runc: update to v1.3.4

- Update to runc v1.3.4. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.3.4>. bsc#1254362

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

runc-1.2.0-rc.3.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:837185e9041c795187eb0f775af8d0b76869e98376bad7cf5f3249a2c636e794
-size 1609672

runc-1.2.0-rc.3.tar.xz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHUEABYKAB0WIQS2TklVsp+j1GPyqQYol/rSt+lEbwUCZtZoygAKCRAol/rSt+lE
-bx7WAP0SyVg+qUJHACE0IkVAxaBzqVjNFVhdLY5ieF9h4LE0KgEA5Aa2n1k22JMX
-0774jwpF778ieaNR3L6sf/hKjAXTmwM=
-=6S7t
------END PGP SIGNATURE-----

runc-1.3.4.tar.xz.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+
+iJEEABYKADkWIQS2TklVsp+j1GPyqQYol/rSt+lEbwUCaSjevxsUgAAAAAAEAA5t
+YW51MiwyLjUrMS4xMSwyLDIACgkQKJf60rfpRG8DqgEAgQBUL0dOg31PIjBq03oW
+5dLKfrM4KQS4tDfj36Ol7y0A/jmlAoMzn32VfL2UnEh1DUBHFDxhiXvNEA3lNf0O
+G3gC
+=Q/Xl
+-----END PGP SIGNATURE-----

runc.changes

@@ -1,9 +1,115 @@
+-------------------------------------------------------------------
+Fri Nov 28 00:20:13 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.4. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.4>. bsc#1254362
+
+-------------------------------------------------------------------
+Wed Nov  5 10:05:32 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.3. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.3>. bsc#1252232
+  * CVE-2025-31133
+  * CVE-2025-52565
+  * CVE-2025-52881
+- Remove upstreamed patches for bsc#1252232:
+  - 2025-11-05-CVEs.patch
+
+-------------------------------------------------------------------
+Thu Oct 16 02:16:12 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+[ This update was only released for SLE 12 and 15. ]
+
+- Backport patches for three CVEs. All three vulnerabilities ultimately allow
+  (through different methods) for full container breakouts by bypassing runc's
+  restrictions for writing to arbitrary /proc files. bsc#1252232
+  * CVE-2025-31133
+  * CVE-2025-52565
+  * CVE-2025-52881
+  + 2025-11-05-CVEs.patch
+
+-------------------------------------------------------------------
+Fri Oct 10 14:10:23 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+[ This update was only released for SLE 12 and 15. ]
+
+- Update to runc v1.2.7. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.7>.
+
+-------------------------------------------------------------------
+Sat Oct  4 05:01:50 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.2. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.2> bsc#1252110
+  - Includes an important fix for the CPUSet translation for cgroupv2.
+
+-------------------------------------------------------------------
+Thu Sep  4 15:29:15 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.1. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.1>
+- Fix runc 1.3.x builds on SLE-12 by enabling --std=gnu11.
+
+-------------------------------------------------------------------
+Tue Apr 29 15:23:32 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.3.0. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.3.0>
+
+-------------------------------------------------------------------
+Thu Apr 10 03:52:03 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.2.6. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.6>.
+
+-------------------------------------------------------------------
+Fri Feb 14 01:31:56 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.2.5. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.5>.
+
+-------------------------------------------------------------------
+Tue Jan  7 06:31:57 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.2.4. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.4>.
+- Update runc.keyring to match upstream.
+
+-------------------------------------------------------------------
+Wed Dec 11 02:01:52 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.2.3. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.3>.
+
+-------------------------------------------------------------------
+Sat Nov 16 01:55:06 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.2.2. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.2>.
+
+-------------------------------------------------------------------
+Fri Nov  1 22:26:11 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.2.1. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.1>.
+
+-------------------------------------------------------------------
+Mon Oct 21 22:42:50 UTC 2024 - Aleksa Sarai <asarai@suse.com>
+
+- Update to runc v1.2.0. Upstream changelog is available from
+  <https://github.com/opencontainers/runc/releases/tag/v1.2.0>.
+- Remove upstreamed patches.
+  - 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
+  - 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
+  - 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
+  - 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch
+
 -------------------------------------------------------------------
 Tue Sep  3 02:01:16 UTC 2024 - Aleksa Sarai <asarai@suse.com>
 
 - Update to runc v1.2.0~rc3. Upstream changelog is available from
   <https://github.com/opencontainers/runc/releases/tag/v1.2.0-rc.3>.
-  Includes the patch for CVE-2024-45310.
+  Includes the patch for CVE-2024-45310. bsc#1230092
 
 -------------------------------------------------------------------
 Tue Sep  3 01:57:20 UTC 2024 - Aleksa Sarai <asarai@suse.com>
@@ -12,7 +118,7 @@ Tue Sep  3 01:57:20 UTC 2024 - Aleksa Sarai <asarai@suse.com>
 
 - Update to runc v1.1.14. Upstream changelog is available from
   <https://github.com/opencontainers/runc/releases/tag/v1.1.14>.
-  Includes the patch for CVE-2024-45310.
+  Includes the patch for CVE-2024-45310. bsc#1230092
 
 - Rebase patches:
   * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
@@ -26,7 +132,7 @@ Mon Jul 22 13:08:06 UTC 2024 - Aleksa Sarai <asarai@suse.com>
 [ This was only ever released for SLES and Leap. ]
 
 - Update to runc v1.1.13. Upstream changelog is available from
-  <https://github.com/opencontainers/runc/releases/tag/v1.1.12>.
+  <https://github.com/opencontainers/runc/releases/tag/v1.1.13>.
 - Rebase patches:
   * 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
   * 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch

runc.keyring

@@ -122,10 +122,10 @@ lxxclgJYU604APsFzpoLD0oUlfMn5Fh75ftkKPrwiHpTj4rRU6oIQu1/Bg==
 =Ab7w
 -----END PGP PUBLIC KEY BLOCK-----
 
-pub   rsa2048 2020-04-28 [SC] [expires: 2025-04-18]
+pub   rsa2048 2020-04-28 [SC] [expires: 2028-04-18]
       C2428CD75720FACDCF76B6EA17DE5ECB75A1100E
 uid           [ultimate] Kir Kolyshkin <kolyshkin@gmail.com>
-sub   rsa2048 2020-04-28 [E] [expires: 2025-04-18]
+sub   rsa2048 2020-04-28 [E] [expires: 2028-04-18]
 
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Comment: github=kolyshkin
@@ -137,26 +137,26 @@ ppTSiCl8/x/gKoXiJ+7MyvOZozUavkVHdim1NKCzwD014VOB8RXz+heUjS+HDXY9
 SbTL4jCsN/x0bq+ZNp4lunihVY5WqX+BGLcx7xPnJ0Rp9Ju1mAhKrbKUmOG3rkWu
 DIJuVP8HQfCoffsBLUKQ0V4fh18kfq1bo3JvABEBAAG0I0tpciBLb2x5c2hraW4g
 PGtvbHlzaGtpbkBnbWFpbC5jb20+iQFUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQW
-AgMBAh4BAheAFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmRAbOgFCQlaGGoACgkQ
-F95ey3WhEA6dRQf+P+OHI3QiZu3TnrNBTsf+V8HhFBWKqafrjKbIE1A5HOHzcK2F
-t2afYG+MZQILwSuCQOObgr3o7hGlqkwMwGtHt5nqG6/Z0bmkowG4JJmYIg9FhvQW
-JEm/7lSBtxvFkw05H90UlzCM7AigD+PrLs96Zb0+FqdzEDWTMJeU7yYUFRNbXEu3
-wqpOZpHlYCJGKzFJBbGxYphlmljexRlWdZPwACKg7lBsVkM8JDPGxmmEe7/5tXPt
-Oa1yS13SleLv4muHH3KO3cgJGqBfY/XIExZUQUF0GdL0yppBDbn0oZ/wvRuibCR0
-1P7rW88csSjAjhNjja4v/zWleSIpyWVi8IvYLLkBDQReqLt+AQgAtKUDLyUFxQ9k
+AgMBAh4BAheAFiEEwkKM11cg+s3PdrbqF95ey3WhEA4FAmdcs+gFCQ7+0bIACgkQ
+F95ey3WhEA6rRwf8CxnbLB/uqPZfmmiTzTk7luWaIo6YxtnNz3bn2rTByEo+rBgO
+gbgtKaV4REYeKhtbdstkMTX3zr+zlqwuqaPaag/Cz20HLkD04bI+JCPoRH/dPadd
+3nOdbdRfdWZeDDSFKjVunVpXlLxwvZ1WaaYKCfF06U3F7/z7MTAuKHrHTG9SrNPJ
+UPJTy63dNnuiPpVNNtOyftLGEGgD1JH2tcosVEwEpAlXpIpJy4Lad9ajaRVoYNtT
+qZr26sRFYNOQqWgl25QM8LyLFyYry9HfEXkbilW0OpkAkUvv0yAe97UPZ0beP8D+
+d5rMbZps6Ph1TtosdE/Gx8xWs7ALNDmXyCI/F7kBDQReqLt+AQgAtKUDLyUFxQ9k
 p8OwI/MsPTLLoYfjilJaXnmtzQjGYFrEuU3lt7omRUBldNChkjGghEukGTq0RD7Z
 s6Qv5PM5dtOypPJM0lmz2j7seun3AfDV44h/bjOFwTUjab3Nr9fQ52qESmRS03ik
 6+5YNwq2D/+2kHVJ2vkUoo6KvioA1vPU311oW/Yfky8dLS5NguikE3to6YElWW38
 oqFUVdMScCbf9a6CPXSQEz/rH4TgAhwyTo6oegv+8L/szGFy5ToNGiA0D45HcFDc
 yXs1d+b3bYRuGfC1l/z+WZWwbeHt1fKEQ8pCLDLRre5y0hPRHeN2CG4U7iyI5B5h
 8LITPcZ66wARAQABiQE8BBgBCAAmAhsMFiEEwkKM11cg+s3PdrbqF95ey3WhEA4F
-AmRAbRQFCQlaGJYACgkQF95ey3WhEA7vywf9FFTeRgNji8ZIPMM2vIlns+CMkP5R
-uXakU6Q0O6Wmbb/ULOkobTqJ/Jcze8OuembuU3V6MiOQKgUIDrN7itjnJPQBneKT
-iqJdPK8KOiGIzqa0aRekvOu2nCz9n87Bf48pviH922yfs8gXYRCUnSV/i7/p+N8r
-5Fy7dJen5SXksN2/rUCEgU9FD17l2uMAoQbRqZg74/GwSDLnhrZ9eMrbPnguSQF4
-S1NPMeS7+G/gPN9Ze9qFmOF2p57cmEa+8mriZCYY3BcUBOiMOV5HSBKJwqA2M8au
-2dAKmFWb/G+K/dgBdkAulQ/BfCpwgFmmgJ5dAeaS3y8Xd86aBE0/eLCrhQ==
-=GkpD
+AmdctAIFCQ7+0bIACgkQF95ey3WhEA7PDggAlZxK7mCYThh7Z75mWftIaT3ms5jR
+cuQcCQYy2Z7qCaNxJtRklhsaAwpO0NQdNdQEfVXlNYLXRuFDq+hemhZKMu4lzQbZ
+3atm5swWcB8+9q+aCMP5nppwUXxCxHdhp4VxIYEv+wNjTF/6Fxu66fYPQPDKVacS
+H9NLjHsVoDFSi9rvtAy/Bs2aVn0hZkwpxzHJNVPnNcMAEnYXfM+kXu3761J61FAr
+o8zT9XXXnUYRuxHRAsrpa3atQj7jDHvFlcc3VfPmUFPs0aLRy19/44xRE1FZOSur
+f7jJ1HOKSJA9zx0xWaURRTRkMTIVuMnQKZofxC96GavBDVTtZlgLzeWVnQ==
+=eHgH
 -----END PGP PUBLIC KEY BLOCK-----
 
 pub   rsa3072 2019-07-25 [SC] [expires: 2025-07-27]

runc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package runc
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,16 +18,14 @@
 
 
 # MANUAL: Make sure you update this each time you update runc.
-%define git_version 45471bc945571d57acef05e0795008d7f1d9baf5
-%define git_short   45471bc94557
+%define git_version d6d73eb8c60246978da649ffe75ce5c8bca8f856
+%define git_short   d6d73eb8c602
 
 %define project github.com/opencontainers/runc
 
 Name:           runc
-# RPM doesn't handle semver rc releases nicely, so for rc releases we need to
-# do something different.
-%define upstream_version 1.2.0-rc.3
-Version:        1.2.0~rc3
+Version:        1.3.4
+%define upstream_version %{version}
 Release:        0
 Summary:        Tool for spawning and running OCI containers
 License:        Apache-2.0
@@ -38,7 +36,7 @@ Source1:        https://github.com/opencontainers/runc/releases/download/v%{upst
 Source2:        runc.keyring
 BuildRequires:  diffutils
 BuildRequires:  fdupes
-BuildRequires:  go >= 1.22.4
+BuildRequires:  go >= 1.23
 BuildRequires:  go-go-md2man
 BuildRequires:  libseccomp-devel
 BuildRequires:  libselinux-devel
@@ -70,6 +68,10 @@ and has grown to become a separate project entirely.
 %autopatch -p1
 
 %build
+%if 0%{?sle_version} == 120000
+# Fix nsenter builds on SLE12.
+export CGO_CFLAGS="--std=gnu11"
+%endif
 # build runc
 make BUILDTAGS="seccomp" COMMIT="%{git_describe}" runc
 # build man pages