
Commit bfda231

Patch kubernetes for CVE-2025-52881
1 parent 67c0c70 commit bfda231


2 files changed

+67
-1
lines changed

Lines changed: 62 additions & 0 deletions
@@ -0,0 +1,62 @@
1+
From 44be23d626b562a7c674422bf02a7ceef32c4959 Mon Sep 17 00:00:00 2001
2+
From: AllSpark <[email protected]>
3+
Date: Mon, 24 Nov 2025 10:23:43 +0000
4+
Subject: [PATCH] Backport: remove EnsureProcHandle checks as per upstream
5+
patch
6+
7+
Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
8+
Upstream-reference: AI Backport of https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28.diff
9+
---
10+
.../runc/libcontainer/apparmor/apparmor_linux.go | 3 ---
11+
.../runc/libcontainer/utils/utils_unix.go | 14 --------------
12+
2 files changed, 17 deletions(-)
13+
14+
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
15+
index 8b1483c7..e187dc0d 100644
16+
--- a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
17+
+++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
18+
@@ -40,9 +40,6 @@ func setProcAttr(attr, value string) error {
19+
}
20+
defer f.Close()
21+
22+
- if err := utils.EnsureProcHandle(f); err != nil {
23+
- return err
24+
- }
25+
26+
_, err = f.WriteString(value)
27+
return err
28+
diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
29+
index bf3237a2..848da090 100644
30+
--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
31+
+++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
32+
@@ -12,17 +12,6 @@ import (
33+
"golang.org/x/sys/unix"
34+
)
35+
36+
-// EnsureProcHandle returns whether or not the given file handle is on procfs.
37+
-func EnsureProcHandle(fh *os.File) error {
38+
- var buf unix.Statfs_t
39+
- if err := unix.Fstatfs(int(fh.Fd()), &buf); err != nil {
40+
- return fmt.Errorf("ensure %s is on procfs: %w", fh.Name(), err)
41+
- }
42+
- if buf.Type != unix.PROC_SUPER_MAGIC {
43+
- return fmt.Errorf("%s is not on procfs", fh.Name())
44+
- }
45+
- return nil
46+
-}
47+
48+
type fdFunc func(fd int)
49+
50+
@@ -35,9 +24,6 @@ func fdRangeFrom(minFd int, fn fdFunc) error {
51+
}
52+
defer fdDir.Close()
53+
54+
- if err := EnsureProcHandle(fdDir); err != nil {
55+
- return err
56+
- }
57+
58+
fdList, err := fdDir.Readdirnames(-1)
59+
if err != nil {
60+
--
61+
2.45.4
62+
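Review bot: The embedded backport only deletes the `utils.EnsureProcHandle` guard in `setProcAttr` and `fdRangeFrom` and adds nothing in its place, so as far as this page shows the AppArmor attribute write `f.WriteString(value)` now goes to whatever the opened path resolved to, with no check that the handle is on procfs. Upstream presumably dropped these checks because the open itself moved onto a verified-procfs helper elsewhere in the same series; that replacement is not visible here, so confirm the vendored runc in this tree already contains it, otherwise the guards should stay. Both hunks start inside their functions, so the open calls cannot be checked from this page. Because the header marks this as an "AI Backport", I would add a line to the patch description naming which upstream commits of the series were applied and which were deliberately left out. It is also worth confirming that `fmt` and `os` are still used elsewhere in `utils_unix.go` after `EnsureProcHandle` is removed, since the import block is untouched.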

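--- a/SPECS/kubernetes/kubernetes.spec
+++ b/SPECS/kubernetes/kubernetes.spec
@@ -10,7 +10,7 @@
 Summary: Microsoft Kubernetes
 Name: kubernetes
 Version: 1.30.10
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -27,6 +27,7 @@ Patch5: CVE-2024-51744.patch
 Patch6: CVE-2025-30204.patch
 Patch7: CVE-2025-22872.patch
 Patch8: CVE-2025-4563.patch
+Patch9: CVE-2025-52881.patch
 BuildRequires: flex-devel
 BuildRequires: glibc-static >= 2.38-16%{?dist}
 BuildRequires: golang < 1.25
@@ -278,6 +279,9 @@ fi
 %{_exec_prefix}/local/bin/pause
 
 %changelog
+* Mon Nov 24 2025 Azure Linux Security Servicing Account <[email protected]> - 1.30.10-16
+- Patch for CVE-2025-52881
+
 * Mon Nov 10 2025 Andrew Phelps <[email protected]> - 1.30.10-15
 - Bump to rebuild with updated glibc
 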