${PRIOR_FEDORA_CACHE_IMAGE_NAME}
-            ${UBUNTU_CACHE_IMAGE_NAME}
+            ${DEBIAN_CACHE_IMAGE_NAME}
             build-push-${IMAGE_SUFFIX}
         BUILDID: "${CIRRUS_BUILD_ID}"
         REPOREF: "${CIRRUS_CHANGE_IN_REPO}"
@@ -92,7 +92,7 @@ smoke_task:
     name: "Smoke Test"
 
     gce_instance:
-        memory: "12Gb"
+        memory: "12G"
 
     # Don't bother running on branches (including cron), or for tags.
     only_if: $CIRRUS_PR != ''
@@ -120,7 +120,7 @@ vendor_task:
 
     # Runs within Cirrus's "community cluster"
     container:
-        image: docker.io/library/golang:1.17
+        image: docker.io/library/golang:1.22
         cpu: 1
         memory: 1
 
@@ -190,7 +190,7 @@ conformance_task:
     depends_on: *smoke_vendor_cross
 
     gce_instance:
-        image_name: "${UBUNTU_CACHE_IMAGE_NAME}"
+        image_name: "${DEBIAN_CACHE_IMAGE_NAME}"
 
     timeout_in: 30m
 
@@ -221,8 +221,8 @@ integration_task:
             IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'vfs'
         - env:
-            DISTRO_NV: "${UBUNTU_NAME}"
-            IMAGE_NAME: "${UBUNTU_CACHE_IMAGE_NAME}"
+            DISTRO_NV: "${DEBIAN_NAME}"
+            IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'vfs'
         # OVERLAY
         - env:
@@ -234,8 +234,8 @@ integration_task:
             IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'overlay'
         - env:
-            DISTRO_NV: "${UBUNTU_NAME}"
-            IMAGE_NAME: "${UBUNTU_CACHE_IMAGE_NAME}"
+            DISTRO_NV: "${DEBIAN_NAME}"
+            IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'overlay'
 
     gce_instance:
@@ -279,8 +279,8 @@ integration_rootless_task:
             STORAGE_DRIVER: 'overlay'
             PRIV_NAME: rootless
         - env:
-            DISTRO_NV: "${UBUNTU_NAME}"
-            IMAGE_NAME: "${UBUNTU_CACHE_IMAGE_NAME}"
+            DISTRO_NV: "${DEBIAN_NAME}"
+            IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'overlay'
             PRIV_NAME: rootless
 

.golangci.yml

@@ -8,6 +8,5 @@ run:
   concurrency: 4
 linters:
   enable:
-    - revive
     - unconvert
     - unparam

CHANGELOG.md

@@ -2,6 +2,17 @@
 
 # Changelog
 
+## v1.29.6 (2025-11-28)
+
+    [release-1.29] Bump x/tools to v0.26.0
+    [release-1.29] Bump to Go 1.22
+    [release-1.29] switch to moby/sys/capability
+    [release-1.29] Proxy module access
+    [release-1.29] Bump CI environment to match release-1.39
+    [release-1.29]Bump runc to v1.2.9 - CVE-2025-52881
+    [release-1.29] Add conditional release-checking system test
+    [release-1.29] tests/conformance/testdata/Dockerfile.add:...
+
 ## v1.29.5 (2025-02-06)
 
     Backport testing of CVE-2024-9407 fix

Makefile

@@ -186,11 +186,11 @@ test-unit: tests/testreport/testreport
 	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover $(RACEFLAGS) ./cmd/buildah -args --root $$tmp/root --runroot $$tmp/runroot --storage-driver vfs --signature-policy $(shell pwd)/tests/policy.json --registries-conf $(shell pwd)/tests/registries.conf
 
 vendor-in-container:
-	podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.17 make vendor
+	podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.22 make vendor
 
 .PHONY: vendor
 vendor:
-	GO111MODULE=on $(GO) mod tidy -compat=1.17
+	GO111MODULE=on $(GO) mod tidy -compat=1.22
 	GO111MODULE=on $(GO) mod vendor
 	GO111MODULE=on $(GO) mod verify
 

add.go

@@ -22,7 +22,7 @@ import (
 	"github.com/containers/storage/pkg/fileutils"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/hashicorp/go-multierror"
-	"github.com/opencontainers/runc/libcontainer/userns"
+	"github.com/moby/sys/userns"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
 )

changelog.txt

@@ -1,3 +1,13 @@
+- Changelog for v1.29.6 (2025-11-28)
+  * [release-1.29] Bump x/tools to v0.26.0
+  * [release-1.29] Bump to Go 1.22
+  * [release-1.29] switch to moby/sys/capability
+  * [release-1.29] Proxy module access
+  * [release-1.29] Bump CI environment to match release-1.39
+  * [release-1.29]Bump runc to v1.2.9 - CVE-2025-52881
+  * [release-1.29] Add conditional release-checking system test
+  * [release-1.29] tests/conformance/testdata/Dockerfile.add:...
+
 - Changelog for v1.29.5 (2025-02-06)
   * Backport testing of CVE-2024-9407 fix
   * Changes based on review feedback

chroot/run_linux.go

@@ -16,10 +16,10 @@ import (
 	"github.com/containers/buildah/copier"
 	"github.com/containers/storage/pkg/mount"
 	"github.com/containers/storage/pkg/unshare"
+	"github.com/moby/sys/capability"
 	"github.com/opencontainers/runc/libcontainer/apparmor"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
-	"github.com/syndtr/gocapability/capability"
 	"golang.org/x/sys/unix"
 )
 
@@ -181,9 +181,9 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
 		capability.EFFECTIVE:   spec.Process.Capabilities.Effective,
 		capability.INHERITABLE: []string{},
 		capability.PERMITTED:   spec.Process.Capabilities.Permitted,
-		capability.AMBIENT:     spec.Process.Capabilities.Ambient,
+		capability.AMBIENT:     {},
 	}
-	knownCaps := capability.List()
+	knownCaps := capability.ListKnown()
 	noCap := capability.Cap(-1)
 	for capType, capList := range capMap {
 		for _, capToSet := range capList {
@@ -339,9 +339,9 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 		if err := unix.Mount(m.Mountpoint, subSys, "bind", sysFlags, ""); err != nil {
 			msg := fmt.Sprintf("could not bind mount %q, skipping: %v", m.Mountpoint, err)
 			if strings.HasPrefix(m.Mountpoint, "/sys") {
-				logrus.Infof(msg)
+				logrus.Info(msg)
 			} else {
-				logrus.Warningf(msg)
+				logrus.Warning(msg)
 			}
 			continue
 		}

chroot/selinux.go

@@ -8,15 +8,14 @@ import (
 
 	"github.com/opencontainers/runtime-spec/specs-go"
 	selinux "github.com/opencontainers/selinux/go-selinux"
-	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 )
 
 // setSelinuxLabel sets the process label for child processes that we'll start.
 func setSelinuxLabel(spec *specs.Spec) error {
 	logrus.Debugf("setting selinux label")
 	if spec.Process.SelinuxLabel != "" && selinux.GetEnabled() {
-		if err := label.SetProcessLabel(spec.Process.SelinuxLabel); err != nil {
+		if err := selinux.SetExecLabel(spec.Process.SelinuxLabel); err != nil {
 			return fmt.Errorf("setting process label to %q: %w", spec.Process.SelinuxLabel, err)
 		}
 	}

cmd/buildah/main.go

@@ -69,7 +69,7 @@ func init() {
 	)
 	storageOptions, err := storage.DefaultStoreOptions(false, 0)
 	if err != nil {
-		logrus.Errorf(err.Error())
+		logrus.Error(err.Error())
 		os.Exit(1)
 
 	}
@@ -81,7 +81,7 @@ func init() {
 
 	containerConfig, err := config.Default()
 	if err != nil {
-		logrus.Errorf(err.Error())
+		logrus.Error(err.Error())
 		os.Exit(1)
 	}
 	containerConfig.CheckCgroupsAndAdjustConfig()

contrib/cirrus/lib.sh

@@ -96,7 +96,7 @@ PACKAGE_DOWNLOAD_DIR=/var/cache/download
 lilto() { err_retry 8 1000 "" "$@"; }  # just over 4 minutes max
 bigto() { err_retry 7 5670 "" "$@"; }  # 12 minutes max
 
-# Working with apt under Debian/Ubuntu automation is a PITA, make it easy
+# Working with apt under automation is a PITA, make it easy
 # Avoid some ways of getting stuck waiting for user input
 export DEBIAN_FRONTEND=noninteractive
 # Short-cut for frequently used base command
@@ -127,7 +127,7 @@ remove_packaged_buildah_files() {
     warn "Removing packaged buildah files to prevent conflicts with source build and testing."
     req_env_vars OS_RELEASE_ID
 
-    if [[ "$OS_RELEASE_ID" =~ "ubuntu" ]]
+    if [[ "$OS_RELEASE_ID" =~ "debian" ]]
     then
         LISTING_CMD="dpkg-query -L buildah"
     else
@@ -139,13 +139,6 @@ remove_packaged_buildah_files() {
     do
         # Sub-directories may contain unrelated/valuable stuff
         if [[ -d "$fullpath" ]]; then continue; fi
-        # As of Ubuntu 2010, policy.json in buildah, not containers-common package
-        if [[ "$OS_RELEASE_ID" == "ubuntu" ]] && \
-            grep -q '/etc/containers'<<<"$fullpath"; then
-
-            warn "Not removing $fullpath (from buildah package)"
-            continue
-        fi
 
         rm -vf "$fullpath"
     done

contrib/cirrus/logcollector.sh

@@ -9,7 +9,7 @@ req_env_vars CI GOSRC OS_RELEASE_ID
 case $1 in
     audit)
         case $OS_RELEASE_ID in
-            ubuntu) showrun cat /var/log/kern.log ;;
+            debian) showrun cat /var/log/kern.log ;;
             fedora) showrun cat /var/log/audit/audit.log ;;
             *) bad_os_id_ver ;;
         esac
@@ -21,7 +21,7 @@ case $1 in
     buildah_info) showrun $GOSRC/bin/buildah info;;
     golang) showrun go version;;
     packages)
-        # These names are common to Fedora and Ubuntu
+        # These names are common to Fedora and Debian
         PKG_NAMES=(\
                     buildah
                     conmon
@@ -44,7 +44,7 @@ case $1 in
                 fi
                 PKG_LST_CMD='rpm -q --qf=%{N}-%{V}-%{R}-%{ARCH}\n'
                 ;;
-            ubuntu*)
+            debian*)
                 PKG_LST_CMD='dpkg-query --show --showformat=${Package}-${Version}-${Architecture}\n'
                 ;;
             *) bad_os_id_ver ;;

contrib/cirrus/setup.sh

@@ -43,21 +43,12 @@ EOF
             showrun setsebool -P container_manage_cgroup true
         fi
         ;;
-    ubuntu)
+    debian)
         if [[ "$1" == "conformance" ]]; then
-            msg "Installing previously downloaded/cached packages"
-            ooe.sh dpkg -i \
+            msg "Installing previously downloaded/cached Docker packages"
+            dpkg -i \
                 $PACKAGE_DOWNLOAD_DIR/containerd.io*.deb \
                 $PACKAGE_DOWNLOAD_DIR/docker-ce*.deb
-
-            # At the time of this comment, Ubuntu is using systemd-resolved
-            # which interfears badly with conformance testing.  Some tests
-            # need to run dnsmasq on port 53.
-            if [[ -r "/run/systemd/resolve/resolv.conf" ]]; then
-                msg "Disabling systemd-resolved service"
-                systemctl stop systemd-resolved.service
-                cp /run/systemd/resolve/resolv.conf /etc/
-            fi
         fi
         ;;
     *)

contrib/cirrus/test.sh

@@ -56,7 +56,7 @@ else
                 export GITVALIDATE_EPOCH="$CIRRUS_LAST_GREEN_CHANGE"
             fi
             echo "Linting & Validating from ${GITVALIDATE_EPOCH:-default EPOCH}"
-            showrun make lint LINTFLAGS="--deadline=20m --color=always -j1"
+            showrun make lint LINTFLAGS="--timeout=20m --color=always -j1"
             showrun make validate
             ;;
         unit)
@@ -67,7 +67,7 @@ else
             # This test compares images built with the "latest" version
             # of docker, against images built with buildah. Runtime installs
             # are required to ensure the latest docker version is used.
-            [[ "$OS_RELEASE_ID" == "ubuntu" ]] || \
+            [[ "$OS_RELEASE_ID" == "debian" ]] || \
                 bad_os_id_ver
 
             systemctl enable --now docker

copier/copier.go

@@ -1721,7 +1721,7 @@ func copierHandlerPut(bulkReader io.Reader, req request, idMappings *idtools.IDM
 			// no type flag for sockets
 			default:
 				return fmt.Errorf("unrecognized Typeflag %c", hdr.Typeflag)
-			case tar.TypeReg, tar.TypeRegA:
+			case tar.TypeReg, tar.TypeRegA: //nolint:staticcheck
 				var written int64
 				written, err = createFile(path, tr)
 				// only check the length if there wasn't an error, which we'll

copier/copier_linux_test.go

@@ -13,9 +13,9 @@ import (
 
 	"github.com/containers/storage/pkg/mount"
 	"github.com/containers/storage/pkg/reexec"
+	"github.com/moby/sys/capability"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/syndtr/gocapability/capability"
 	"golang.org/x/sys/unix"
 )
 

copier/copier_test.go

@@ -710,7 +710,7 @@ func testStat(t *testing.T) {
 								result := st.Results[glob]
 
 								switch testItem.Typeflag {
-								case tar.TypeReg, tar.TypeRegA:
+								case tar.TypeReg, tar.TypeRegA: //nolint:staticcheck
 									if actualContent, ok := testArchive.contents[testItem.Name]; ok {
 										testItem.Size = int64(len(actualContent))
 									}

define/types.go

@@ -30,7 +30,7 @@ const (
 	Package = "buildah"
 	// Version for the Package.  Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.29.5"
+	Version = "1.29.6"
 
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"