Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: 4.16.z
Affects Version/s: 4.16.z
Component/s: Containers
Labels:
- rhel-container-tools

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
3
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

With the fixes for CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, a few regressions were created in runc

https://github.com/opencontainers/runc/releases/tag/v1.3.4

libct: fix mips compilation. (#4962, #4966)
When configuring a tmpfs mount, only set the mode= argument if the
target path already existed. This fixes a regression introduced in our
CVE-2025-52881 mitigation patches. (#4971, #4976)
Fix various file descriptor leaks and add additional tests to detect them as
comprehensively as possible. (#5007, #5021, #5034)

The fixes for the CVE and the regressions are contained in runc v1.2.9, v1.3.4, and v1.4.0. The runc in RHEL should be bumped to the appropriate version.

Customers have already begun to run into these issues with the runc that had only the patch for the CVEs.

Bump runc in Podman to use one of these fixed versions of runc.

clones

OCPBUGS-66308 Bump to runc v1.2.9 or v1.3.4 to get CVE and regression fixes - Podman - [OCP 4.17]

New

is cloned by

OCPBUGS-66310 Bump to runc v1.2.9 or v1.3.4 to get CVE and regression fixes - Podman - [OCP 4.15]

New

Assignee:: Tom Sweeney

Reporter:: Tom Sweeney

Need Info From:: None

Contributors:: None

QA Contact:: None

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/12/03 12:44 AM

Updated:: 2025/12/03 1:15 AM