VERSION: release v1.2.8

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 797fe9d..bdda19d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,40 @@
 
 ## [Unreleased 1.2.z]
 
+## [1.2.8] - 2025-11-05
+
+> 鳥籠の中に囚われた屈辱を
+
+### Security
+
+This release includes fixes for the following high-severity security issues:
+
+* [CVE-2025-31133][] exploits an issue with how masked paths are implemented in
+  runc. When masking files, runc will bind-mount the container's `/dev/null`
+  inode on top of the file. However, if an attacker can replace `/dev/null`
+  with a symlink to some other procfs file, runc will instead bind-mount the
+  symlink target read-write. This issue affected all known runc versions.
+
+* [CVE-2025-52565][] is very similar in concept and application to
+  [CVE-2025-31133][], except that it exploits a flaw in `/dev/console`
+  bind-mounts. When creating the `/dev/console` bind-mount (to `/dev/pts/$n`),
+  if an attacker replaces `/dev/pts/$n` with a symlink then runc will
+  bind-mount the symlink target over `/dev/console`. This issue affected all
+  versions of runc >= 1.0.0-rc3.
+
+* [CVE-2025-52881][] is a more sophisticated variant of [CVE-2019-19921][],
+  which was a flaw that allowed an attacker to trick runc into writing the LSM
+  process labels for a container process into a dummy tmpfs file and thus not
+  apply the correct LSM labels to the container process. The mitigation we
+  applied for [CVE-2019-19921][] was fairly limited and effectively only caused
+  runc to verify that when we write LSM labels that those labels are actual
+  procfs files. This issue affects all known runc versions.
+
+[CVE-2019-19921]: https://github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
+[CVE-2025-31133]: https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
+[CVE-2025-52565]: https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r
+[CVE-2025-52881]: https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm
+
 ## [1.2.7] - 2025-09-05
 
 > さんをつけろよデコ助野郎!
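Review bot: The CVE-2025-52881 entry describes CVE-2019-19921 and the limits of its earlier mitigation, but it never says what the new variant does or what this release changes to address it. Please add a sentence covering the variant itself, as the first two entries do for their issues. In the same entry, "verify that when we write LSM labels that those labels are actual procfs files" reads as though the labels are files. The check is presumably on the files being written to, so something like "verify that the files we write LSM labels to are actual procfs files" would be clearer. The tense is also inconsistent: the first two entries say "This issue affected", the third says "This issue affects". None of the three entries tells users what to do beyond the implied upgrade. If the linked advisories carry mitigations for users who cannot upgrade immediately, a one-line pointer to them would help.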
@@ -1055,7 +1089,8 @@
 [1.1.0-rc.1]: https://github.com/opencontainers/runc/compare/v1.0.0...v1.1.0-rc.1
 
 <!-- 1.2.z patch releases -->
-[Unreleased 1.2.z]: https://github.com/opencontainers/runc/compare/v1.2.7...release-1.2
+[Unreleased 1.2.z]: https://github.com/opencontainers/runc/compare/v1.2.8...release-1.2
+[1.2.8]: https://github.com/opencontainers/runc/compare/v1.2.7...v1.2.8
 [1.2.7]: https://github.com/opencontainers/runc/compare/v1.2.6...v1.2.7
 [1.2.6]: https://github.com/opencontainers/runc/compare/v1.2.5...v1.2.6
 [1.2.5]: https://github.com/opencontainers/runc/compare/v1.2.4...v1.2.5
diff --git a/VERSION b/VERSION
index 49649b8..db6fb4a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.2.7+dev
+1.2.8
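Review bot: VERSION drops the "+dev" suffix here ("1.2.7+dev" to "1.2.8"), so any build made from this branch after the tag will report itself as the release until the suffix is restored. Please confirm that a follow-up commit sets it back to a development value (for example "1.2.8+dev") immediately after tagging, so that unreleased builds of the branch cannot be mistaken for the patched release when operators check which version they are running.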