Accepting request 1320399 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/1320399
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/runc?expand=0&rev=78

runc-1.3.0.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f2f799a1000e16cc37776fae1745f2a302633fad94dd52de9bece83df8dc4b4e
-size 1694312

runc-1.3.0.tar.xz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQJEBAABCAAuFiEEXzbGxhtUYBJKdfWmnhiqJn3bjbQFAmgQWJAQHGFzYXJhaUBz
-dXNlLmNvbQAKCRCeGKomfduNtN1sEADEK5Jo+qKS8U5egGaM8jPxIRjn6U/R0iil
-wTWK6xyRSh3CENujOyOmTux9p2jF4pHOsOQWrp/PUZen4tSnVqyegQStZCcc2Ul5
-ErwjOUon6cM6WtiOsOhdHtYjTLa/0wvowpgxdFT3J/gkPIYBwuNLJrW0xndUNMeS
-EIMt0ij+Hwltd6WVM3GR8J5YFc1DWQB9j2yutzhT59e+/SKT5D95B/EGdJC8n+m0
-RuP5SPBQnK1KhKyX10YnzlC42Kzl55MhvB9UqhNg70U9dpgaddT/qR5iXI2EtWBY
-PZV+xYapzaZ8yXq7gSumlUKNE8JlFGKRWSMmsFdN9IkoE0QV9G1q1EALGpq55I0o
-tLhgsEsrlXYxJs9aqbVLI6ttGWe45DFfCpENRprReWwwA/3PrTug6ku0Dk0MYhtS
-Tj7MJ0P+Q1qreBmEXjnwArgwqeUi58Ab4i6iqHMuRyjXLBCXT4LJiTi8Z3zMNCzu
-kPpsIvCF9VmASbdq00aFo8m4cnh7cOjJ//bnJXtp4EwYD42eQgQR+8vzy46u46+l
-ONN+of/+oJtY5eCZmC3CDpEak4PANR1PWIzEEHDEGSTjz3xFMycW6laJngJvWfuk
-P+A0cL1o2EEhvPrDyTgD/Dh4JKnUNC7QulZcrmZ59i5MyyTXFupLdPoZT2wULCbW
-3hIgORPkcg==
-=rTcD
------END PGP SIGNATURE-----

runc-1.4.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f67c16fe40d078be6bf40006b086068951ab885ad815dfe8fa96c0a546aac57f
+size 1757532

runc-1.4.0.tar.xz.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+
+iJEEABYKADkWIQS2TklVsp+j1GPyqQYol/rSt+lEbwUCaSjfMhsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMSwyLDIACgkQKJf60rfpRG/eqAEAwPxNZ+FK9ZSO7oC6dJZO
+jc64PTUcqgTFXm27XrYDE50A/3yskKjS6N0e5YK3D7+J0fKTZCrUZIy8Yv02eYPc
+G5YO
+=HU7f
+-----END PGP SIGNATURE-----

runc.changes

@@ -1,3 +1,61 @@
+-------------------------------------------------------------------
+Fri Nov 28 00:40:42 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Add libpathrs build option to allow builds to switch to libpathrs. In future
+  we will switch to enabling this by default for Tumbleweed and Leap >= 16.
+
+-------------------------------------------------------------------
+Fri Nov 28 00:20:15 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.4.0. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.4.0>.
+
+-------------------------------------------------------------------
+Wed Nov  5 10:05:32 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.3. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.3>. bsc#1252232
+  * CVE-2025-31133
+  * CVE-2025-52565
+  * CVE-2025-52881
+- Remove upstreamed patches for bsc#1252232:
+  - 2025-11-05-CVEs.patch
+
+-------------------------------------------------------------------
+Thu Oct 16 02:16:12 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+[ This update was only released for SLE 12 and 15. ]
+
+- Backport patches for three CVEs. All three vulnerabilities ultimately allow
+  (through different methods) for full container breakouts by bypassing runc's
+  restrictions for writing to arbitrary /proc files. bsc#1252232
+  * CVE-2025-31133
+  * CVE-2025-52565
+  * CVE-2025-52881
+  + 2025-11-05-CVEs.patch
+
+-------------------------------------------------------------------
+Fri Oct 10 14:10:23 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+[ This update was only released for SLE 12 and 15. ]
+
+- Update to runc v1.2.7. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.7>.
+
+-------------------------------------------------------------------
+Sat Oct  4 05:01:50 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.2. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.2> bsc#1252110
+  - Includes an important fix for the CPUSet translation for cgroupv2.
+
+-------------------------------------------------------------------
+Thu Sep  4 15:29:15 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.1. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.1>
+- Fix runc 1.3.x builds on SLE-12 by enabling --std=gnu11.
+
 -------------------------------------------------------------------
 Tue Apr 29 15:23:32 UTC 2025 - Aleksa Sarai <asarai@suse.com>
 

runc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package runc
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,14 +17,16 @@
 # nodebuginfo
 
 
+%bcond_with libpathrs
+
 # MANUAL: Make sure you update this each time you update runc.
-%define git_version 4ca628d1d4c974f92d24daccb901aa078aad748e
-%define git_short   4ca628d1d4c9
+%define git_version 8bd78a9977e604c4d5f67a7415d7b8b8c109cdc4
+%define git_short   8bd78a9977e6
 
 %define project github.com/opencontainers/runc
 
 Name:           runc
-Version:        1.3.0
+Version:        1.4.0
 %define upstream_version %{version}
 Release:        0
 Summary:        Tool for spawning and running OCI containers
@@ -40,6 +42,9 @@ BuildRequires:  go >= 1.23
 BuildRequires:  go-go-md2man
 BuildRequires:  libseccomp-devel
 BuildRequires:  libselinux-devel
+%if 0%{with libpathrs}
+BuildRequires:  libpathrs-devel
+%endif
 Recommends:     criu
 # There used to be a docker-runc package which was specifically for Docker.
 # Since Docker now tracks upstream more consistently, we use the same package
@@ -68,8 +73,19 @@ and has grown to become a separate project entirely.
 %autopatch -p1
 
 %build
+%if 0%{?sle_version} == 120000
+# Fix nsenter builds on SLE12.
+export CGO_CFLAGS="--std=gnu11"
+%endif
+
+BUILDTAGS="seccomp"
+%if 0%{with libpathrs}
+BUILDTAGS+=" libpathrs"
+%endif
+
 # build runc
-make BUILDTAGS="seccomp" COMMIT="%{git_describe}" runc
+make BUILDTAGS="$BUILDTAGS" COMMIT="%{git_describe}" runc
+
 # build man pages
 man/md2man-all.sh