Control: tag -1 trixie bookworm

Salvatore Bonaccorso <[email protected]> writes:

> Source: runc
> Version: 1.3.2+ds1-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> Control: found -1 1.1.15+ds1-2
>
> Hi,
>
> The following vulnerabilities were published for runc.
>
> CVE-2025-31133[0], CVE-2025-52565[1] and CVE-2025-52881[2].
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-31133
>     https://www.cve.org/CVERecord?id=CVE-2025-31133
> [1] https://security-tracker.debian.org/tracker/CVE-2025-52565
>     https://www.cve.org/CVERecord?id=CVE-2025-52565
> [2] https://security-tracker.debian.org/tracker/CVE-2025-52881
>     https://www.cve.org/CVERecord?id=CVE-2025-52881
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

Hi Salvatore (and everyone else CCed),

I've taken a close look at the backport situation for Trixie (runc 1.1.15+ds1-2) and checked other distributions.

The upstream patches (squashed tarball from https://seclists.org/oss-sec/2025/q4/138, attachment runc-patches-2025-11-05.tar.xz, applying to 1.2.7+) do not work cleanly on 1.1.15 due to refactors in 1.2 (e.g., openat2, cgroup v2, securejoin).

Trixie summary:
- ~70-80% of the ~20 patches conflict (e.g., in libcontainer/rootfs_linux.go, nsenter).
- Requires bumping golang-github-cyphar-filepath-securejoin-dev, risking reverse dep breaks.
- Effort: 80-150 hours over weeks for a tested backport.

Other distros (as of 2025-12-03; no 1.1.15 backports found):

Distribution          Old version in LTS/old-stable   Fix strategy + reference
--------------------------------------------------------------------------------
Ubuntu 22.04 / 24.04  1.0.x / 1.1.12                  Upgrade to 1.3.3
                                                      https://ubuntu.com/security/notices/USN-7851-1
                                                      https://ubuntu.com/security/notices/USN-7851-2
RHEL 8 / 9            1.2.5                           Custom backports to 1.2.5
                                                      https://access.redhat.com/errata/RHSA-2025:19927
SUSE SLE 15           ~1.1.x                          Upgrade to 1.2.7
                                                      https://www.suse.com/support/update/announcement/2025/suse-su-20253951-1/
Fedora 41             1.1.x                           Upgrade to 1.3.3
                                                      https://lists.fedoraproject.org/archives/list/[email protected]/message/OROGIHQBV5TR2WUJZV5N4SOGYPXGKM5P/

I lack bandwidth for this (day job + other packages). As far as I can tell, all the issues are addressed in experimental/unstable/testing with 1.3.3+ds1-2.

Options for Debian:
- Full backport to 1.1.15 (expensive, no distro precedent).
- Bump Trixie to 1.2.8/1.3.3 (i.e., introduce a new source "runc-app" that produces the `runc` binary, like Ubuntu).
- Declare 1.1.x unsupported in Trixie; recommend podman/crun (which is a re-implementation of runc in C).

Salvatore, Gianfranco, Jochen, Shengjing Zhu: Please do share your opinions and chime in on the best way forward here.

Thanks,
Reinhard

