Release runc v1.3.3 -- "奴らに支配されていた恐怖を" · opencontainers/runc (original) (raw)

Note

Some vendors were given a pre-release version of this release.
This public release includes two extra patches to fix regressions
discovered very late during the embargo period and were thus not
included in the pre-release versions. Please update to this version.

This release contains fixes for three high-severity security
vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and
CVE-2025-52881). All three vulnerabilities ultimately allow (through
different methods) for full container breakouts by bypassing runc's
restrictions for writing to arbitrary /proc files.

Security

• CVE-2025-31133 exploits an issue with how masked paths are implemented in
  runc. When masking files, runc will bind-mount the container's /dev/null
  inode on top of the file. However, if an attacker can replace /dev/null
  with a symlink to some other procfs file, runc will instead bind-mount the
  symlink target read-write. This issue affected all known runc versions.
• CVE-2025-52565 is very similar in concept and application to
  CVE-2025-31133, except that it exploits a flaw in /dev/console
  bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n),
  if an attacker replaces /dev/pts/$n with a symlink then runc will
  bind-mount the symlink target over /dev/console. This issue affected all
  versions of runc >= 1.0.0-rc3.
• CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921,
  which was a flaw that allowed an attacker to trick runc into writing the LSM
  process labels for a container process into a dummy tmpfs file and thus not
  apply the correct LSM labels to the container process. The mitigation we
  applied for CVE-2019-19921 was fairly limited and effectively only caused
  runc to verify that when we write LSM labels that those labels are actual
  procfs files. This issue affects all known runc versions.

Added

• runc update now supports configuring per-device weights and iops. (#4775,
  #4807, #4825, #4931)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Thanks to the following contributors for making this release possible:

• Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
• Aleksa Sarai cyphar@cyphar.com
• Kir Kolyshkin kolyshkin@gmail.com
• Lei Wang ssst0n3@gmail.com
• Li Fubang lifubang@acmcoder.com
• Rodrigo Campos rodrigoca@microsoft.com
• Tõnis Tiigi tonistiigi@gmail.com

Signed-off-by: Aleksa Sarai cyphar@cyphar.com