Skip to content

Pin back to runc v1.2 for CVE fixes#191

Merged
ystros merged 5 commits intomasterfrom
bump-runc-1.2.8
Nov 12, 2025
Merged

Pin back to runc v1.2 for CVE fixes#191
ystros merged 5 commits intomasterfrom
bump-runc-1.2.8

Conversation

@ystros
Copy link
Copy Markdown
Contributor

@ystros ystros commented Nov 12, 2025

There are currently a set of CVEs out in runc: CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881. These have been patched in runc 1.2.8, 1.3.3, and the upcoming 1.4.0.

We have been attempting to bump to runc 1.3, but problems keep arising. In the interest of getting these CVE fixes out, this PR pins back to runc 1.2. This should be safer to consume, particularly for users of bpm who need the CVE fix. We should address the upgrade to runc 1.3 separately (potentially as a new minor for bpm)

The bump to runc 1.2.8 also required us to explicitly add openat2 and statx as allowed system calls. The previous fallback behavior implemented by runc no longer seems to work in Concourse at least.

See also:

@ystros
Temporarily lock to runc v1.2.x
909fd69 
There are currently a set of CVEs out in runc: CVE-2025-31133, CVE-2025-52565,
and CVE-2025-52881. These have been patched in 1.2.8, 1.3.3, and the upcoming
1.4.0. In the interest of getting this fix out, this commit pins back to using
runc 1.2.x, as we have not had a successful run with 1.3.x yet.
@ystros
Manually bump to runc 1.2.8 go package
fc3b17a
@ystros
Revert assertions for too many files open
651c957 
This reverts the test updates in d1b9267 that
were necessary for trying to upgrade to runc 1.3.
@ystros
Bump runc blob to v1.2.8
88c4320
@ystros
Explicitly allow openat2 and statx calls
d8fa2cc 
Previously, we were relying on runc's fallback behavior for these system calls.
This started failing after upgrading to runc 1.2.8, at least in the context of
our CI containers. Adding them as allowed system calls allows runc to work as
before.

openat2 was introduced in Linux kernel 5.6, while statx was introduced in 4.15.
Explicitly allowing these calls should be fine because the oldest supported
stemcell line (Ubuntu Jammy) uses kernel 5.15.
@ystros ystros requested a review from aramprice November 12, 2025 00:32
@ystros ystros marked this pull request as ready for review November 12, 2025 18:26
@github-project-automation github-project-automation bot moved this from Inbox to Pending Merge | Prioritized in Foundational Infrastructure Working Group Nov 12, 2025
@ragaskar ragaskar self-assigned this Nov 12, 2025
ragaskar
ragaskar approved these changes Nov 12, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@ragaskar ragaskar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ystros ystros merged commit 48c9b70 into master Nov 12, 2025
3 checks passed
@github-project-automation github-project-automation bot moved this from Pending Merge | Prioritized to Done in Foundational Infrastructure Working Group Nov 12, 2025
@ystros ystros deleted the bump-runc-1.2.8 branch November 12, 2025 18:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aramprice aramprice aramprice approved these changes

@ragaskar ragaskar ragaskar approved these changes

@selzoc selzoc selzoc approved these changes

Assignees

@ragaskar ragaskar

Labels

None yet

Projects

Foundational Infrastructure Working Group
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ystros @aramprice @ragaskar @selzoc