
Commit 2791007

Merge pull request #27471 from TomSweeneyRedHat/dev/tsweeney/cve-2025-52881-v5.6-rhel
[v5.6-rhel] Bump runc to v1.3.3 - CVE-2025-52881
2 parents 1cf61c4 + 90eeef7 commit 2791007


58 files changed

+3730
-1050
lines changed

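--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
 github.com/containers/winquit v1.1.0
 github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
 github.com/crc-org/vfkit v0.6.1
-github.com/cyphar/filepath-securejoin v0.4.1
+github.com/cyphar/filepath-securejoin v0.5.1
 github.com/digitalocean/go-qemu v0.0.0-20250212194115-ee9b0668d242
 github.com/docker/distribution v2.8.3+incompatible
 github.com/docker/docker v28.3.3+incompatible
@@ -146,7 +146,7 @@ require (
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
 github.com/morikuni/aec v1.0.0 // indirect
-github.com/opencontainers/runc v1.3.0 // indirect
+github.com/opencontainers/runc v1.3.3 // indirect
 github.com/pkg/errors v0.9.1 // indirect
 github.com/pkg/sftp v1.13.9 // indirect
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect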

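--- a/go.sum
+++ b/go.sum
@@ -99,8 +99,8 @@ github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
 github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 h1:uX1JmpONuD549D73r6cgnxyUu18Zb7yHAy5AYU0Pm4Q=
 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
-github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
-github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
+github.com/cyphar/filepath-securejoin v0.5.1 h1:eYgfMq5yryL4fbWfkLpFFy2ukSELzaJOTaUTuh+oF48=
+github.com/cyphar/filepath-securejoin v0.5.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -329,8 +329,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/opencontainers/runc v1.3.0 h1:cvP7xbEvD0QQAs0nZKLzkVog2OPZhI/V2w3WmTmUSXI=
-github.com/opencontainers/runc v1.3.0/go.mod h1:9wbWt42gV+KRxKRVVugNP6D5+PQciRbenB4fLVsqGPs=
+github.com/opencontainers/runc v1.3.3 h1:qlmBbbhu+yY0QM7jqfuat7M1H3/iXjju3VkP9lkFQr4=
+github.com/opencontainers/runc v1.3.3/go.mod h1:D7rL72gfWxVs9cJ2/AayxB0Hlvn9g0gaF1R7uunumSI=
 github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
 github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/runtime-tools v0.9.1-0.20250523060157-0ea5ed0382a2 h1:2xZEHOdeQBV6PW8ZtimN863bIOl7OCW/X10K0cnxKeA=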

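--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -21,7 +21,7 @@ import (
 "github.com/containers/podman/v5/libpod/define"
 "github.com/containers/podman/v5/libpod/shutdown"
 "github.com/containers/podman/v5/pkg/rootless"
-securejoin "github.com/cyphar/filepath-securejoin"
+"github.com/cyphar/filepath-securejoin/pathrs-lite"
 "github.com/moby/sys/capability"
 spec "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/opencontainers/runtime-tools/generate"
@@ -741,7 +741,7 @@ func (s *safeMountInfo) Close() {
 // The caller is responsible for closing the file descriptor and unmounting the subpath
 // when it's no longer needed.
 func (c *Container) safeMountSubPath(mountPoint, subpath string) (s *safeMountInfo, err error) {
-file, err := securejoin.OpenInRoot(mountPoint, subpath)
+file, err := pathrs.OpenInRoot(mountPoint, subpath)
 if err != nil {
 return nil, err
 }
@@ -834,7 +834,7 @@ var hasCapSysResource = sync.OnceValues(func() (bool, error) {
 
 // containerPathIsFile returns true if the given containerPath is a file
 func containerPathIsFile(unsafeRoot string, containerPath string) (bool, error) {
-f, err := securejoin.OpenInRoot(unsafeRoot, containerPath)
+f, err := pathrs.OpenInRoot(unsafeRoot, containerPath)
 if err != nil {
 return false, err
 }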
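Review bot: The new import in the first hunk carries no alias even though its path ends in `pathrs-lite` while the calls below use the identifier `pathrs` (`pathrs.OpenInRoot` in safeMountSubPath and containerPathIsFile), so a reader cannot tell from the file which import supplies that name. Writing it as `pathrs "github.com/cyphar/filepath-securejoin/pathrs-lite"` keeps the binding explicit, as the removed line did with `securejoin`. The same applies to the import in pkg/domain/infra/abi/play_linux.go. Both function bodies continue outside their hunks.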

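--- a/pkg/domain/infra/abi/play_linux.go
+++ b/pkg/domain/infra/abi/play_linux.go
@@ -5,14 +5,14 @@ package abi
 import (
 "os"
 
-securejoin "github.com/cyphar/filepath-securejoin"
+"github.com/cyphar/filepath-securejoin/pathrs-lite"
 )
 
 // openSymlinkPath opens the path under root using securejoin.OpenatInRoot().
 func openSymlinkPath(root *os.File, unsafePath string, flags int) (*os.File, error) {
-file, err := securejoin.OpenatInRoot(root, unsafePath)
+file, err := pathrs.OpenatInRoot(root, unsafePath)
 if err != nil {
 return nil, err
 }
-return securejoin.Reopen(file, flags)
+return pathrs.Reopen(file, flags)
 }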
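Review bot: The doc comment on openSymlinkPath still reads `using securejoin.OpenatInRoot()`, but the function now calls `pathrs.OpenatInRoot` and `pathrs.Reopen`, and `securejoin` is no longer imported in this file. Update it to `// openSymlinkPath opens the path under root using pathrs.OpenatInRoot().` so the comment names the API that actually confines the lookup to root. A second sentence noting that the handle is then reopened with the caller's `flags` via `pathrs.Reopen` would document the whole contract.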

vendor/github.com/cyphar/filepath-securejoin/.golangci.yml

Lines changed: 56 additions & 0 deletions

vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md

Lines changed: 150 additions & 3 deletions
