Patch kubernetes for CVE-2025-52881

Author: azurelinux-security

SPECS/kubernetes/CVE-2025-52881.patch

@@ -0,0 +1,66 @@
+From b2429c110d523dad5a0d7ecca43914e75e42a62c Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Tue, 25 Nov 2025 03:46:49 +0000
+Subject: [PATCH] vendor(runc): drop EnsureProcHandle checks and helper per
+ upstream patch; rely on securejoin.ProcThreadSelf\n\n- Remove
+ utils.EnsureProcHandle function\n- Remove its usage in apparmor setProcAttr
+ and utils fdRangeFrom\n\nBackport of upstream change.
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28.diff
+---
+ .../runc/libcontainer/apparmor/apparmor_linux.go |  3 ---
+ .../runc/libcontainer/utils/utils_unix.go        | 16 ----------------
+ 2 files changed, 19 deletions(-)
+
+diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+index 8b1483c7..e187dc0d 100644
+--- a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
++++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+@@ -40,9 +40,6 @@ func setProcAttr(attr, value string) error {
+ 	}
+ 	defer f.Close()
+ 
+-	if err := utils.EnsureProcHandle(f); err != nil {
+-		return err
+-	}
+ 
+ 	_, err = f.WriteString(value)
+ 	return err
+diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+index bf3237a2..ec0c1f87 100644
+--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
++++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+@@ -12,18 +12,6 @@ import (
+ 	"golang.org/x/sys/unix"
+ )
+ 
+-// EnsureProcHandle returns whether or not the given file handle is on procfs.
+-func EnsureProcHandle(fh *os.File) error {
+-	var buf unix.Statfs_t
+-	if err := unix.Fstatfs(int(fh.Fd()), &buf); err != nil {
+-		return fmt.Errorf("ensure %s is on procfs: %w", fh.Name(), err)
+-	}
+-	if buf.Type != unix.PROC_SUPER_MAGIC {
+-		return fmt.Errorf("%s is not on procfs", fh.Name())
+-	}
+-	return nil
+-}
+-
+ type fdFunc func(fd int)
+ 
+ // fdRangeFrom calls the passed fdFunc for each file descriptor that is open in
+@@ -35,10 +23,6 @@ func fdRangeFrom(minFd int, fn fdFunc) error {
+ 	}
+ 	defer fdDir.Close()
+ 
+-	if err := EnsureProcHandle(fdDir); err != nil {
+-		return err
+-	}
+-
+ 	fdList, err := fdDir.Readdirnames(-1)
+ 	if err != nil {
+ 		return err
+-- 
+2.45.4
+

SPECS/kubernetes/kubernetes.spec

@@ -10,7 +10,7 @@
 Summary:        Microsoft Kubernetes
 Name:           kubernetes
 Version:        1.30.10
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -27,6 +27,7 @@ Patch5:         CVE-2024-51744.patch
 Patch6:         CVE-2025-30204.patch
 Patch7:         CVE-2025-22872.patch
 Patch8:         CVE-2025-4563.patch
+Patch9:         CVE-2025-52881.patch
 BuildRequires:  flex-devel
 BuildRequires:  glibc-static >= 2.38-16%{?dist}
 BuildRequires:  golang < 1.25
@@ -278,6 +279,9 @@ fi
 %{_exec_prefix}/local/bin/pause
 
 %changelog
+* Tue Nov 25 2025 Azure Linux Security Servicing Account <[email protected]> - 1.30.10-16
+- Patch for CVE-2025-52881
+
 * Mon Nov 10 2025 Andrew Phelps <[email protected]> - 1.30.10-15
 - Bump to rebuild with updated glibc