
Conversation

@cevich
Member

@cevich cevich commented Dec 4, 2025

What type of PR is this?

/kind other

What this PR does / why we need it:

Backport PR #6484 & #6511

How to verify it

CI + Manual

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

(Copied from #6540)

The commits in this PR were created with the assistance of AI, from #6540. When reviewing please pay special attention to the Bump runc to v1.2.9 commit. I've included a summary in the commit message detailing the substantial changes WRT the source 6540 PR.

I believe the other backport commits from 1.27 were mostly straight-forward. But it's late and I haven't had time to check carefully yet.

Does this PR introduce a user-facing change?

None

@openshift-ci
Contributor

openshift-ci bot commented Dec 4, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cevich
Once this PR has been reviewed and has the lgtm label, please assign lsm5 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cevich cevich changed the title from "[release-1.26] Bump runc up to 1.2.8 for CVE-2025-52881, CVE-2025-31133 and CVE-2025-52565" to "[release-1.26] Bump runc up to 1.2.9 for CVE-2025-52881, CVE-2025-31133 and CVE-2025-52565" on Dec 4, 2025
@cevich cevich force-pushed the release-1.26_cve_3113-52565-52881 branch from 6b87590 to d3613d3 on December 5, 2025 15:49
cevich and others added 4 commits December 5, 2025 11:35
This change is required for future commits that will bring in newer
vendored modules with elevated requirements.

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
In CI, the project and tests are compiled, and therefore require newer
CI/VM images with support for the newer golang requirements.

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
Bumping golang.org/x/tools to v0.26.0 per @nalind's
suggestion.

Signed-off-by: tomsweeneyredhat <[email protected]>
Signed-off-by: Chris Evich <[email protected]>
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
@cevich cevich force-pushed the release-1.26_cve_3113-52565-52881 branch from d3613d3 to 727c661 on December 5, 2025 18:34
cevich and others added 20 commits December 5, 2025 13:43
Use sort.Stable() instead of sort.Sort() to sort mounts, and have the
comparison function compare the cleaned paths directly if they have the
same number of components, so that there's a defined ordering between
"/a" and "/b".

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
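The ordering rule that commit describes (parents before children, ties between equally deep destinations broken by the cleaned path, duplicates kept in input order by a stable sort) is easy to get subtly wrong, and an undefined mount order matters: whichever of two mounts lands second shadows the first. The following is an added, self-contained Go example written for this page, not buildah's own code; the `Mount` type, `depth`, `SortMounts` and `ParentsFirst` are illustrative names, and the input list is constructed.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// Mount is a simplified stand-in for a runtime-spec mount entry (assumed
// shape for this example); only Destination participates in ordering.
type Mount struct {
	Destination string
	Source      string
}

// depth counts the path components of a cleaned destination, so "/" is 0,
// "/a" is 1 and "/a/b/" is 2. A parent always has fewer components than
// anything mounted underneath it, which is why depth is the primary key.
func depth(p string) int {
	c := filepath.Clean(p)
	if c == "/" || c == "." {
		return 0
	}
	return len(strings.Split(strings.Trim(c, "/"), "/"))
}

// byDepth orders mounts parents-first; ties between equally deep
// destinations are broken by comparing the cleaned paths, so "/a" and "/b"
// have a defined order instead of being left to the sort algorithm.
type byDepth []Mount

func (m byDepth) Len() int      { return len(m) }
func (m byDepth) Swap(i, j int) { m[i], m[j] = m[j], m[i] }
func (m byDepth) Less(i, j int) bool {
	di, dj := depth(m[i].Destination), depth(m[j].Destination)
	if di != dj {
		return di < dj
	}
	return filepath.Clean(m[i].Destination) < filepath.Clean(m[j].Destination)
}

// SortMounts returns a sorted copy. sort.Stable keeps two entries with the
// same destination in their input order, so the later one is mounted on top
// exactly as the caller listed them; sort.Sort gives no such guarantee.
func SortMounts(mounts []Mount) []Mount {
	out := make([]Mount, len(mounts))
	copy(out, mounts)
	sort.Stable(byDepth(out))
	return out
}

// isParent reports whether parent is a strict ancestor directory of child.
func isParent(parent, child string) bool {
	p, c := filepath.Clean(parent), filepath.Clean(child)
	if p == c {
		return false
	}
	return p == "/" || strings.HasPrefix(c, p+"/")
}

// ParentsFirst checks the invariant the ordering must guarantee: no mount
// appears before a mount on one of its ancestor directories.
func ParentsFirst(mounts []Mount) bool {
	for i := range mounts {
		for j := i + 1; j < len(mounts); j++ {
			if isParent(mounts[j].Destination, mounts[i].Destination) {
				return false
			}
		}
	}
	return true
}

// Destinations lists the destinations in order, for inspection.
func Destinations(mounts []Mount) []string {
	out := make([]string, 0, len(mounts))
	for _, m := range mounts {
		out = append(out, m.Destination)
	}
	return out
}

func main() {
	// Constructed input: note the duplicate /etc/hosts and the uncleaned "/a/b/".
	in := []Mount{
		{"/b", "bind-b"},
		{"/a/b/", "bind-ab"},
		{"/etc/hosts", "hosts-from-image"},
		{"/a", "bind-a"},
		{"/etc/hosts", "hosts-from-user"},
		{"/", "rootfs"},
	}
	out := SortMounts(in)
	fmt.Println(Destinations(out), "parents first:", ParentsFirst(out))
}
```

`ParentsFirst` is the check to keep around: run it over the final mount list in a test, and any future change to the comparator that breaks parent-before-child ordering fails immediately rather than showing up as an intermittently shadowed mount.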
This addresses bumping crun to v1.2.9, which is a huge jump
but is necessary to address CVE-2025-52881, CVE-2025-31133
and CVE-2025-52565 plus various regressions in earlier versions.

Fixes: https://issues.redhat.com/browse/RHEL-126919

In order to both handle breaking changes related to removal of the
unmaintained `github.com/docker/libnetwork` while keeping this branch as
closely compatible as possible to `release-1.27`, the following major
changes were necessary:

- Removed duplicate functions from run_linux.go (setupMounts,
  runSetupRunMounts, getBindMount, getTmpfsMount, getSSHMount) and
  centralized them in run_common.go
- Updated function signatures to use runMountInfo and IDMaps structs
  instead of individual parameters
- Moved IDMaps and runMountInfo struct definitions from run_common.go
  to run.go to match 1.27 structure
- Moved nonCleanablePrefixes variable from run.go to run_linux.go to
  match 1.27 structure
- Updated addResolvConf call to use spec.Linux.Namespaces instead of
  namespaceOptions
- Changed hardcoded "/etc/resolv.conf" strings to use
  resolvconf.DefaultResolvConf constant
- Updated import aliases: run_common.go now uses imageTypes alias for
  github.com/containers/image/v5/types to match 1.27

This consolidates mount-related code in run_common.go and aligns the
1.26 branch structure with 1.27.

Signed-off-by: Chris Evich <[email protected]>
A prior commit brought in a newer Cobra (out of necessity) which also
hauled in behavior changes WRT global-vs-local flag handling.  In order
to preserve the `buildah` CLI options prior to this change, additional
code changes are needed.  Fix the code such that
`hack/xref-helpmsgs-manpages` does not report any differences compared
to the pre-existing documentation (which presumably passed the check).

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
github.com/moby/sys/capability is a fork of the (no longer maintained)
github.com/syndtr/gocapability package.

For the list of changes since the fork took place, see
https://github.com/moby/sys/blob/main/capability/CHANGELOG.md

Signed-off-by: Kir Kolyshkin <[email protected]>

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
Ambient capabilities can't be raised without inheritable ones, and since we
don't raise inheritable, we should not raise ambient either.

This went unnoticed because of a bug in syndtr/gocapability which is
only fixed in its fork (see the next commit).

Amends commit e7e55c9.

Signed-off-by: Kir Kolyshkin <[email protected]>

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
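The kernel rule behind that commit is that PR_CAP_AMBIENT_RAISE only succeeds for a capability that is already in both the permitted and the inheritable set, so a setup that never populates inheritable can never legitimately populate ambient. Below is an added Go example written for this page (not buildah's code and not the moby/sys/capability API) that parses the Cap* lines of a /proc/<pid>/status excerpt and models the raise precondition and the resulting invariant; `CapSets`, `ParseProcStatus`, `RaiseAmbient`, `Validate` and `SetsForProcess` are illustrative names, and the status text is constructed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// CapSets holds the five per-thread capability sets as 64-bit masks, in the
// same hex layout /proc/<pid>/status prints them.
type CapSets struct {
	Inheritable, Permitted, Effective, Bounding, Ambient uint64
}

// A few capability numbers from <linux/capability.h>.
const (
	CapChown          uint = 0
	CapNetBindService uint = 10
	CapSysAdmin       uint = 21
)

// Bit returns the mask bit for a capability number.
func Bit(capNum uint) uint64 { return 1 << capNum }

// ParseProcStatus pulls the Cap* lines out of the text of /proc/<pid>/status.
func ParseProcStatus(text string) (CapSets, error) {
	var cs CapSets
	seen := 0
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		key, val, ok := strings.Cut(sc.Text(), ":")
		if !ok || !strings.HasPrefix(key, "Cap") {
			continue
		}
		v, err := strconv.ParseUint(strings.TrimSpace(val), 16, 64)
		if err != nil {
			return cs, fmt.Errorf("%s: %w", key, err)
		}
		switch key {
		case "CapInh":
			cs.Inheritable = v
		case "CapPrm":
			cs.Permitted = v
		case "CapEff":
			cs.Effective = v
		case "CapBnd":
			cs.Bounding = v
		case "CapAmb":
			cs.Ambient = v
		default:
			continue
		}
		seen++
	}
	if seen != 5 {
		return cs, errors.New("status text is missing one or more Cap* lines")
	}
	return cs, nil
}

// CanRaiseAmbient mirrors the kernel's PR_CAP_AMBIENT_RAISE precondition:
// the capability must already be in both permitted and inheritable.
func CanRaiseAmbient(cs CapSets, capNum uint) bool {
	b := Bit(capNum)
	return cs.Permitted&b != 0 && cs.Inheritable&b != 0
}

// RaiseAmbient applies that rule, failing the way prctl(2) does (EPERM).
func RaiseAmbient(cs CapSets, capNum uint) (CapSets, error) {
	if !CanRaiseAmbient(cs, capNum) {
		return cs, fmt.Errorf("raise ambient cap %d: not in permitted and inheritable (EPERM)", capNum)
	}
	cs.Ambient |= Bit(capNum)
	return cs, nil
}

// Validate checks the invariant the kernel maintains: ambient is always a
// subset of permitted AND inheritable.
func Validate(cs CapSets) error {
	if extra := cs.Ambient &^ (cs.Permitted & cs.Inheritable); extra != 0 {
		return fmt.Errorf("ambient bits %#x are not in permitted AND inheritable", extra)
	}
	return nil
}

// SetsForProcess builds the sets a container setup applies when it raises
// bounding, permitted and effective but leaves inheritable empty; ambient
// is then left empty too, since raising it could never succeed.
func SetsForProcess(caps []uint) CapSets {
	var mask uint64
	for _, c := range caps {
		mask |= Bit(c)
	}
	return CapSets{Bounding: mask, Permitted: mask, Effective: mask}
}

// sampleStatus is a constructed excerpt of /proc/self/status: the usual
// container-runtime default mask in Prm/Eff/Bnd and an empty inheritable set.
const sampleStatus = `Name:	sh
Uid:	0	0	0	0
CapInh:	0000000000000000
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000
NoNewPrivs:	0
`

func main() {
	cs, err := ParseProcStatus(sampleStatus)
	if err != nil {
		panic(err)
	}
	_, err = RaiseAmbient(cs, CapNetBindService)
	fmt.Println("raise with empty inheritable:", err)
	cs.Inheritable |= Bit(CapNetBindService)
	cs, err = RaiseAmbient(cs, CapNetBindService)
	fmt.Printf("after adding to inheritable: ambient=%#x err=%v\n", cs.Ambient, err)
}
```

A quick way to see the same thing on a live system is `grep ^Cap /proc/self/status`: with CapInh all zeros, the kernel will refuse any ambient raise, so code that only ever touches bounding, permitted and effective should not touch ambient either.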
Use a listener helper to bind to an available-according-to-the-kernel
listening port and run a command with its stdio more or less tied to the
connection instead of trying to launch a git daemon directly using a
port number that we can only guess is available.

Signed-off-by: Nalin Dahyabhai <[email protected]>

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
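Guessing a free port and then launching a daemon on it is a race: the port can be taken between the check and the bind. Binding to port 0 lets the kernel pick, and the bound address is the only reliable place to read the result. The following is an added Go example written for this page, not the helper from the buildah test suite; `ServeCommand` and `Exchange` are illustrative names, and `cat` stands in for the `git daemon --inetd` style command whose stdio is tied to the connection.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"os/exec"
	"sync"
	"time"
)

// ServeCommand binds 127.0.0.1:0 so the kernel chooses a free port, then runs
// `name args...` once per accepted connection with the command's stdin and
// stdout tied to that connection. It returns the address actually bound and
// a stop func that tears everything down.
func ServeCommand(ctx context.Context, name string, args ...string) (net.Addr, func(), error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, nil, err
	}
	ctx, cancel := context.WithCancel(ctx)
	var wg sync.WaitGroup
	wg.Add(1)
	go func() {
		defer wg.Done()
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			wg.Add(1)
			go func(c net.Conn) {
				defer wg.Done()
				defer c.Close()
				cmd := exec.CommandContext(ctx, name, args...)
				cmd.Stdin = c  // the command sees EOF when the peer half-closes
				cmd.Stdout = c // its output goes straight back to the peer
				// Bound how long Run waits for the stdio copiers after the
				// process is killed, so a peer that never closes cannot wedge stop().
				cmd.WaitDelay = 2 * time.Second
				if err := cmd.Run(); err != nil && ctx.Err() == nil {
					fmt.Println("command failed:", err)
				}
			}(conn)
		}
	}()
	stop := func() {
		cancel()   // kills in-flight commands
		ln.Close() // unblocks Accept
		wg.Wait()
	}
	return ln.Addr(), stop, nil
}

// Exchange dials addr, sends payload, half-closes the write side so the
// served command sees EOF, and returns everything the command wrote back.
func Exchange(addr net.Addr, payload string) (string, error) {
	conn, err := net.Dial("tcp", addr.String())
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := io.WriteString(conn, payload); err != nil {
		return "", err
	}
	if err := conn.(*net.TCPConn).CloseWrite(); err != nil {
		return "", err
	}
	out, err := io.ReadAll(conn)
	return string(out), err
}

func main() {
	// "cat" stands in for a daemon run in inetd mode: it echoes stdin to stdout.
	addr, stop, err := ServeCommand(context.Background(), "cat")
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println("bound to", addr) // port chosen by the kernel, never guessed
	reply, err := Exchange(addr, "hello from the test client\n")
	fmt.Printf("%q %v\n", reply, err)
}
```

The design point is that nothing here ever inspects the port before using it: the listener is created first and the address is read back from it, so there is no window in which another process can grab the number. The half-close in `Exchange` is what lets a stdin-driven command terminate cleanly; without it the served process blocks on stdin until the context is cancelled.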
Handle requested relabeling of bind mounts (i.e., the "z" and "Z" flags)
directly, instead of letting the runtime handle the relabeling.

Signed-off-by: Nalin Dahyabhai <[email protected]>

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
Signed-off-by: Nalin Dahyabhai <[email protected]>

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
Use the named constants for the status values that runtimes can report
to us when we run them with the "state" command.

Signed-off-by: Nalin Dahyabhai <[email protected]>

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
Tweak the wording that describes the effects of --cgroup-parent to be
clear that it only affects handling of RUN instructions.

Signed-off-by: Nalin Dahyabhai <[email protected]>

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
Run integration tests (both as root and rootless) with both crun and
runc on Fedora, to help ensure that we can use either.

Signed-off-by: Nalin Dahyabhai <[email protected]>

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
The previous handful of commits introduced fairly massive changes to
buildah, including an overhaul of the CI runtime environment itself.
Because of this, several tests need adjusting to match the new reality.

Signed-off-by: Chris Evich <[email protected]>
It is completely broken (see containers#4396) and is now causing failures
in Fedora gating tests:

   https://artifacts.dev.testing-farm.io/30e7b5bc-d162-4ae7-9a60-896f0186bf73/

Signed-off-by: Ed Santiago <[email protected]>
This branch is only used as the source for RHEL releases, prune CI tests
that are irrelevant for this purpose.

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
A bug is present in some versions of runc (including 1.2.8) which results
in the wrong number of CPU shares being used. Since the runc version
may change in a future commit, but still contain the bug, simply skip
the test rather than checking against the miscalculated value.

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
The -cover flag causes many 'error: coverage... ; no coverage data written'
messages when GOCOVERDIR is not set. These messages needlessly clutter the
test output. Remove the -cover flag.

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
Update the versions of ginkgo that we build for use by our e2e tests,
and the linter.

Signed-off-by: Nalin Dahyabhai <[email protected]>

Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
Newer branches abandoned this with 198b4c3 but it was never
backported to this branch.  Remove the test as this is a RHEL release
branch and uses a separate spec file maintained in various dist-git repos.

Signed-off-by: Chris Evich <[email protected]>
@cevich cevich force-pushed the release-1.26_cve_3113-52565-52881 branch from 727c661 to 97582c3 on December 5, 2025 18:44
Signed-off-by: Chris Evich <[email protected]>
Assisted-by: Claude (Anthropic)
Signed-off-by: Chris Evich <[email protected]>
@cevich cevich force-pushed the release-1.26_cve_3113-52565-52881 branch from 97582c3 to 4f31f08 on December 5, 2025 19:41

4 participants