[release-1.37] Bump runc to v1.2.8 - CVE-2025-52881

.cirrus.yml

@@ -21,18 +21,19 @@ env:
     IN_PODMAN: 'false'
     # root or rootless
     PRIV_NAME: root
+    # default "mention the $BUILDAH_RUNTIME in the task alias, with initial whitespace" value
+    RUNTIME_N: ""
 
     ####
     #### Cache-image names to test with
     ####
     # GCE project where images live
     IMAGE_PROJECT: "libpod-218412"
-    FEDORA_NAME: "fedora-39"
-    PRIOR_FEDORA_NAME: "fedora-38"
-    DEBIAN_NAME: "debian-13"
+    FEDORA_NAME: "fedora-41"
+    PRIOR_FEDORA_NAME: "fedora-40"
+    UBUNTU_NAME: "ubuntu-2204"
 
-    # Image identifiers
-    IMAGE_SUFFIX: "c20240708t152000z-f40f39d13"
+    IMAGE_SUFFIX: "c20250107t132430z-f41f40d13"
     FEDORA_CACHE_IMAGE_NAME: "fedora-${IMAGE_SUFFIX}"
     PRIOR_FEDORA_CACHE_IMAGE_NAME: "prior-fedora-${IMAGE_SUFFIX}"
     DEBIAN_CACHE_IMAGE_NAME: "debian-${IMAGE_SUFFIX}"
@@ -120,13 +121,14 @@ vendor_task:
 
     # Runs within Cirrus's "community cluster"
     container:
-        image: docker.io/library/golang:latest
+        image: docker.io/library/golang:1.22
         cpu: 1
         memory: 1
 
     timeout_in: 5m
 
     vendor_script:
+        - './hack/check_vendor_toolchain.sh Try updating the image used by the vendor_task in .cirrus.yml.'
         - 'make vendor'
         - './hack/tree_status.sh'
 
@@ -197,7 +199,7 @@ conformance_task:
 
 
 integration_task:
-    name: "Integration $DISTRO_NV w/ $STORAGE_DRIVER"
+    name: "Integration $DISTRO_NV$RUNTIME_N w/ $STORAGE_DRIVER"
     alias: integration
     only_if: *not_build_docs
     depends_on: *smoke_vendor_cross
@@ -208,10 +210,26 @@ integration_task:
             DISTRO_NV: "${FEDORA_NAME}"
             IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'vfs'
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
+        - env:
+            DISTRO_NV: "${FEDORA_NAME}"
+            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'vfs'
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
         - env:
             DISTRO_NV: "${PRIOR_FEDORA_NAME}"
             IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'vfs'
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'vfs'
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
         - env:
             DISTRO_NV: "${DEBIAN_NAME}"
             IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
@@ -221,10 +239,26 @@ integration_task:
             DISTRO_NV: "${FEDORA_NAME}"
             IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'overlay'
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
+        - env:
+            DISTRO_NV: "${FEDORA_NAME}"
+            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
         - env:
             DISTRO_NV: "${PRIOR_FEDORA_NAME}"
             IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'overlay'
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
         - env:
             DISTRO_NV: "${DEBIAN_NAME}"
             IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"
@@ -252,7 +286,7 @@ integration_task:
         golang_version_script: '$GOSRC/$SCRIPT_BASE/logcollector.sh golang'
 
 integration_rootless_task:
-    name: "Integration rootless $DISTRO_NV w/ $STORAGE_DRIVER"
+    name: "Integration rootless $DISTRO_NV$RUNTIME_N w/ $STORAGE_DRIVER"
     alias: integration_rootless
     only_if: *not_build_docs
     depends_on: *smoke_vendor_cross
@@ -265,11 +299,29 @@ integration_rootless_task:
             IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'overlay'
             PRIV_NAME: rootless
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
+        - env:
+            DISTRO_NV: "${FEDORA_NAME}"
+            IMAGE_NAME: "${FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            PRIV_NAME: rootless
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
+        - env:
+            DISTRO_NV: "${PRIOR_FEDORA_NAME}"
+            IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
+            STORAGE_DRIVER: 'overlay'
+            PRIV_NAME: rootless
+            BUILDAH_RUNTIME: runc
+            RUNTIME_N: " using runc"
         - env:
             DISTRO_NV: "${PRIOR_FEDORA_NAME}"
             IMAGE_NAME: "${PRIOR_FEDORA_CACHE_IMAGE_NAME}"
             STORAGE_DRIVER: 'overlay'
             PRIV_NAME: rootless
+            BUILDAH_RUNTIME: crun
+            RUNTIME_N: " using crun"
         - env:
             DISTRO_NV: "${DEBIAN_NAME}"
             IMAGE_NAME: "${DEBIAN_CACHE_IMAGE_NAME}"

.golangci.yml

@@ -8,6 +8,5 @@ run:
   concurrency: 4
 linters:
   enable:
-    - revive
     - unconvert
     - unparam

CHANGELOG.md

@@ -2,6 +2,26 @@
 
 # Changelog
 
+## v1.37.7 (2025-12-09)
+
+    [release-1.37] CI: run integration tests on Fedora with both crun and
+    [release-1.37] runUsingRuntime: use named constants for runtime states
+    [release-1.37] Add a dummy "runtime" that just dumps its
+    [release-1.37] run: handle relabeling bind mounts ourselves
+    [release-1.37] Partially work around containers/common
+    [release-1.37] Don't set ambient capabilities
+    [release-1.37] Silence new linter warnings
+    [release-1.37] Bump onsi/ginkgo to v2 and x/tools
+    [release-1.37] Bump CI environment to match release-1.39
+    [release-1.37] Finish updating to go 1.22
+    [release-1.37] update RunningInUserNS lib
+    [release-1.37] Bump x/tools to v0.26.0
+    [release-1.37] replace deprecated selinux/label calls
+    [release-1.37] Bump Go to 1.22 in Makefile
+    [release-1.37] Bump runc to v1.2.9 - CVE-2025-52881
+    Builder.sbomScan(): don't break non-root scanners
+    [release-1.37] tests/conformance/testdata/Dockerfile.add:...
+
 ## v1.37.6 (2025-01-20)
 
     Fix TOCTOU error when bind and cache mounts use "src" values

Makefile

@@ -53,7 +53,7 @@ endif
 #     Note: Uses the -N -l go compiler options to disable compiler optimizations
 #           and inlining. Using these build options allows you to subsequently
 #           use source debugging tools like delve.
-all: bin/buildah bin/imgtype bin/copy bin/tutorial docs
+all: bin/buildah bin/imgtype bin/copy bin/tutorial bin/dumpspec docs
 
 # Update nix/nixpkgs.json its latest stable commit
 .PHONY: nixpkgs
@@ -101,6 +101,9 @@ bin/buildah.%:
 	mkdir -p ./bin
 	GOOS=$(word 2,$(subst ., ,$@)) GOARCH=$(word 3,$(subst ., ,$@)) $(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ -tags "containers_image_openpgp" ./cmd/buildah
 
+bin/dumpspec: $(SOURCES) tests/dumpspec/*.go
+	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/dumpspec
+
 bin/imgtype: $(SOURCES) tests/imgtype/imgtype.go
 	$(GO_BUILD) $(BUILDAH_LDFLAGS) -o $@ $(BUILDFLAGS) ./tests/imgtype/imgtype.go
 
@@ -199,7 +202,12 @@ test-unit: tests/testreport/testreport
 	$(GO_TEST) -v -tags "$(STORAGETAGS) $(SECURITYTAGS)" -cover $(RACEFLAGS) ./cmd/buildah -args --root $$tmp/root --runroot $$tmp/runroot --storage-driver vfs --signature-policy $(shell pwd)/tests/policy.json --registries-conf $(shell pwd)/tests/registries.conf
 
 vendor-in-container:
-	podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:1.21 make vendor
+	goversion=$(shell sed -e '/^go /!d' -e '/^go /s,.* ,,g' go.mod) ; \
+	if test -d `go env GOCACHE` && test -w `go env GOCACHE` ; then \
+		podman run --privileged --rm --env HOME=/root -v `go env GOCACHE`:/root/.cache/go-build --env GOCACHE=/root/.cache/go-build -v `pwd`:/src -w /src docker.io/library/golang:$$goversion make vendor ; \
+	else \
+		podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src docker.io/library/golang:$$goversion make vendor ; \
+	fi
 
 .PHONY: vendor
 vendor:

add_linux.go

@@ -1,7 +1,7 @@
 package buildah
 
 import (
-	"github.com/opencontainers/runc/libcontainer/userns"
+	"github.com/moby/sys/userns"
 )
 
 func runningInUserNS() bool {

changelog.txt

@@ -1,3 +1,22 @@
+- Changelog for v1.37.7 (2025-12-09)
+  * [release-1.37] CI: run integration tests on Fedora with both crun and
+  * [release-1.37] runUsingRuntime: use named constants for runtime states
+  * [release-1.37] Add a dummy "runtime" that just dumps its
+  * [release-1.37] run: handle relabeling bind mounts ourselves
+  * [release-1.37] Partially work around containers/common
+  * [release-1.37] Don't set ambient capabilities
+  * [release-1.37] Silence new linter warnings
+  * [release-1.37] Bump onsi/ginkgo to v2 and x/tools
+  * [release-1.37] Bump CI environment to match release-1.39
+  * [release-1.37] Finish updating to go 1.22
+  * [release-1.37] update RunningInUserNS lib
+  * [release-1.37] Bump x/tools to v0.26.0
+  * [release-1.37] replace deprecated selinux/label calls
+  * [release-1.37] Bump Go to 1.22 in Makefile
+  * [release-1.37] Bump runc to v1.2.9 - CVE-2025-52881
+  * Builder.sbomScan(): don't break non-root scanners
+  * [release-1.37] tests/conformance/testdata/Dockerfile.add:...
+
 - Changelog for v1.37.6 (2025-01-20)
   * Fix TOCTOU error when bind and cache mounts use "src" values
   * define.TempDirForURL(): always use an intermediate subdirectory

chroot/run_common.go

@@ -19,6 +19,7 @@ import (
 	"syscall"
 
 	"github.com/containers/buildah/bind"
+	"github.com/containers/buildah/internal/pty"
 	"github.com/containers/buildah/util"
 	"github.com/containers/storage/pkg/ioutils"
 	"github.com/containers/storage/pkg/reexec"
@@ -215,7 +216,7 @@ func runUsingChrootMain() {
 	var stderr io.Writer
 	fdDesc := make(map[int]string)
 	if options.Spec.Process.Terminal {
-		ptyMasterFd, ptyFd, err := getPtyDescriptors()
+		ptyMasterFd, ptyFd, err := pty.GetPtyDescriptors()
 		if err != nil {
 			logrus.Errorf("error opening PTY descriptors: %v", err)
 			os.Exit(1)

chroot/run_linux.go

@@ -181,7 +181,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
 		capability.EFFECTIVE:   spec.Process.Capabilities.Effective,
 		capability.INHERITABLE: []string{},
 		capability.PERMITTED:   spec.Process.Capabilities.Permitted,
-		capability.AMBIENT:     spec.Process.Capabilities.Ambient,
+		capability.AMBIENT:     {},
 	}
 	knownCaps := capability.List()
 	noCap := capability.Cap(-1)
@@ -364,9 +364,9 @@ func setupChrootBindMounts(spec *specs.Spec, bundlePath string) (undoBinds func(
 		if err := unix.Mount(m.Mountpoint, subSys, "bind", sysFlags, ""); err != nil {
 			msg := fmt.Sprintf("could not bind mount %q, skipping: %v", m.Mountpoint, err)
 			if strings.HasPrefix(m.Mountpoint, "/sys") {
-				logrus.Infof(msg)
+				logrus.Info(msg)
 			} else {
-				logrus.Warningf(msg)
+				logrus.Warning(msg)
 			}
 			continue
 		}

chroot/selinux.go

@@ -8,15 +8,14 @@ import (
 
 	"github.com/opencontainers/runtime-spec/specs-go"
 	selinux "github.com/opencontainers/selinux/go-selinux"
-	"github.com/opencontainers/selinux/go-selinux/label"
 	"github.com/sirupsen/logrus"
 )
 
 // setSelinuxLabel sets the process label for child processes that we'll start.
 func setSelinuxLabel(spec *specs.Spec) error {
 	logrus.Debugf("setting selinux label")
 	if spec.Process.SelinuxLabel != "" && selinux.GetEnabled() {
-		if err := label.SetProcessLabel(spec.Process.SelinuxLabel); err != nil {
+		if err := selinux.SetExecLabel(spec.Process.SelinuxLabel); err != nil {
 			return fmt.Errorf("setting process label to %q: %w", spec.Process.SelinuxLabel, err)
 		}
 	}

cmd/buildah/main.go

@@ -70,7 +70,7 @@ func init() {
 	)
 	storageOptions, err := storage.DefaultStoreOptions()
 	if err != nil {
-		logrus.Errorf(err.Error())
+		logrus.Error(err.Error())
 		os.Exit(1)
 
 	}
@@ -82,7 +82,7 @@ func init() {
 
 	defaultContainerConfig, err = config.Default()
 	if err != nil {
-		logrus.Errorf(err.Error())
+		logrus.Error(err.Error())
 		os.Exit(1)
 	}
 	defaultContainerConfig.CheckCgroupsAndAdjustConfig()

contrib/cirrus/test.sh

@@ -63,7 +63,7 @@ else
                 export GITVALIDATE_EPOCH="$CIRRUS_LAST_GREEN_CHANGE"
             fi
             echo "Linting & Validating from ${GITVALIDATE_EPOCH:-default EPOCH}"
-            showrun make lint LINTFLAGS="--deadline=20m --color=always -j1"
+            showrun make lint LINTFLAGS="--timeout=20m --color=always -j1" 
             showrun make validate
             ;;
         unit)

copier/copier.go

@@ -1730,7 +1730,7 @@ func copierHandlerPut(bulkReader io.Reader, req request, idMappings *idtools.IDM
 			// no type flag for sockets
 			default:
 				return fmt.Errorf("unrecognized Typeflag %c", hdr.Typeflag)
-			case tar.TypeReg:
+			case tar.TypeReg: //nolint:staticcheck
 				var written int64
 				written, err = createFile(path, tr)
 				// only check the length if there wasn't an error, which we'll

copier/copier_test.go

@@ -710,7 +710,7 @@ func testStat(t *testing.T) {
 								result := st.Results[glob]
 
 								switch testItem.Typeflag {
-								case tar.TypeReg:
+								case tar.TypeReg: //nolint:staticcheck
 									if actualContent, ok := testArchive.contents[testItem.Name]; ok {
 										testItem.Size = int64(len(actualContent))
 									}

define/types.go

@@ -29,7 +29,7 @@ const (
 	// identify working containers.
 	Package = "buildah"
 	// Version for the Package. Also used by .packit.sh for Packit builds.
-	Version = "1.37.6"
+	Version = "1.37.7"
 
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"