From 1a9eef4391a8157b8c9b952b046345cdee16cadc Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Tue, 25 Nov 2025 03:52:15 +0000
Subject: [PATCH] Patch kubernetes for CVE-2025-52881

---
 SPECS/kubernetes/CVE-2025-52881.patch | 66 +++++++++++++++++++++++++++
 SPECS/kubernetes/kubernetes.spec | 6 ++-
 2 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/kubernetes/CVE-2025-52881.patch

diff --git a/SPECS/kubernetes/CVE-2025-52881.patch b/SPECS/kubernetes/CVE-2025-52881.patch
new file mode 100644
index 00000000000..ad6215ae07a
--- /dev/null
+++ b/SPECS/kubernetes/CVE-2025-52881.patch
@@ -0,0 +1,66 @@
+From b2429c110d523dad5a0d7ecca43914e75e42a62c Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Tue, 25 Nov 2025 03:46:49 +0000
+Subject: [PATCH] vendor(runc): drop EnsureProcHandle checks and helper per
+ upstream patch; rely on securejoin.ProcThreadSelf\n\n- Remove
+ utils.EnsureProcHandle function\n- Remove its usage in apparmor setProcAttr
+ and utils fdRangeFrom\n\nBackport of upstream change.
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28.diff
+---
+ .../runc/libcontainer/apparmor/apparmor_linux.go | 3 ---
+ .../runc/libcontainer/utils/utils_unix.go | 16 ----------------
+ 2 files changed, 19 deletions(-)
+
+diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+index 8b1483c7..e187dc0d 100644
+--- a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
++++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+@@ -40,9 +40,6 @@ func setProcAttr(attr, value string) error {
+ }
+ defer f.Close()
+
+- if err := utils.EnsureProcHandle(f); err != nil {
+- return err
+- }
+
+ _, err = f.WriteString(value)
+ return err
+diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+index bf3237a2..ec0c1f87 100644
+--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
++++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+@@ -12,18 +12,6 @@ import (
+ "golang.org/x/sys/unix"
+ )
+
+-// EnsureProcHandle returns whether or not the given file handle is on procfs.
+-func EnsureProcHandle(fh *os.File) error {
+- var buf unix.Statfs_t
+- if err := unix.Fstatfs(int(fh.Fd()), &buf); err != nil {
+- return fmt.Errorf("ensure %s is on procfs: %w", fh.Name(), err)
+- }
+- if buf.Type != unix.PROC_SUPER_MAGIC {
+- return fmt.Errorf("%s is not on procfs", fh.Name())
+- }
+- return nil
+-}
+-
+ type fdFunc func(fd int)
+
+ // fdRangeFrom calls the passed fdFunc for each file descriptor that is open in
+@@ -35,10 +23,6 @@ func fdRangeFrom(minFd int, fn fdFunc) error {
+ }
+ defer fdDir.Close()
+
+- if err := EnsureProcHandle(fdDir); err != nil {
+- return err
+- }
+-
+ fdList, err := fdDir.Readdirnames(-1)
+ if err != nil {
+ return err
+--
+2.45.4
+
diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec
index 949bf3c3f84..c88fa738f06 100644
--- a/SPECS/kubernetes/kubernetes.spec
+++ b/SPECS/kubernetes/kubernetes.spec
@@ -10,7 +10,7 @@ Summary: Microsoft Kubernetes
 Name: kubernetes
 Version: 1.30.10
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -27,6 +27,7 @@ Patch5: CVE-2024-51744.patch
 Patch6: CVE-2025-30204.patch
 Patch7: CVE-2025-22872.patch
 Patch8: CVE-2025-4563.patch
+Patch9: CVE-2025-52881.patch
 BuildRequires: flex-devel
 BuildRequires: glibc-static >= 2.38-16%{?dist}
 BuildRequires: golang < 1.25
@@ -278,6 +279,9 @@ fi
 %{_exec_prefix}/local/bin/pause
 %changelog
+* Tue Nov 25 2025 Azure Linux Security Servicing Account - 1.30.10-16
+- Patch for CVE-2025-52881
+
 * Mon Nov 10 2025 Andrew Phelps - 1.30.10-15
 - Bump to rebuild with updated glibc
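Review bot: The vendored patch is deletion-only (its own diffstat reads `2 files changed, 19 deletions(-)`): it removes the `utils.EnsureProcHandle(f)` guard from setProcAttr and the `EnsureProcHandle(fdDir)` guard from fdRangeFrom, while its subject says the code is to rely on `securejoin.ProcThreadSelf` instead, yet no hunk here changes how `f` or `fdDir` is opened — both opens sit above their hunks, outside what is shown. Unless the runc copy vendored into this kubernetes tree already obtains those handles via ProcThreadSelf, this backport drops the fstatfs/PROC_SUPER_MAGIC check without its replacement, which for this package is a net loss of a defensive check rather than a fix; please confirm the open sites in apparmor_linux.go and utils_unix.go before merging, especially since the reference is marked as an AI backport. The import blocks are also untouched: if the `utils` import in apparmor_linux.go and the `fmt`/`os` imports in utils_unix.go had no other users, both files will now fail to compile with unused imports. setProcAttr and fdRangeFrom both begin before their hunks.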