diff --git a/SPECS/kubernetes/CVE-2025-52881.patch b/SPECS/kubernetes/CVE-2025-52881.patch
new file mode 100644
index 00000000000..452344f8bb8
--- /dev/null
+++ b/SPECS/kubernetes/CVE-2025-52881.patch
@@ -0,0 +1,65 @@
+From 7fa774fe3d91abb18ec29d880655e86ec32bf1e1 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Tue, 25 Nov 2025 04:42:43 +0000
+Subject: [PATCH] vendor/runc: drop EnsureProcHandle checks in apparmor
+ setProcAttr and fdRangeFrom, matching upstream patch
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/opencontainers/runc/commit/b3dd1bc562ed9996d1a0f249e056c16624046d28.diff
+---
+ .../runc/libcontainer/apparmor/apparmor_linux.go | 4 ----
+ .../runc/libcontainer/utils/utils_unix.go | 16 ----------------
+ 2 files changed, 20 deletions(-)
+
+diff --git a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+index 8b1483c7..d4f82364 100644
+--- a/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
++++ b/vendor/github.com/opencontainers/runc/libcontainer/apparmor/apparmor_linux.go
+@@ -40,10 +40,6 @@ func setProcAttr(attr, value string) error {
+ }
+ defer f.Close()
+ 
+- if err := utils.EnsureProcHandle(f); err != nil {
+- return err
+- }
+-
+ _, err = f.WriteString(value)
+ return err
+ }
+diff --git a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+index bf3237a2..ec0c1f87 100644
+--- a/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
++++ b/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+@@ -12,18 +12,6 @@ import (
+ "golang.org/x/sys/unix"
+ )
+ 
+-// EnsureProcHandle returns whether or not the given file handle is on procfs.
+-func EnsureProcHandle(fh *os.File) error {
+- var buf unix.Statfs_t
+- if err := unix.Fstatfs(int(fh.Fd()), &buf); err != nil {
+- return fmt.Errorf("ensure %s is on procfs: %w", fh.Name(), err)
+- }
+- if buf.Type != unix.PROC_SUPER_MAGIC {
+- return fmt.Errorf("%s is not on procfs", fh.Name())
+- }
+- return nil
+-}
+-
+ type fdFunc func(fd int)
+ 
+ // fdRangeFrom calls the passed fdFunc for each file descriptor that is open in
+@@ -35,10 +23,6 @@ func fdRangeFrom(minFd int, fn fdFunc) error {
+ }
+ defer fdDir.Close()
+ 
+- if err := EnsureProcHandle(fdDir); err != nil {
+- return err
+- }
+-
+ fdList, err := fdDir.Readdirnames(-1)
+ if err != nil {
+ return err
+--
+2.45.4
+
diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec
index 949bf3c3f84..c88fa738f06 100644
--- a/SPECS/kubernetes/kubernetes.spec
+++ b/SPECS/kubernetes/kubernetes.spec
@@ -10,7 +10,7 @@
 Summary: Microsoft Kubernetes
 Name: kubernetes
 Version: 1.30.10
-Release: 15%{?dist}
+Release: 16%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -27,6 +27,7 @@ Patch5: CVE-2024-51744.patch
 Patch6: CVE-2025-30204.patch
 Patch7: CVE-2025-22872.patch
 Patch8: CVE-2025-4563.patch
+Patch9: CVE-2025-52881.patch
 BuildRequires: flex-devel
 BuildRequires: glibc-static >= 2.38-16%{?dist}
 BuildRequires: golang < 1.25
@@ -278,6 +279,9 @@ fi
 %{_exec_prefix}/local/bin/pause
 
 %changelog
+* Tue Nov 25 2025 Azure Linux Security Servicing Account - 1.30.10-16
+- Patch for CVE-2025-52881
+
 * Mon Nov 10 2025 Andrew Phelps - 1.30.10-15
 - Bump to rebuild with updated glibc
 
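Review bot: The backported patch only deletes the procfs-magic check from `setProcAttr` and `fdRangeFrom` (the diffstat reads "20 deletions(-)" with no insertions) and puts nothing in its place, yet the spec changelog records it as the fix for CVE-2025-52881. If the referenced upstream commit is one piece of a series that replaces `EnsureProcHandle` with a stricter procfs-handle verification, that replacement is absent here, so the net effect of this change as written would be to drop a defensive check on the file that `f.WriteString(value)` writes to rather than to close the issue; please confirm against the full upstream series and state in the patch description which upstream commits this backport covers. The `Upstream-reference: AI Backport of ...` trailer should also name the person who reviewed the generated backport. Separately, the `utils_unix.go` hunk leaves the import block untouched while removing the only visible uses of `fmt` and `unix.Fstatfs`/`unix.Statfs_t`; confirm that `fmt` is still referenced elsewhere in that file, since an unused import in a vendored file fails the Go build. Both inner hunks show only fragments of `setProcAttr` and `fdRangeFrom`; the enclosing functions start and end outside the hunk.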