Skip to content

Dockerfile: update runc binary to v1.3.3#51393

Merged
vvoland merged 2 commits intomoby:masterfrom
vvoland:update-runc
Nov 5, 2025
Merged

Dockerfile: update runc binary to v1.3.3#51393
vvoland merged 2 commits intomoby:masterfrom
vvoland:update-runc

Conversation

@vvoland
Copy link
Contributor

@vvoland vvoland commented Nov 5, 2025
edited
Loading

Dockerfile: update runc binary to v1.3.3

Update the version used in CI and for the static binaries.

This release contains fixes for three high-severity security vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881).
All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Update runc to [v1.3.3](https://github.com/opencontainers/runc/releases/tag/v1.3.3)

@vvoland vvoland self-assigned this Nov 5, 2025
@vvoland vvoland requested a review from tianon as a code owner November 5, 2025 09:57
@vvoland
Dockerfile: update runc binary to v1.3.3
35f6a78 
Update the version used in CI and for the static binaries.

- release notes: https://github.com/opencontainers/runc/releases/tag/v1.3.3
- full diff: opencontainers/runc@v1.3.2...v1.3.3

This release contains fixes for three high-severity security
vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and
CVE-2025-52881). All three vulnerabilities ultimately allow (through
different methods) for full container breakouts by bypassing runc's
restrictions for writing to arbitrary /proc files.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
@vvoland vvoland changed the title Dockerfile: update runc binary to v1.3.2 Dockerfile: update runc binary to v1.3.3 Nov 5, 2025
@vvoland vvoland added this to the 29.0.0 milestone Nov 5, 2025
@vvoland vvoland mentioned this pull request Nov 5, 2025
Merged
@vvoland
Copy link
Contributor Author

vvoland commented Nov 5, 2025

Looks like the nofile limits set in tests are too low now due to extra reopens that runc does. I'll adjust the tests.

@vvoland
integration-cli: Adjust nofile limits
47edd80 
runc v1.3.3 needs more file descriptors now.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
thaJeztah
thaJeztah approved these changes Nov 5, 2025
View reviewed changes
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@vvoland vvoland merged commit c1cfb48 into moby:master Nov 5, 2025
288 of 292 checks passed
@Inspirational-sausage-dog Inspirational-sausage-dog mentioned this pull request Nov 14, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thaJeztah thaJeztah thaJeztah approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@tianon tianon Awaiting requested review from tianon tianon is a code owner

Assignees

@vvoland vvoland

Labels

area/dependencies area/packaging area/security impact/changelog kind/bugfix PR's that fix bugs

Projects

None yet

Milestone

29.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@vvoland @thaJeztah @AkihiroSuda