ory
chore(deps): bump github.com/opencontainers/runc from 1.2.6 to 1.3.3
Bumps github.com/opencontainers/runc from 1.2.6 to 1.3.3.
Release notes
Sourced from github.com/opencontainers/runc's releases.
runc v1.3.3 -- "奴らに支配されていた恐怖を"
[!NOTE] Some vendors were given a pre-release version of this release. This public release includes two extra patches to fix regressions discovered very late during the embargo period and were thus not included in the pre-release versions. Please update to this version.
This release contains fixes for three high-severity security vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary
/procfiles.Security
CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's
/dev/nullinode on top of the file. However, if an attacker can replace/dev/nullwith a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in
/dev/consolebind-mounts. When creating the/dev/consolebind-mount (to/dev/pts/$n), if an attacker replaces/dev/pts/$nwith a symlink then runc will bind-mount the symlink target over/dev/console. This issue affected all versions of runc >= 1.0.0-rc3.CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.
Added
Static Linking Notices
The
runcbinary distributed with this release are statically linked with the following [GNU LGPL-2.1][lgpl-2.1] licensed libraries, withruncacting
... (truncated)
Changelog
Sourced from github.com/opencontainers/runc's changelog.
[1.3.3] - 2025-11-05
奴らに支配されていた恐怖を
Security
This release includes fixes for the following high-severity security issues:
CVE-2025-31133 exploits an issue with how masked paths are implemented in runc. When masking files, runc will bind-mount the container's
/dev/nullinode on top of the file. However, if an attacker can replace/dev/nullwith a symlink to some other procfs file, runc will instead bind-mount the symlink target read-write. This issue affected all known runc versions.CVE-2025-52565 is very similar in concept and application to CVE-2025-31133, except that it exploits a flaw in
/dev/consolebind-mounts. When creating the/dev/consolebind-mount (to/dev/pts/$n), if an attacker replaces/dev/pts/$nwith a symlink then runc will bind-mount the symlink target over/dev/console. This issue affected all versions of runc >= 1.0.0-rc3.CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921, which was a flaw that allowed an attacker to trick runc into writing the LSM process labels for a container process into a dummy tmpfs file and thus not apply the correct LSM labels to the container process. The mitigation we applied for CVE-2019-19921 was fairly limited and effectively only caused runc to verify that when we write LSM labels that those labels are actual procfs files. This issue affects all known runc versions.
Added
[1.3.2] - 2025-10-02
Ночь, улица, фонарь, аптека...
Changed
- The conversion from cgroup v1 CPU shares to cgroup v2 CPU weight is improved to better fit default v1 and v2 values. (#4772, #4785, #4897)
- Dependency github.com/opencontainers/cgroups updated from v0.0.1 to v0.0.4. (#4897)
Fixed
... (truncated)
Commits
d842d77VERSION: release v1.3.3b370bafmerge private security patches into ghsa-release-1.3.34edba17rootfs: re-allow dangling symlinks in mount targetsaca52c4openat2: improve resilience on busy systems8b7e3d7merge #4931 into opencontainers/runc:release-1.32e82e55tests: bfq: skip tests on misbehaving udev systemsf1627a7tests: clean up loopback devices properly178e03ctests/int/update: fix getting block majorf14cad5runc update: handle duplicated devs properly80da60erunc update: support per-device weight and iops- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "Published by a pub.dev verified publisher"){kind=small}
