@Shubhranshu153
Contributor

Upgrade Runc in the release artifact for security release

CVE-2025-31133 exploits an issue with how masked paths are implemented in
runc. When masking files, runc will bind-mount the container's /dev/null
inode on top of the file. However, if an attacker can replace /dev/null
with a symlink to some other procfs file, runc will instead bind-mount the
symlink target read-write. This issue affected all known runc versions.

CVE-2025-52565 is very similar in concept and application to
CVE-2025-31133, except that it exploits a flaw in /dev/console
bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n),
if an attacker replaces /dev/pts/$n with a symlink then runc will
bind-mount the symlink target over /dev/console. This issue affected all
versions of runc >= 1.0.0-rc3.

CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921,
which was a flaw that allowed an attacker to trick runc into writing the LSM
process labels for a container process into a dummy tmpfs file and thus not
apply the correct LSM labels to the container process. The mitigation we
applied for CVE-2019-19921 was fairly limited and effectively only caused
runc to verify, when we write LSM labels, that those labels are actual
procfs files. This issue affects all known runc versions.

Signed-off-by: Shubhranshu Mahapatra <shubhum@amazon.com>
Member

@AkihiroSuda AkihiroSuda left a comment

Thanks

@AkihiroSuda AkihiroSuda added this to the v2.2.0 milestone Nov 5, 2025
@AkihiroSuda AkihiroSuda merged commit 5598a54 into containerd:main Nov 5, 2025
36 checks passed