diff --git a/SPECS/kubernetes/CVE-2025-52881.patch b/SPECS/kubernetes/CVE-2025-52881.patch
new file mode 100644
index 00000000000..fa619a786a9
--- /dev/null
+++ b/SPECS/kubernetes/CVE-2025-52881.patch
@@ -0,0 +1,79 @@
+From bb2aa8a6697b2edaf6879091f4b8e48fd4a7cc71 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Tue, 25 Nov 2025 03:18:53 +0000
+Subject: [PATCH] vendor: runc: remove redundant EnsureProcHandle checks and
+ function per patch; drop import in apparmor
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28.diff
+---
+ .../runc/libcontainer/apparmor/apparmor_linux.go | 4 ----
+ .../runc/libcontainer/utils/utils_unix.go | 16 ----------------
+ 2 files changed, 20 deletions(-)
+
+diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+index 8b1483c7..dcdd1c20 100644
+--- a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
++++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+@@ -6,7 +6,6 @@ import (
+ "os"
+ "sync"
+
+- "github.com/opencontainers/runc/libcontainer/utils"
+ )
+
+ var (
+@@ -40,9 +39,6 @@ func setProcAttr(attr, value string) error {
+ }
+ defer f.Close()
+
+- if err := utils.EnsureProcHandle(f); err != nil {
+- return err
+- }
+
+ _, err = f.WriteString(value)
+ return err
+diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+index bf3237a2..35ef00b2 100644
+--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
++++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+@@ -4,7 +4,6 @@
+ package utils
+
+ import (
+- "fmt"
+ "os"
+ "strconv"
+ _ "unsafe" // for go:linkname
+@@ -12,17 +11,6 @@ import (
+ "golang.org/x/sys/unix"
+ )
+
+-// EnsureProcHandle returns whether or not the given file handle is on procfs.
+-func EnsureProcHandle(fh *os.File) error {
+- var buf unix.Statfs_t
+- if err := unix.Fstatfs(int(fh.Fd()), &buf); err != nil {
+- return fmt.Errorf("ensure %s is on procfs: %w", fh.Name(), err)
+- }
+- if buf.Type != unix.PROC_SUPER_MAGIC {
+- return fmt.Errorf("%s is not on procfs", fh.Name())
+- }
+- return nil
+-}
+
+ type fdFunc func(fd int)
+
+@@ -35,10 +23,6 @@ func fdRangeFrom(minFd int, fn fdFunc) error {
+ }
+ defer fdDir.Close()
+
+- if err := EnsureProcHandle(fdDir); err != nil {
+- return err
+- }
+-
+ fdList, err := fdDir.Readdirnames(-1)
+ if err != nil {
+ return err
+--
+2.45.4
+
diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec
index 949bf3c3f84..c88fa738f06 100644
--- a/SPECS/kubernetes/kubernetes.spec
+++ b/SPECS/kubernetes/kubernetes.spec
@@ -10,7 +10,7 @@ Summary: Microsoft Kubernetes
 Name: kubernetes
 Version: 1.30.10
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -27,6 +27,7 @@ Patch5: CVE-2024-51744.patch
 Patch6: CVE-2025-30204.patch
 Patch7: CVE-2025-22872.patch
 Patch8: CVE-2025-4563.patch
+Patch9: CVE-2025-52881.patch
 BuildRequires: flex-devel
 BuildRequires: glibc-static >= 2.38-16%{?dist}
 BuildRequires: golang < 1.25
@@ -278,6 +279,9 @@ fi
 %{_exec_prefix}/local/bin/pause
 %changelog
+* Tue Nov 25 2025 Azure Linux Security Servicing Account - 1.30.10-16
+- Patch for CVE-2025-52881
+
 * Mon Nov 10 2025 Andrew Phelps - 1.30.10-15
 - Bump to rebuild with updated glibc
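Review bot: The backported patch only deletes the procfs verification — the `utils.EnsureProcHandle(f)` call in setProcAttr, the `EnsureProcHandle(fdDir)` call in fdRangeFrom, and the function itself — and adds no replacement, so after it is applied setProcAttr writes the attr value to a handle that is never confirmed to be on procfs and fdRangeFrom enumerates /proc/self/fd unverified, even though the diffstat and changelog present this as the fix for CVE-2025-52881. The Subject calls the checks "redundant", which presumably means the referenced upstream commit introduces a stronger verification elsewhere that makes them unnecessary, but that additive part is not in this 20-deletion patch and nothing visible here shows the vendored runc already carries it. Before shipping, either confirm that the vendored tree already contains the replacement procfs verification or include that hunk here, and record the reasoning in the patch description, e.g. `Upstream replaces EnsureProcHandle with <replacement check>; this tree already contains it as of <vendored runc commit>` with the placeholders filled in. Both setProcAttr and fdRangeFrom begin outside the quoted inner hunks, so the remainder of their bodies is not visible here.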