[release-1.37] Bump runc to v1.2.8 - CVE-2025-52881 #6537
Ephemeral COPR build failed. @containers/packit-build please check.
Bump runc to v1.2.9 to fix CVE-2025-52881. This also fixes CVE-2025-31133 and CVE-2025-52565. Partially fixes: https://issues.redhat.com/browse/OCPBUGS-64913, https://issues.redhat.com/browse/OCPBUGS-64911 once merged into Podman. runc v1.2.9 also fixes a couple of regressions that were in the original CVE 1.2.8 patch. Signed-off-by: tomsweeneyredhat <[email protected]>
The latest runc requires Go 1.22. Bump it in the Makefile to that version. Signed-off-by: tomsweeneyredhat <[email protected]>
These functions were removed in github.com/opencontainers/selinux v1.12.0. Signed-off-by: tomsweeneyredhat <[email protected]>
Bumping golang.org/x/tools to v0.26.0 per @nalind's suggestion. Signed-off-by: tomsweeneyredhat <[email protected]>
Apparently, per lint, the userns.RunningInUserNS() function has moved from runc to moby. Update the library location. Signed-off-by: tomsweeneyredhat <[email protected]>
Update references to specific versions of golang in the Makefile and the Cirrus CI configuration to match go.mod, and add a check in the 'vendor' target that CI runs that the image it's run inside is a close-enough match to the version listed in go.mod. Signed-off-by: Nalin Dahyabhai <[email protected]>
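As an added example (not the PR's Makefile code), a POSIX shell version of the "close-enough match" check the commit above describes: it compares the `go` directive in go.mod against the toolchain's `go version` output. It assumes that close enough means the major.minor parts agree, and the go.mod it reads is a constructed sample.

```shell
# Added example, not the PR's Makefile: check that the Go toolchain a vendor
# step runs under is a "close-enough" match for the "go" directive in go.mod.
# Assumption: close enough means the major.minor parts agree (1.22 vs 1.22.5).

# Print the version from the first "go" directive of the go.mod at $1.
go_mod_version() {
    sed -n 's/^go[[:space:]][[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Print the version embedded in `go version` output passed as $1,
# e.g. "go version go1.22.5 linux/amd64" -> "1.22.5".
toolchain_version() {
    printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9.]*\).*/\1/p'
}

# Reduce a version to major.minor: "1.22.5" -> "1.22", "1.22" -> "1.22".
major_minor() {
    printf '%s\n' "$1" | cut -d. -f1,2
}

# Succeed when both versions share major.minor.
versions_match() {
    [ "$(major_minor "$1")" = "$(major_minor "$2")" ]
}

# Compare go.mod ($1) against `go version` output ($2). Returns 0 on a match,
# 1 on a mismatch and 2 when either version cannot be determined, so a
# Makefile recipe can fail the vendor step before touching vendor/.
check_vendor_toolchain() {
    want=$(go_mod_version "$1")
    have=$(toolchain_version "$2")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "cannot determine Go versions (go.mod='$want', toolchain='$have')" >&2
        return 2
    fi
    versions_match "$want" "$have" && return 0
    echo "go.mod requires Go $want but the toolchain is Go $have; use a matching image" >&2
    return 1
}

# Constructed sample go.mod for the demonstration (not the project's file).
SAMPLE_GO_MOD=$(mktemp)
trap 'rm -f "$SAMPLE_GO_MOD"' EXIT
cat > "$SAMPLE_GO_MOD" <<'EOF'
module example.invalid/sample
go 1.22 // minimum language version
require github.com/opencontainers/runc v1.2.8
EOF
```

In a recipe, `check_vendor_toolchain go.mod "$(go version)" || exit 1` before the vendoring step gives the behaviour the commit describes.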
Stealing from @cevich's work in containers#6520. In CI, the project and tests are compiled, and therefore require newer CI/VM images with support for the newer golang requirements. Signed-off-by: tomsweeneyredhat <[email protected]>
Bumping onsi/ginkgo to v2 and the x/tools to v0.26 in the test/tools directory. Signed-off-by: tomsweeneyredhat <[email protected]>
Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: tomsweeneyredhat <[email protected]>
Ambient capabilities can't be raised without inheritable ones, and since we don't raise inheritable, we should not raise ambient either. This went unnoticed because of a bug in syndtr/gocapability which is only fixed in its fork (see the next commit). Amends commit e7e55c9. Signed-off-by: Kir Kolyshkin <[email protected]> Signed-off-by: tomsweeneyredhat <[email protected]>
... setting RLIMIT_NPROC wrong The version of containers/common we're currently using on this branch included a bug which was later fixed by containers/common#2199. If we get an update on its v0.60 branch which includes that fix, we can drop this patch from this branch, but until then, work around the part that breaks our tests. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: tomsweeneyredhat <[email protected]>
[DO NOT MERGE] Testing merging Buildah from containers/buildah#6537 to see what kind of fun we will have. Signed-off-by: tomsweeneyredhat <[email protected]>
Luap99
left a comment
LGTM
| vendor-in-container: | ||
| podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.22 make vendor | ||
| goversion=$(shell sed -e '/^go /!d' -e '/^go /s,.* ,,g' go.mod) ; \ |
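Review bot: the image tag on the `podman run` line is hardcoded as `golang:1.22` while the `goversion=` line derives the expected version from go.mod at run time, so the two can drift and the check will only fire once the tag is already stale; keeping the tag in step with go.mod (or deriving it from `goversion`) avoids that. The sed expression also matches only lines beginning with `go `, so a `toolchain` directive in go.mod is not considered; `go list -m -f '{{.GoVersion}}'` reads the same directive without hand parsing. Separately, `--privileged` is more than a `make vendor` run should need to write into the bind-mounted source tree; worth confirming it is actually required.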
Not blocking, this could be go list -m -f {{.GoVersion}}
cc @nalind
Since it is a backport it doesn't matter, but I guess it's worth simplifying on main.
Assuming that's a thing we expect to work, do we have CI runs that use
flouthoc
left a comment
LGTM
I can't speak authoritatively, but I do think https://github.com/openshift/builder is still using runc in its containers. I cherry picked some of the patches it would need in #6569.
Working on adding the other commit, thanks for the heads up @nalind and apologies if I missed a note earlier.
Handle requested relabeling of bind mounts (i.e., the "z" and "Z" flags) directly, instead of letting the runtime handle the relabeling. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: tomsweeneyredhat <[email protected]>
... config file Add a dummy "runtime" that just dumps its runtime config, either the entirety of it, or a section of it corresponding to each command line argument. Tests can use it to ensure that we set the right thing in the configuration without also depending on the runtime to do as its asked, which isn't always something we have control over. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: tomsweeneyredhat <[email protected]>
Use the named constants for the status values that runtimes can report to us when we run them with the "state" command. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: tomsweeneyredhat <[email protected]>
... runc Run integration tests (both as root and rootless) with both crun and runc on Fedora, to help ensure that we can use either. Signed-off-by: Nalin Dahyabhai <[email protected]> Signed-off-by: tomsweeneyredhat <[email protected]>
Pushed, and rolling the CI dice once again.
CHANGELOG.md
Outdated
| ## v1.37.7 (2025-11-28) | ||
| [release-1.37] update RunningInUserNS lib |
The date is wrong and it doesn't seem to list all commits. I don't think there is much value in such changelogs, but if you do that it should have the right content?
I assume you just need to rerun the script that generates this.
@Luap99 dang it, yep, you're right. I've added a few commits and never reran the changelogs. Let me go rerun that.
Bump Buildah to v1.37.7 Signed-off-by: tomsweeneyredhat <[email protected]>
Good catch on the changelog @Luap99. I just killed and recreated that last commit with the updated changelogs. Everything else is the same here. Please, CI, be kind.
Luap99
left a comment
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: flouthoc, Luap99, TomSweeneyRedHat.
5980281 into containers:release-1.37
Bump runc to v1.2.8 to fix CVE-2025-52881. This also
fixes CVE-2025-31133 and CVE-2025-52566.
Partially fixes: https://issues.redhat.com/browse/OCPBUGS-64913, https://issues.redhat.com/browse/OCPBUGS-64911
once merged into Podman.