Re: Bug#1120140: runc: CVE-2025-31133 CVE-2025-52565 CVE-2025-52881
Control: tag -1 trixie bookworm

Salvatore Bonaccorso <carnil@debian.org> writes:

> Source: runc
> Version: 1.3.2+ds1-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> Control: found -1 1.1.15+ds1-2
>
> Hi,
>
> The following vulnerabilities were published for runc.
>
> CVE-2025-31133[0], CVE-2025-52565[1] and CVE-2025-52881[2].
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-31133
>     https://www.cve.org/CVERecord?id=CVE-2025-31133
> [1] https://security-tracker.debian.org/tracker/CVE-2025-52565
>     https://www.cve.org/CVERecord?id=CVE-2025-52565
> [2] https://security-tracker.debian.org/tracker/CVE-2025-52881
>     https://www.cve.org/CVERecord?id=CVE-2025-52881
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
Hi Salvatore (and everyone else CCed),

I've taken a close look at the backport situation for Trixie (runc
1.1.15+ds1-2) and checked other distributions. The upstream patches
(squashed tarball from https://seclists.org/oss-sec/2025/q4/138
attachment runc-patches-2025-11-05.tar.xz, applying to 1.2.7+) do not
work cleanly on 1.1.15 due to refactors in 1.2 (e.g., openat2, cgroup
v2, securejoin).

Trixie summary:

- ~70-80% of the ~20 patches conflict (e.g., in libcontainer/rootfs_linux.go, nsenter).
- Requires bumping golang-github-cyphar-filepath-securejoin-dev, risking reverse dep breaks.
- Effort: 80-150 hours over weeks for a tested backport.

Other distros (as of 2025-12-03; no 1.1.15 backports found):

Distribution           Old version in LTS/old-stable   Fix strategy + reference
--------------------------------------------------------------------------------
Ubuntu 22.04 / 24.04   1.0.x / 1.1.12                  Upgrade to 1.3.3
                       https://ubuntu.com/security/notices/USN-7851-1
                       https://ubuntu.com/security/notices/USN-7851-2

RHEL 8 / 9             1.2.5                           Custom backports to 1.2.5
                       https://access.redhat.com/errata/RHSA-2025:19927

SUSE SLE 15            ~1.1.x                          Upgrade to 1.2.7
                       https://www.suse.com/support/update/announcement/2025/suse-su-20253951-1/
Fedora 41              1.1.x                           Upgrade to 1.3.3
                       https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OROGIHQBV5TR2WUJZV5N4SOGYPXGKM5P/

I lack bandwidth for this (day job + other packages). As far as I can
tell, all the issues are addressed in experimental/unstable/testing with
1.3.3+ds1-2.

Options for Debian:

- Full backport to 1.1.15 (expensive, no distro precedent).
- Bump Trixie to 1.2.8/1.3.3 (i.e., introduce a new source "runc-app" that produces the `runc` binary, like Ubuntu).
- Declare 1.1.x unsupported in Trixie; recommend podman/crun (which is a re-implementation of runc in C).

Salvatore, Gianfranco, Jochen, Shengjing Zhu: Please do share your
opinions and chime in on the best way forward here.

Thanks,
Reinhard