Sync from SUSE:SLFO:1.1 runc revision 31a1c0506bab96b94f223a9772b6b32e

runc-1.2.6.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmfYg/sACgkQF95ey3Wh
-EA5ikggApKbA6FDLhxIKHwWQO2j7YY+H4REw0//e47eWV16Hj7Cn3Vtxawf8E8aA
-+UY4lOkX1Vqeif9aZCPe53AQGPDygkm0CBFSrUI8WRRVlsn7qQycVhv6BJ7Z3YtC
-6Jamtm/vQXNpVJVLyBdHrv+RApguPwWXsjVOlR1Ehy6qMYyAV5UqoB5SSpJC4B4z
-qA8B93kkDX10meROFdjcg4fc1Tn2BUMojx5w+Xsb5jGlTg8kCK4Jiw2Wq4zDmWFY
-0wgEoeKpSO59nMFEdPRuQPkv3QNrQW5GTQ1/HbHlcGmoEV9PceV2BIketTqhcfSn
-otdAL8y4EIOeSQUWbFCUMQ8e3+XsJg==
-=Wv00
------END PGP SIGNATURE-----

runc-1.3.4.tar.xz.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+
+iJEEABYKADkWIQS2TklVsp+j1GPyqQYol/rSt+lEbwUCaSjevxsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMSwyLDIACgkQKJf60rfpRG8DqgEAgQBUL0dOg31PIjBq03oW
+5dLKfrM4KQS4tDfj36Ol7y0A/jmlAoMzn32VfL2UnEh1DUBHFDxhiXvNEA3lNf0O
+G3gC
+=Q/Xl
+-----END PGP SIGNATURE-----

runc.changes

@@ -1,3 +1,61 @@
+-------------------------------------------------------------------
+Fri Nov 28 00:20:13 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.4. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.4>. bsc#1254362
+
+-------------------------------------------------------------------
+Wed Nov  5 10:05:32 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.3. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.3>. bsc#1252232
+  * CVE-2025-31133
+  * CVE-2025-52565
+  * CVE-2025-52881
+- Remove upstreamed patches for bsc#1252232:
+  - 2025-11-05-CVEs.patch
+
+-------------------------------------------------------------------
+Thu Oct 16 02:16:12 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+[ This update was only released for SLE 12 and 15. ]
+
+- Backport patches for three CVEs. All three vulnerabilities ultimately allow
+  (through different methods) for full container breakouts by bypassing runc's
+  restrictions for writing to arbitrary /proc files. bsc#1252232
+  * CVE-2025-31133
+  * CVE-2025-52565
+  * CVE-2025-52881
+  + 2025-11-05-CVEs.patch
+
+-------------------------------------------------------------------
+Fri Oct 10 14:10:23 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+[ This update was only released for SLE 12 and 15. ]
+
+- Update to runc v1.2.7. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.7>.
+
+-------------------------------------------------------------------
+Sat Oct  4 05:01:50 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.2. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.2> bsc#1252110
+  - Includes an important fix for the CPUSet translation for cgroupv2.
+
+-------------------------------------------------------------------
+Thu Sep  4 15:29:15 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.1. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.1>
+- Fix runc 1.3.x builds on SLE-12 by enabling --std=gnu11.
+
+-------------------------------------------------------------------
+Tue Apr 29 15:23:32 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.0. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.0>
+
 -------------------------------------------------------------------
 Thu Apr 10 03:52:03 UTC 2025 - Aleksa Sarai <asarai@suse.com>
 
@@ -74,7 +132,7 @@ Mon Jul 22 13:08:06 UTC 2024 - Aleksa Sarai <asarai@suse.com>
 [ This was only ever released for SLES and Leap. ]
 
 - Update to runc v1.1.13. Upstream changelog is available from
-  <https://github.com/opencontainers/runc/releases/tag/v1.1.12>.
+  <https://github.com/opencontainers/runc/releases/tag/v1.1.13>.
 - Rebase patches:
   * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
   * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch

runc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package runc
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,13 +18,13 @@
 
 
 # MANUAL: Make sure you update this each time you update runc.
-%define git_version e89a29929c775025419ab0d218a43588b4c12b9a
-%define git_short   e89a29929c77
+%define git_version d6d73eb8c60246978da649ffe75ce5c8bca8f856
+%define git_short   d6d73eb8c602
 
 %define project github.com/opencontainers/runc
 
 Name:           runc
-Version:        1.2.6
+Version:        1.3.4
 %define upstream_version %{version}
 Release:        0
 Summary:        Tool for spawning and running OCI containers
@@ -36,7 +36,7 @@ Source1:        https://github.com/opencontainers/runc/releases/download/v%{upst
 Source2:        runc.keyring
 BuildRequires:  diffutils
 BuildRequires:  fdupes
-BuildRequires:  go >= 1.22.4
+BuildRequires:  go >= 1.23
 BuildRequires:  go-go-md2man
 BuildRequires:  libseccomp-devel
 BuildRequires:  libselinux-devel
@@ -68,6 +68,10 @@ and has grown to become a separate project entirely.
 %autopatch -p1
 
 %build
+%if 0%{?sle_version} == 120000
+# Fix nsenter builds on SLE12.
+export CGO_CFLAGS="--std=gnu11"
+%endif
 # build runc
 make BUILDTAGS="seccomp" COMMIT="%{git_describe}" runc
 # build man pages