[AutoPR- Security] Patch kubernetes for CVE-2025-52881 [MEDIUM]

SPECS/kubernetes/CVE-2025-52881.patch

@@ -0,0 +1,55 @@
+From 86e6e7e2499b85172a329194b55fbb630f7581d3 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Mon, 8 Dec 2025 07:24:02 +0000
+Subject: [PATCH] vendor(runc): use internal/pathrs MkdirAllInRoot and
+ IsLexicallyInRoot in rootfs_linux.go to avoid symlink races
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/opencontainers/runc/commit/6fc191449109ea14bb7d61238f24a33fe08c651f.patch
+---
+ .../opencontainers/runc/libcontainer/rootfs_linux.go      | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
+index 70ef9e60..a22d24a8 100644
+--- a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
++++ b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go
+@@ -285,7 +285,7 @@ func mountCgroupV1(m *configs.Mount, c *mountConfig) error {
+ 	for _, b := range binds {
+ 		if c.cgroupns {
+ 			subsystemPath := filepath.Join(c.root, b.Destination)
+-			if err := os.MkdirAll(subsystemPath, 0o755); err != nil {
++			if err := pathrs.MkdirAllInRoot(c.root, subsystemPath, 0o755); err != nil {
+ 				return err
+ 			}
+ 			if err := utils.WithProcfd(c.root, b.Destination, func(procfd string) error {
+@@ -427,7 +427,7 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ 		// TODO: This won't be necessary once we switch to libpathrs and we can
+ 		//       stop all of these symlink-exchange attacks.
+ 		dest := filepath.Clean(m.Destination)
+-		if !strings.HasPrefix(dest, rootfs) {
++		if !pathrs.IsLexicallyInRoot(rootfs, dest) {
+ 			// Do not use securejoin as it resolves symlinks.
+ 			dest = filepath.Join(rootfs, dest)
+ 		}
+@@ -438,7 +438,7 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ 		} else if !fi.IsDir() {
+ 			return fmt.Errorf("filesystem %q must be mounted on ordinary directory", m.Device)
+ 		}
+-		if err := os.MkdirAll(dest, 0o755); err != nil {
++		if err := pathrs.MkdirAllInRoot(rootfs, dest, 0o755); err != nil {
+ 			return err
+ 		}
+ 		// Selinux kernels do not support labeling of /proc or /sys.
+@@ -515,7 +515,7 @@ func mountToRootfs(m *configs.Mount, c *mountConfig) error {
+ 		if err := checkProcMount(rootfs, dest, m.Source); err != nil {
+ 			return err
+ 		}
+-		if err := os.MkdirAll(dest, 0o755); err != nil {
++		if err := pathrs.MkdirAllInRoot(rootfs, dest, 0o755); err != nil {
+ 			return err
+ 		}
+ 		return mountPropagate(m, rootfs, mountLabel, mountFd)
+-- 
+2.45.4
+

SPECS/kubernetes/kubernetes.spec

@@ -10,7 +10,7 @@
 Summary:        Microsoft Kubernetes
 Name:           kubernetes
 Version:        1.30.10
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -29,6 +29,7 @@ Patch7:         CVE-2025-22872.patch
 Patch8:         CVE-2025-4563.patch
 Patch9:         CVE-2025-31133.patch
 Patch10:        CVE-2025-52565.patch
+Patch11:        CVE-2025-52881.patch
 BuildRequires:  flex-devel
 BuildRequires:  glibc-static >= 2.38-16%{?dist}
 BuildRequires:  golang < 1.25
@@ -280,6 +281,9 @@ fi
 %{_exec_prefix}/local/bin/pause
 
 %changelog
+* Mon Dec 08 2025 Azure Linux Security Servicing Account <[email protected]> - 1.30.10-17
+- Patch for CVE-2025-52881
+
 
 * Mon Dec 1 2025 Andrew Phelps <[email protected]> - 1.30.10-16
 - Bump to rebuild with updated glibc