diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ec0f48e7..2edb9d229 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,9 +6,45 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased 1.4.z] +## [1.4.0-rc.3] - 2025-11-05 + +> その日、人類は思い出した。 + +### Security + +This release includes fixes for the following high-severity security issues: + +* [CVE-2025-31133][] exploits an issue with how masked paths are implemented in + runc. When masking files, runc will bind-mount the container's `/dev/null` + inode on top of the file. However, if an attacker can replace `/dev/null` + with a symlink to some other procfs file, runc will instead bind-mount the + symlink target read-write. This issue affected all known runc versions. + +* [CVE-2025-52565][] is very similar in concept and application to + [CVE-2025-31133][], except that it exploits a flaw in `/dev/console` + bind-mounts. When creating the `/dev/console` bind-mount (to `/dev/pts/$n`), + if an attacker replaces `/dev/pts/$n` with a symlink then runc will + bind-mount the symlink target over `/dev/console`. This issue affected all + versions of runc >= 1.0.0-rc3. + +* [CVE-2025-52881][] is a more sophisticated variant of [CVE-2019-19921][], + which was a flaw that allowed an attacker to trick runc into writing the LSM + process labels for a container process into a dummy tmpfs file and thus not + apply the correct LSM labels to the container process. The mitigation we + applied for [CVE-2019-19921][] was fairly limited and effectively only caused + runc to verify that when we write LSM labels that those labels are actual + procfs files. This issue affects all known runc versions. + ### Fixed * Switched to `(*CPUSet).Fill` rather than our hacky optimisation when resetting the CPU affinity of runc. (#4926, #4927) + * Correctly close child fds during `(*setns).start` if an error occurs. + (#4930, #4936) + +[CVE-2019-19921]: https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw +[CVE-2025-31133]: https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2 +[CVE-2025-52565]: https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r +[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm ## [1.4.0-rc.2] - 2025-10-10 @@ -1340,6 +1376,7 @@ implementation (libcontainer) is *not* covered by this policy. [1.3.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.2.0...v1.3.0-rc.1 -[Unreleased 1.4.z]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.2...release-1.4 +[Unreleased 1.4.z]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.3...release-1.4 +[1.4.0-rc.3]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.2...v1.4.0-rc.3 [1.4.0-rc.2]: https://github.com/opencontainers/runc/compare/v1.4.0-rc.1...v1.4.0-rc.2 [1.4.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.3.0...v1.4.0-rc.1 diff --git a/VERSION b/VERSION index 30816c9d3..06c810e17 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.4.0-rc.2+dev +1.4.0-rc.3