Skip to content

[release-1.21] Bump runc to v1.2.9 - CVE-2025-52881 #6522

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
TomSweeneyRedHat merged 38 commits into from
Jan 20, 2026
Merged

[release-1.21] Bump runc to v1.2.9 - CVE-2025-52881 #6522

TomSweeneyRedHat merged 38 commits into from
Jan 20, 2026

Conversation

@dashea
Copy link

@dashea dashea commented Nov 20, 2025

What type of PR is this?

/kind other

What this PR does / why we need it:

Bump runc to v1.2.8, to address CVE-2025-52881. This is a huge jump, but this version of runc is the earliest that contains a fix for this CVE.

Which issue(s) this PR fixes:

This also fixes CVE-2025-31133 and CVE-2025-52565.

Fixes RHEL-126918.

How to verify it

Special notes for your reviewer:

Does this PR introduce a user-facing change?

None

[NO NEW TESTS NEEDED]

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 20, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dashea
Once this PR has been reviewed and has the lgtm label, please assign lsm5 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dashea @nalind
Bump runc to v1.2.9 - CVE-2025-52881
45b0369 
Also update containers/storage to handle changes in the runc API.

Fixes: https://issues.redhat.com/browse/RHEL-126918

Signed-off-by: David Shea <dshea@redhat.com>
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@dashea dashea force-pushed the dshea-release-1.21-runc-update branch 11 times, most recently from 9f4ef97 to d0fd160 Compare December 11, 2025 20:09
nalind and others added 16 commits December 11, 2025 15:20
@nalind
Makefile: drop non-Linux cross-compile targets
ff1e3ab 
The updated libcontainer (part of runc) doesn't compile as cleanly on
non-Linux platforms.  We could work around some of the types not being
defined on those platforms, as we do in later branches, but for now, and
unless we need to for downstream consumers, this gets us to passing CI
faster.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
Update golang.org/x/tools to v0.26.0
d6bdc6e 
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
tests/tools: update ginkgo and golangci-lint
970cb06 
Update the versions of ginkgo that we build for use by our e2e tests,
and the linter.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
Update other dependencies
08746fd 
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@dashea @nalind
Update go-selinux uses to handle API changes
7b58dd4 
Signed-off-by: David Shea <dshea@redhat.com>
@dashea @nalind
Switch to moby/sys/userns for RunningInUserNS
e82cf4b 
Signed-off-by: David Shea <dshea@redhat.com>
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@dashea @nalind
Bump CI environment
d53a7ca 
Signed-off-by: David Shea <dshea@redhat.com>
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
CI: switch to debian for testing there
4e6abc5 
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
Handle errors.Cause() returning not-completely-unwrapped errors
42ad38c 
The github.com/pkg/errors.Cause() function didn't call Unwrap(), so
directly comparing its returned value with specific errors could fail.
Compensate for that by using errors.Is() or errors.As() where possible.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
Update to compensate for containers/common API changes
b811a79 
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@vrothberg @nalind
use c/image/pkg/blobcache
c762d12 
Buildah's pkg/blobcache has been moved into containers/image [1] to
consolidate implementations of interfaces such as image destinations
and image sources.

Since there are no functional changes: [NO NEW TESTS NEEDED]

[1] containers/image#1459

Signed-off-by: Valentin Rothberg <vrothberg@redhat.com>
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
tests/serve/serve.go: use a kernel-assigned port
7428289 
When firing up a minimal server to serve up content so that we can
retrieve it using HTTP, make it possible to let the kernel assign us
which port to use, so that the script that's calling us doesn't have to
make a(n occasionally bad) guess.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
Update linter configuration and address some warnings
b00a2c8 
Update linter configuration to more closely align with main.  Address
some linter warnings, mark some others to be ignored.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@cevich @nalind
Don't set ambient capabilities
323e72f 
Ambient capabilities can't be raised without inheritable ones, and since we
don't raise inheritable, we should not raise ambient either.

This went unnoticed because of a bug in syndtr/gocapability which is
only fixed in its fork (see the next commit).

Amends commit e7e55c9.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

Signed-off-by: Chris Evich <cevich@redhat.com>
Assisted-by: Claude (Anthropic)
@nalind
Stop setting "parent" in docker format
40dc9c4 
Newer docker build doesn't set it, so we need to stop.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
commit: set "parent" for docker format only when requested
ff26722 
Make setting the Parent field in the config blob of a docker format
image optional (yes, we're bringing it back!), since it no longer
appears to be set by newer versions of docker build.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
nalind and others added 9 commits December 12, 2025 19:16
@nalind
Backport permissions fixup for test git server from containers#5550
19a87af 
Backport a fixup of the permissions of the testing git repository that
we use when checking that we can clone repositories when building,
because I generated the tarball of the contents with myself as the
owner, instead of root, and newer git thinks that looks suspect.

Ed fixed this on main a while ago.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
run: handle relabeling bind mounts ourselves
0fada24 
Handle requested relabeling of bind mounts (i.e., the "z" and "Z" flags)
directly, instead of letting the runtime handle the relabeling.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@cevich @nalind
Add a dummy "runtime" that just dumps its config file
61689d3 
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>

Signed-off-by: Chris Evich <cevich@redhat.com>
Assisted-by: Claude (Anthropic)
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
runUsingRuntime: use named constants for runtime states
9d66768 
Use the named constants for the status values that runtimes can report
to us when we run them with the "state" command.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
Update the selinux spc test
14795b1 
Pick up the test updates from containers#4829, where we learned that disabling
SELinux process labeling in a non-privileged context doesn't result in
the container process being granted super privileges.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
bud --pull=false --arch test: accept either RPM or Go arch names
d1571b6 
When checking the not-standardized "architecture" label in the ubi8 base
image, accept either the RPM-recognized value (x86_64, aarch64) or Go
value (amd64, arm64), because it seems to have changed at least once.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
Add /usr/lib/cni to define.DefaultCNIPluginPath
74d6858 
Add /usr/lib/cni, which is where Debian packages
containernetworking-plugins, to the default set of paths we search for
CNI plugins.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
from add-host test: accept either tabs or spaces in /etc/hosts
aacef2b 
When checking that the /etc/hosts entry that we add looks right, accept
either tabs or spaces separating the IP address from the hostname, since
we actually use tabs.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind
run: fix nil deref using the option's logger (from containers#3431)
116af5e 
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@dashea dashea force-pushed the dshea-release-1.21-runc-update branch from d0fd160 to 7a63373 Compare January 9, 2026 20:18
@dosubot dosubot bot added the size:XL This PR changes 500-999 lines, ignoring generated files. label Jan 9, 2026
@dashea dashea force-pushed the dshea-release-1.21-runc-update branch 3 times, most recently from fb62e78 to 8bbab84 Compare January 15, 2026 14:28
@nalind @dashea
[release-1.21] Partially work around containers/common
0b7f500 
 ... setting RLIMIT_NPROC wrong

The version of containers/common we're currently using on this branch included a
bug which was later fixed by containers/common#2199.
If we get an update on its v0.60 branch which includes that fix, we can
drop this patch from this branch, but until then, work around the part
that breaks our tests.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
@dashea dashea force-pushed the dshea-release-1.21-runc-update branch 3 times, most recently from 4ee7d60 to 64d2811 Compare January 16, 2026 16:15
nalind added 2 commits January 20, 2026 13:39
@nalind @dashea
copier.unwrapError(): update for Go 1.16
f5be585 
Since we started calling into the standard library's io/fs package
directly, we effectively made Go 1.16 our minimum Go version, so we
don't need to keep the workaround for compiling with Go 1.12.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@nalind @dashea
copier test: use correct UID/GID in test archives
ff99ef4 
Handing Put() an archive which uses host IDs while also including ID
maps for mapping from container IDs to host IDs is a mistake, and the
tests have been failing when run by non-root users since storage v1.38
started flagging it as such.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@dashea dashea force-pushed the dshea-release-1.21-runc-update branch from 64d2811 to 1b2fbc1 Compare January 20, 2026 18:42
@dashea
Bump the version to 1.21.6
36e881e 
Signed-off-by: David Shea <dshea@redhat.com>
@dashea dashea force-pushed the dshea-release-1.21-runc-update branch from 1b2fbc1 to 36e881e Compare January 20, 2026 18:44
@nalind
Copy link
Member

nalind commented Jan 20, 2026

LGTM, thanks!

@TomSweeneyRedHat TomSweeneyRedHat changed the title [release-1.21] Bump runc to v1.2.8 - CVE-2025-52881 [release-1.21] Bump runc to v1.2.9 - CVE-2025-52881 Jan 20, 2026
@TomSweeneyRedHat
Copy link
Member

TomSweeneyRedHat commented Jan 20, 2026

FYI, I tweaked the title of the PR from runc 1.2.8 to 1.2.9.

@nalind nalind mentioned this pull request Jan 20, 2026
Closed
@TomSweeneyRedHat
Copy link
Member

TomSweeneyRedHat commented Jan 20, 2026

LGTM

@TomSweeneyRedHat
Copy link
Member

TomSweeneyRedHat commented Jan 20, 2026

/lgtm

@TomSweeneyRedHat TomSweeneyRedHat merged commit 1949a14 into containers:release-1.21 Jan 20, 2026
30 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

kind/other size:XL This PR changes 500-999 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@dashea @nalind @TomSweeneyRedHat @vrothberg @cevich