diff --git a/patch/0155-runc-fix-CVE-2025-31133.patch b/patch/0155-runc-fix-CVE-2025-31133.patch new file mode 100644 index 0000000000000000000000000000000000000000..04574eb0af347686c36e907a3f210a5dda1c3505 --- /dev/null +++ b/patch/0155-runc-fix-CVE-2025-31133.patch @@ -0,0 +1,275 @@ +From a4c5be4e46f6e211286441f7981e6bb9ab4150ce Mon Sep 17 00:00:00 2001 +From: Kir Kolyshkin +Date: Thu, 6 Mar 2025 08:19:45 -0800 +Subject: [PATCH] libct: add/use isDevNull, verifyDevNull + +The /dev/null in a container should not be trusted, because when /dev +is a bind mount, /dev/null is not created by runc itself. + +1. Add isDevNull which checks the fd minor/major and device type, + and verifyDevNull which does the stat and the check. + +2. Rewrite maskPath to open and check /dev/null, and use its fd to + perform mounts. Move the loop over the MaskPaths into the function, + and rename it to maskPaths. + +3. reOpenDevNull: use verifyDevNull and isDevNull. + +4. fixStdioPermissions: use isDevNull instead of stat. + +Conflict:yes +Refrence:https://gitee.com/src-openeuler/runc/pulls/332 + +Fixes: GHSA-9493-h29p-rfm2 CVE-2025-31133 +Co-authored-by: Rodrigo Campos +Signed-off-by: Kir Kolyshkin +Signed-off-by: Aleksa Sarai +--- + internal/sys/doc.go | 5 ++ + internal/sys/verify_inode_unix.go | 30 ++++++++++ + libcontainer/init_linux.go | 10 ++-- + libcontainer/rootfs_linux.go | 87 +++++++++++++++++++++++++---- + libcontainer/standard_init_linux.go | 7 +-- + 5 files changed, 119 insertions(+), 20 deletions(-) + create mode 100644 internal/sys/doc.go + create mode 100644 internal/sys/verify_inode_unix.go + +diff --git a/internal/sys/doc.go b/internal/sys/doc.go +new file mode 100644 +index 0000000..075387f +--- /dev/null ++++ b/internal/sys/doc.go +@@ -0,0 +1,5 @@ ++// Package sys is an internal package that contains helper methods for dealing ++// with Linux that are more complicated than basic wrappers. Basic wrappers ++// usually belong in internal/linux. If you feel something belongs in ++// libcontainer/utils or libcontainer/system, it probably belongs here instead. ++package sys +diff --git a/internal/sys/verify_inode_unix.go b/internal/sys/verify_inode_unix.go +new file mode 100644 +index 0000000..aab1216 +--- /dev/null ++++ b/internal/sys/verify_inode_unix.go +@@ -0,0 +1,30 @@ ++package sys ++ ++import ( ++ "fmt" ++ "os" ++ "runtime" ++ "syscall" ++) ++ ++// VerifyInodeFunc is the callback passed to [VerifyInode] to check if the ++// inode is the expected type (and on the correct filesystem type, in the case ++// of filesystem-specific inodes). ++type VerifyInodeFunc func(stat *syscall.Stat_t, statfs *syscall.Statfs_t) error ++ ++// VerifyInode verifies that the underlying inode for the given file matches an ++// expected inode type (possibly on a particular kind of filesystem). This is ++// mainly a wrapper around [VerifyInodeFunc]. ++func VerifyInode(file *os.File, checkFunc VerifyInodeFunc) error { ++ var stat syscall.Stat_t ++ if err := syscall.Fstat(int(file.Fd()), &stat); err != nil { ++ return fmt.Errorf("fstat %q: %w", file.Name(), err) ++ } ++ var statfs syscall.Statfs_t ++ if err := syscall.Fstatfs(int(file.Fd()), &statfs); err != nil { ++ return fmt.Errorf("fstatfs %q: %w", file.Name(), err) ++ } ++ runtime.KeepAlive(file) ++ return checkFunc(&stat, &statfs) ++} ++ +diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go +index fd417ca..38ae8ba 100644 +--- a/libcontainer/init_linux.go ++++ b/libcontainer/init_linux.go +@@ -352,10 +352,6 @@ func setupUser(config *initConfig) error { + // The ownership needs to match because it is created outside of the container and needs to be + // localized. + func fixStdioPermissions(config *initConfig, u *user.ExecUser) error { +- var null syscall.Stat_t +- if err := syscall.Stat("/dev/null", &null); err != nil { +- return err +- } + for _, fd := range []uintptr{ + os.Stdin.Fd(), + os.Stderr.Fd(), +@@ -366,8 +362,10 @@ func fixStdioPermissions(config *initConfig, u *user.ExecUser) error { + return err + } + +- // Skip chown of /dev/null if it was used as one of the STDIO fds. +- if s.Rdev == null.Rdev { ++ // Skip chown if: ++ // - uid is already the one we want, or ++ // - fd is opened to /dev/null. ++ if isDevNull(&s) { + continue + } + +diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go +index ddada6b..cab1e7c 100644 +--- a/libcontainer/rootfs_linux.go ++++ b/libcontainer/rootfs_linux.go +@@ -4,6 +4,7 @@ + package libcontainer + + import ( ++ "errors" + "fmt" + "io" + "io/ioutil" +@@ -11,14 +12,17 @@ import ( + "os/exec" + "path" + "path/filepath" ++ "strconv" + "strings" + "syscall" + "time" ++ "golang.org/x/sys/unix" + + securejoin "github.com/cyphar/filepath-securejoin" + "github.com/docker/docker/pkg/mount" + "github.com/docker/docker/pkg/symlink" + "github.com/mrunalp/fileutils" ++ "github.com/opencontainers/runc/internal/sys" + "github.com/opencontainers/runc/libcontainer/utils" + "github.com/opencontainers/runc/libcontainer/cgroups" + "github.com/opencontainers/runc/libcontainer/configs" +@@ -483,20 +487,20 @@ func setupDevSymlinks(rootfs string) error { + // needs to be called after we chroot/pivot into the container's rootfs so that any + // symlinks are resolved locally. + func reOpenDevNull() error { +- var stat, devNullStat syscall.Stat_t + file, err := os.OpenFile("/dev/null", os.O_RDWR, 0) + if err != nil { + return fmt.Errorf("Failed to open /dev/null - %s", err) + } + defer file.Close() +- if err := syscall.Fstat(int(file.Fd()), &devNullStat); err != nil { +- return err ++ if err := verifyDevNull(file); err != nil { ++ return fmt.Errorf("can't reopen /dev/null: %w", err) + } + for fd := 0; fd < 3; fd++ { ++ var stat syscall.Stat_t + if err := syscall.Fstat(fd, &stat); err != nil { + return err + } +- if stat.Rdev == devNullStat.Rdev { ++ if isDevNull(&stat) { + // Close and re-open the fd. + if err := syscall.Dup3(int(file.Fd()), fd, 0); err != nil { + return err +@@ -829,18 +833,81 @@ func remountReadonly(m *configs.Mount) error { + return fmt.Errorf("unable to mount %s as readonly max retries reached", dest) + } + +-// maskPath masks the top of the specified path inside a container to avoid ++// Mkdev returns a Linux device number generated from the given major and minor ++// components. ++func mkdev(major, minor uint32) uint64 { ++ dev := (uint64(major) & 0x00000fff) << 8 ++ dev |= (uint64(major) & 0xfffff000) << 32 ++ dev |= (uint64(minor) & 0x000000ff) << 0 ++ dev |= (uint64(minor) & 0xffffff00) << 12 ++ return dev ++} ++ ++func isDevNull(st *syscall.Stat_t) bool { ++ return st.Mode&syscall.S_IFMT == syscall.S_IFCHR && st.Rdev == mkdev(1, 3) ++} ++ ++func verifyDevNull(f *os.File) error { ++ return sys.VerifyInode(f, func(st *syscall.Stat_t, _ *syscall.Statfs_t) error { ++ if !isDevNull(st) { ++ return fmt.Errorf("container's /dev/null is invalid") ++ } ++ return nil ++ }) ++} ++ ++// maskPaths masks the top of the specified path inside a container to avoid + // security issues from processes reading information from non-namespace aware + // mounts ( proc/kcore ). + // For files, maskPath bind mounts /dev/null over the top of the specified path. + // For directories, maskPath mounts read-only tmpfs over the top of the specified path. +-func maskPath(path string) error { +- if err := syscall.Mount("/dev/null", path, "", syscall.MS_BIND, ""); err != nil && !os.IsNotExist(err) { +- if err == syscall.ENOTDIR { +- return syscall.Mount("tmpfs", path, "tmpfs", syscall.MS_RDONLY, "") ++func maskPaths(paths []string) error { ++ devNull, err := os.OpenFile("/dev/null", unix.O_PATH, 0) ++ if err != nil { ++ return fmt.Errorf("can't mask paths: %w", err) ++ } ++ defer devNull.Close() ++ if err := verifyDevNull(devNull); err != nil { ++ return fmt.Errorf("can't mask paths: %w", err) ++ } ++ procSelfFd, closer := utils.ProcThreadSelf("fd/") ++ defer closer() ++ ++ for _, path := range paths { ++ // Open the target path; skip if it doesn't exist. ++ dstFh, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC, 0) ++ if err != nil { ++ if errors.Is(err, os.ErrNotExist) { ++ continue ++ } ++ return fmt.Errorf("can't mask path %q: %w", path, err) + } +- return err ++ st, err := dstFh.Stat() ++ ++ if err != nil { ++ dstFh.Close() ++ return fmt.Errorf("can't mask path %q: %w", path, err) ++ } ++ var dstType string ++ if st.IsDir() { ++ // Destination is a directory: bind mount a ro tmpfs over it. ++ dstType = "dir" ++ err = syscall.Mount("tmpfs", path, "tmpfs", syscall.MS_RDONLY, "") ++ } else { ++ // Destination is a file: mount it to /dev/null. ++ dstType = "path" ++ src, closer := utils.ProcThreadSelfFd(devNull.Fd()) ++ defer closer() ++ dstFd := filepath.Join(procSelfFd, strconv.Itoa(int(dstFh.Fd()))) ++ err = syscall.Mount(src, path, dstFd, syscall.MS_BIND, "") ++ } ++ dstFh.Close() ++ if err != nil { ++ return fmt.Errorf("can't mask %s %q: %w", dstType, path, err) ++ } ++ + } ++ + return nil + } + +diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go +index 7ebf1a2..4568717 100644 +--- a/libcontainer/standard_init_linux.go ++++ b/libcontainer/standard_init_linux.go +@@ -132,10 +132,9 @@ func (l *linuxStandardInit) Init() error { + } + } + } +- for _, path := range l.config.Config.MaskPaths { +- if err := maskPath(path); err != nil { +- return err +- } ++ ++ if err := maskPaths(l.config.Config.MaskPaths); err != nil { ++ return err + } + pdeath, err := system.GetParentDeathSignal() + if err != nil { +-- +2.43.0 + diff --git a/patch/0156-runc-fix-CVE-2025-52565.patch b/patch/0156-runc-fix-CVE-2025-52565.patch new file mode 100644 index 0000000000000000000000000000000000000000..1348ddbdf729c216f389770adac63c017ef37180 --- /dev/null +++ b/patch/0156-runc-fix-CVE-2025-52565.patch @@ -0,0 +1,148 @@ +From d8e6bf088e120670a2e39dc83f3280992690fcda Mon Sep 17 00:00:00 2001 +From: zhongjiawei +Date: Tue, 2 Dec 2025 17:33:28 +0800 +Subject: [PATCH] console: use TIOCGPTPEER when allocating peer PTY + +When opening the peer end of a pty, the old kernel API required us to +open /dev/pts/$num inside the container (at least since we fixed console +handling many years ago in commit 244c9fc426ae ("*: console rewrite")). + +The problem is that in a hostile container it is possible for +/dev/pts/$num to be an attacker-controlled symlink that runc can be +tricked into resolving when doing bind-mounts. This allows the attacker +to (among other things) persist /proc/... entries that are later masked +by runc, allowing an attacker to escape through the kernel.core_pattern +sysctl (/proc/sys/kernel/core_pattern). This is the original issue +reported by Lei Wang and Li Fu Bang in CVE-2025-52565. + +However, it should be noted that this is not entirely a newly-discovered +problem. Way back in Linux 4.13 (2017), I added the TIOCGPTPEER ioctl, +which allows us to get a pty peer without touching the /dev/pts inside +the container. The original threat model was around an attacker +replacing /dev/pts/$n or /dev/pts/ptmx with some malicious inode (a DoS +inode, or possibly a PTY they wanted a confused deputy to operate on). +Unfortunately, there was no practical way for runc to cache a safe +O_PATH handle to /dev/pts/ptmx (unlike other runtimes like LXC, which +switched to TIOCGPTPEER way back in 2017). Since it wasn't clear how we +could protect against the main attack TIOCGPTPEER was meant to protect +against, we never switched to it (even though I implemented it +specifically to harden container runtimes). + +Unfortunately, It turns out that mount *sources* are a threat we didn't +fully consider. Since TIOCGPTPEER already solves this problem entirely +for us in a race free way, we should just use that. In a later patch, we +will add some hardening for /dev/pts/$num opening to maintain support +for very old kernels (Linux 4.13 is very old at this point, but RHEL 7 +is still kicking and is stuck on Linux 3.10). + +Fixes: GHSA-qw9x-cqr3-wc7r CVE-2025-52565 +Reported-by: Lei Wang (CVE-2025-52565) +Reported-by: lfbzhm (CVE-2025-52565) +Reported-by: Aleksa Sarai (TIOCGPTPEER) +Signed-off-by: Aleksa Sarai +--- + libcontainer/console_linux.go | 40 +++++++++++++++++++++++++------- + libcontainer/utils/utils_unix.go | 23 ++++++++++++++++++ + 2 files changed, 55 insertions(+), 8 deletions(-) + +diff --git a/libcontainer/console_linux.go b/libcontainer/console_linux.go +index 5927bdc..5e3c42d 100644 +--- a/libcontainer/console_linux.go ++++ b/libcontainer/console_linux.go +@@ -5,6 +5,7 @@ import ( + "os" + "unsafe" + ++ "github.com/opencontainers/runc/libcontainer/utils" + "golang.org/x/sys/unix" + ) + +@@ -66,16 +67,39 @@ func (c *linuxConsole) Close() error { + // mount initializes the console inside the rootfs mounting with the specified mount label + // and applying the correct ownership of the console. + func (c *linuxConsole) mount() error { +- oldMask := unix.Umask(0000) +- defer unix.Umask(oldMask) +- f, err := os.Create("/dev/console") +- if err != nil && !os.IsExist(err) { +- return err ++ console, err := os.OpenFile("/dev/console", unix.O_NOFOLLOW|unix.O_CREAT|unix.O_CLOEXEC, 0o666) ++ if err != nil { ++ return fmt.Errorf("create /dev/console mount target: %w", err) ++ } ++ defer console.Close() ++ ++ dstFd, closer1 := utils.ProcThreadSelfFd(console.Fd()) ++ defer closer1() ++ ++ isMount, err := utils.IsRealMountPoint(c.slavePath) ++ if err != nil || isMount { ++ return fmt.Errorf("slavePath is unsafe mountpoint %s: %w", c.slavePath, err) ++ } ++ peerPty, err := c.open(unix.O_RDWR | unix.O_NOCTTY | unix.O_CLOEXEC) ++ if err != nil { ++ return nil ++ } ++ src, closer := utils.ProcThreadSelfFd(peerPty.Fd()) ++ defer closer() ++ return consoleMount(src, "/dev/console", dstFd, "bind", unix.MS_BIND, "") ++} ++ ++// mount is a simple unix.Mount wrapper. If procfd is not empty, it is used ++// instead of target (and the target is only used to add context to an error). ++func consoleMount(source, target, peerPtyFd, fstype string, flags uintptr, data string) error { ++ dst := target ++ if peerPtyFd != "" { ++ dst = peerPtyFd + } +- if f != nil { +- f.Close() ++ if err := unix.Mount(source, dst, fstype, flags, data); err != nil { ++ return err + } +- return unix.Mount(c.slavePath, "/dev/console", "bind", unix.MS_BIND, "") ++ return nil + } + + // dupStdio opens the slavePath for the console and dups the fds to the current +diff --git a/libcontainer/utils/utils_unix.go b/libcontainer/utils/utils_unix.go +index a19f17c..ffd77da 100644 +--- a/libcontainer/utils/utils_unix.go ++++ b/libcontainer/utils/utils_unix.go +@@ -14,6 +14,7 @@ import ( + "strconv" + "strings" + "sync" ++ "syscall" + _ "unsafe" // for go:linkname + + "github.com/Sirupsen/logrus" +@@ -388,3 +389,25 @@ func MkdirAllInRoot(root, unsafePath string, mode uint32) error { + } + return err + } ++ ++// Determine if a path has a mount point. ++func IsRealMountPoint(path string) (bool, error) { ++ stat, err := os.Stat(path) ++ if err != nil { ++ return false, fmt.Errorf("fail to get %s stat: %v", path, err) ++ } ++ ++ parentDir := filepath.Dir(path) ++ ++ parentStat, err := os.Stat(parentDir) ++ if err != nil { ++ return false, fmt.Errorf("fail to get parent path %s stat: %v", parentDir, err) ++ } ++ ++ targetInode := stat.Sys().(*syscall.Stat_t).Dev ++ parentInode := parentStat.Sys().(*syscall.Stat_t).Dev ++ if targetInode != parentInode { ++ return true, nil ++ } ++ return false, nil ++} +-- +2.33.0 + diff --git a/patch/0157-runc-fix-CVE-2025-52881.patch b/patch/0157-runc-fix-CVE-2025-52881.patch new file mode 100644 index 0000000000000000000000000000000000000000..077af8cf41ebe36ecb1a8d2dcaa6724440bd4334 --- /dev/null +++ b/patch/0157-runc-fix-CVE-2025-52881.patch @@ -0,0 +1,147 @@ +From 3907be50564362ffc0a6eb45e8a6d2f1c5977060 Mon Sep 17 00:00:00 2001 +From: root +Date: Tue, 2 Dec 2025 20:11:58 +0800 +Subject: [PATCH] selinux: use safe procfs API for labels + +Due to the sensitive nature of these fixes, it was not possible to +submit these upstream and vendor the upstream library. Instead, this +patch uses a fork of github.com/opencontainers/selinux, branched at +commit opencontainers/selinux@879a755db558501df06f4ea59461ebc2d0c4a991. + +In order to permit downstreams to build with this patched version, a +snapshot of the forked version has been included in +internal/third_party/selinux. Note that since we use "go mod vendor", +the patched code is usable even without being "go get"-able. Once the +embargo for this issue is lifted we can submit the patches upstream and +switch back to a proper upstream go.mod entry. + +Also, this requires us to temporarily disable the CI job we have that +disallows "replace" directives. + +Fixes: GHSA-cgrx-mc8f-2prm CVE-2025-52881 +Signed-off-by: Aleksa Sarai +--- + libcontainer/rootfs_linux.go | 7 +++- + libcontainer/utils/utils_unix.go | 29 ++++++++++++++ + .../selinux/go-selinux/selinux.go | 39 +++++++++++++++++++ + 3 files changed, 74 insertions(+), 1 deletion(-) + +diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go +index cab1e7c..eb6d3b8 100644 +--- a/libcontainer/rootfs_linux.go ++++ b/libcontainer/rootfs_linux.go +@@ -915,7 +915,12 @@ func maskPaths(paths []string) error { + // For e.g. net.ipv4.ip_forward translated to /proc/sys/net/ipv4/ip_forward. + func writeSystemProperty(key, value string) error { + keyPath := strings.Replace(key, ".", "/", -1) +- return ioutil.WriteFile(path.Join("/proc/sys", keyPath), []byte(value), 0644) ++ fullPath := path.Join("/proc/sys", keyPath) ++ isMount, err := utils.IsMountPoint(fullPath) ++ if err != nil || isMount { ++ return fmt.Errorf("refusing to write %s: %w", keyPath, err) ++ } ++ return ioutil.WriteFile(fullPath, []byte(value), 0644) + } + + func remount(m *configs.Mount, rootfs string) error { +diff --git a/libcontainer/utils/utils_unix.go b/libcontainer/utils/utils_unix.go +index ffd77da..1dfec46 100644 +--- a/libcontainer/utils/utils_unix.go ++++ b/libcontainer/utils/utils_unix.go +@@ -281,6 +281,35 @@ func ProcThreadSelfFd(fd uintptr) (string, ProcThreadSelfCloser) { + return ProcThreadSelf("fd/" + strconv.FormatUint(uint64(fd), 10)) + } + ++// Determine if a path has a mount point. ++func IsMountPoint(path string) (bool, error) { ++ newPath := path ++ for newPath != "/" { ++ stat, err := os.Stat(newPath) ++ if err != nil { ++ return false, fmt.Errorf("fail to get %s stat: %v", newPath, err) ++ } ++ ++ parentDir := filepath.Dir(newPath) ++ if parentDir == "/" { ++ return false, nil ++ } ++ ++ parentStat, err := os.Stat(parentDir) ++ if err != nil { ++ return false, fmt.Errorf("fail to get parent path %s stat: %v", parentDir, err) ++ } ++ ++ targetInode := stat.Sys().(*syscall.Stat_t).Dev ++ parentInode := parentStat.Sys().(*syscall.Stat_t).Dev ++ if targetInode != parentInode { ++ return true, nil ++ } ++ newPath = parentDir ++ } ++ return false, nil ++} ++ + // MkdirAllInRootOpen attempts to make + // + // path, _ := securejoin.SecureJoin(root, unsafePath) +diff --git a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go +index 4cf2c45..99efb31 100644 +--- a/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go ++++ b/vendor/github.com/opencontainers/selinux/go-selinux/selinux.go +@@ -198,6 +198,11 @@ func getSELinuxPolicyRoot() string { + func readCon(name string) (string, error) { + var val string + ++ isMount, err := isMountPoint(name) ++ if err != nil || isMount { ++ return "", fmt.Errorf("refusing to read %s: %w", name, err) ++ } ++ + in, err := os.Open(name) + if err != nil { + return "", err +@@ -260,7 +265,41 @@ func ExecLabel() (string, error) { + return readCon(fmt.Sprintf("/proc/self/task/%d/attr/exec", syscall.Gettid())) + } + ++// Determine if a path has a mount point. ++func isMountPoint(path string) (bool, error) { ++ newPath := path ++ for newPath != "/" { ++ stat, err := os.Stat(newPath) ++ if err != nil { ++ return false, fmt.Errorf("fail to get %s stat: %v", newPath, err) ++ } ++ ++ parentDir := filepath.Dir(newPath) ++ if parentDir == "/" { ++ return false, nil ++ } ++ ++ parentStat, err := os.Stat(parentDir) ++ if err != nil { ++ return false, fmt.Errorf("fail to get parent path %s stat: %v", parentDir, err) ++ } ++ ++ targetInode := stat.Sys().(*syscall.Stat_t).Dev ++ parentInode := parentStat.Sys().(*syscall.Stat_t).Dev ++ if targetInode != parentInode { ++ return true, nil ++ } ++ newPath = parentDir ++ } ++ return false, nil ++} ++ + func writeCon(name string, val string) error { ++ isMount, err := isMountPoint(name) ++ if err != nil || isMount { ++ return fmt.Errorf("refusing to write %s: %w", name, err) ++ } ++ + out, err := os.OpenFile(name, os.O_WRONLY, 0) + if err != nil { + return err +-- +2.43.0 + diff --git a/runc.spec b/runc.spec index a1e30011a0f29cdf30edb122e564bb340b151879..b7363dd2936e4a80329651c398d3ca7aafe953d2 100644 --- a/runc.spec +++ b/runc.spec @@ -2,7 +2,7 @@ Name: docker-runc Version: 1.0.0.rc3 -Release: 228 +Release: 229 Summary: runc is a CLI tool for spawning and running containers according to the OCI specification. License: ASL 2.0 @@ -41,6 +41,12 @@ install -p -m 755 runc $RPM_BUILD_ROOT/%{_bindir}/runc %{_bindir}/runc %changelog +* Wed Dec 03 2025 dongyuzhen - 1.0.0.rc3-229 +- Type:CVE +- CVE:NA +- SUG:NA +- DESC:fix CVE-2025-31133 and CVE-2025-52565 and CVE-2025-52881 + * Tue Sep 10 2024 Song Zhang - 1.0.0.rc3-228 - Type:CVE - CVE:CVE-2024-45310 diff --git a/series.conf b/series.conf index 486ee0b24d15e7d9b0932d9e6020817b9adf4b34..b8809ae38b9f3dc96670ee4f2cab4eeab02c8ec1 100644 --- a/series.conf +++ b/series.conf @@ -146,3 +146,6 @@ 0152-runc-do-not-support-set-umask-through-native.umask.patch 0153-runc-format-log-instead-panic-when-procError-missing.patch 0154-rootfs-try-to-scope-MkdirAll-to-stay-inside-the-root.patch +0155-runc-fix-CVE-2025-31133.patch +0156-runc-fix-CVE-2025-52565.patch +0157-runc-fix-CVE-2025-52881.patch