mirror of https://github.com/opencontainers/runc.git synced 2026-02-05 18:45:28 +01:00
runc/libcontainer/integration
Aleksa Sarai b370bafce9 merge private security patches into ghsa-release-1.3.3
Aleksa Sarai (22):
  rootfs: re-allow dangling symlinks in mount targets
  openat2: improve resilience on busy systems
  selinux: use safe procfs API for labels
  rootfs: switch to fd-based handling of mountpoint targets
  libct/system: use securejoin for /proc/$pid/stat
  init: use securejoin for /proc/self/setgroups
  init: write sysctls using safe procfs API
  utils: remove unneeded EnsureProcHandle
  utils: use safe procfs for /proc/self/fd loop code
  apparmor: use safe procfs API for labels
  ci: add lint to forbid the usage of os.Create
  rootfs: avoid using os.Create for new device inodes
  internal: add wrappers for securejoin.Proc*
  go.mod: update to github.com/cyphar/filepath-securejoin@v0.5.0
  console: verify /dev/pts/ptmx before use
  console: avoid trivial symlink attacks for /dev/console
  console: add fallback for pre-TIOCGPTPEER kernels
  console: use TIOCGPTPEER when allocating peer PTY
  *: switch to safer securejoin.Reopen
  internal: move utils.MkdirAllInRoot to internal/pathrs
  internal/sys: add VerifyInode helper
  internal: linux: add package doc-comment

Li Fubang (1):
  libct: align param type for mountCgroupV1/V2 functions

Kir Kolyshkin (3):
  libct: maskPaths: don't rely on ENOTDIR for mount
  libct: maskPaths: only ignore ENOENT on mount dest
  libct: add/use isDevNull, verifyDevNull

Fixes: CVE-2025-31133 GHSA-9493-h29p-rfm2
Fixes: CVE-2025-52565 GHSA-qw9x-cqr3-wc7r
Fixes: CVE-2025-52881 GHSA-cgrx-mc8f-2prm
Reported-by: Lei Wang <ssst0n3@gmail.com>
Reported-by: Li Fubang <lifubang@acmcoder.com>
Reported-by: Tõnis Tiigi <tonistiigi@gmail.com>
Reported-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-11-05 20:05:20 +11:00