diff --git a/SPECS/kubernetes/CVE-2025-52881.patch b/SPECS/kubernetes/CVE-2025-52881.patch
new file mode 100644
index 00000000000..6b67747f681
--- /dev/null
+++ b/SPECS/kubernetes/CVE-2025-52881.patch
@@ -0,0 +1,55 @@
+From 86e6e7e2499b85172a329194b55fbb630f7581d3 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 8 Dec 2025 07:24:02 +0000
+Subject: [PATCH] vendor(runc): use internal/pathrs MkdirAllInRoot and
+ IsLexicallyInRoot in rootfs_linux.go to avoid symlink races
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f.patch
+---
+ .../opencontainers/runc/libcontainer/rootfs_linux.go | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
+index 70ef9e60..a22d24a8 100644
+--- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
++++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
+@@ -285,7 +285,7 @@ func mountCgroupV1(m *configs.Mount, c *mountConfig) error {
+ for _, b := range binds {
+ if c.cgroupns {
+ subsystemPath := filepath.Join(c.root, b.Destination)
+- if err := os.MkdirAll(subsystemPath, 0o755); err != nil {
++ if err := pathrs.MkdirAllInRoot(c.root, subsystemPath, 0o755); err != nil {
+ return err
+ }
+ if err := utils.WithProcfd(c.root, b.Destination, func(procfd string) error {
+@@ -427,7 +427,7 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ // TODO: This won't be necessary once we switch to libpathrs and we can
+ // stop all of these symlink-exchange attacks.
+ dest := filepath.Clean(m.Destination)
+- if !strings.HasPrefix(dest, rootfs) {
++ if !pathrs.IsLexicallyInRoot(rootfs, dest) {
+ // Do not use securejoin as it resolves symlinks.
+ dest = filepath.Join(rootfs, dest) + } +@@ -438,7 +438,7 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error { + } else if !fi.IsDir() { + return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device) + } +- if err := os.MkdirAll(dest, 0o755); err != nil { ++ if err := pathrs.MkdirAllInRoot(rootfs, dest, 0o755); err != nil { + return err + } + // Selinux kernels do not support labeling of /proc or /sys. +@@ -515,7 +515,7 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error { + if err := checkProcMount(rootfs, dest, m.Source); err != nil { + return err + } +- if err := os.MkdirAll(dest, 0o755); err != nil { ++ if err := pathrs.MkdirAllInRoot(rootfs, dest, 0o755); err != nil { + return err + } + return mountPropagate(m, rootfs, mountLabel, mountFd) +-- +2.45.4 + diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec index 2af25d7cd75..abf1aad193e 100644 --- a/SPECS/kubernetes/kubernetes.spec +++ b/SPECS/kubernetes/kubernetes.spec @@ -10,7 +10,7 @@ Summary: Microsoft Kubernetes Name: kubernetes Version: 1.30.10 -Release: 16%{?dist} +Release: 17%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -29,6 +29,7 @@ Patch7: CVE-2025-22872.patch Patch8: CVE-2025-4563.patch Patch9: CVE-2025-31133.patch Patch10: CVE-2025-52565.patch +Patch11: CVE-2025-52881.patch BuildRequires: flex-devel BuildRequires: glibc-static >= 2.38-16%{?dist} BuildRequires: golang < 1.25 @@ -280,6 +281,9 @@ fi %{_exec_prefix}/local/bin/pause %changelog +* Mon Dec 08 2025 Azure Linux Security Servicing Account - 1.30.10-17 +- Patch for CVE-2025-52881 + * Mon Dec 1 2025 Andrew Phelps - 1.30.10-16 - Bump to rebuild with updated glibc
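Review bot: The new calls to `pathrs.MkdirAllInRoot` and `pathrs.IsLexicallyInRoot` in rootfs_linux.go come with no import of the `pathrs` package and, per the embedded diffstat (`1 file changed, 4 insertions(+), 4 deletions(-)`), no vendored `internal/pathrs` package either, so this patch only compiles if an earlier patch in the series (Patch9/Patch10 in the spec) has already added both; that should be confirmed with a build before merging, since the `Upstream-reference` trailer marks this as an AI backport rather than a verified cherry-pick. In the same vein, if `strings.HasPrefix` at the `@@ -427,7` hunk was the only remaining use of `strings` in that file, the import becomes unused and the build fails — probably not the case, but worth checking. As rendered here, the `@@ -438,7 +438,7 @@` hunk carries only six lines against a declared seven (the `}` closing the `else if !fi.IsDir()` branch is not shown between `return fmt.Errorf(...)` and the replaced `MkdirAll` line); if that is the patch file's actual content rather than a display artifact, `git apply`/`%prep` will reject it. All three patched functions (`mountCgroupV1`, `mountToRootfs`) extend well beyond the hunks shown.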
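Review bot: `Patch11: CVE-2025-52881.patch` is declared in the `@@ -29,6 +29,7 @@` hunk, but nothing in this diff applies it; if `%prep` uses explicit `%patch` lines rather than `%autosetup -p1`, a matching `%patch -P 11 -p1` line is also required (the `%prep` section is outside these hunks). The release bump and changelog entry look consistent with the new patch.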