fix(deps): update module github.com/opencontainers/runc to v1.3.3 - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/opencontainers/runc	v1.3.2 -> v1.3.3

---

Release Notes

opencontainers/runc (github.com/opencontainers/runc)

v1.3.3: runc v1.3.3 -- "奴らに支配されていた恐怖を"

Compare Source

[!NOTE]
Some vendors were given a pre-release version of this release.
This public release includes two extra patches to fix regressions
discovered very late during the embargo period and were thus not
included in the pre-release versions. Please update to this version.

This release contains fixes for three high-severity security
vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and
CVE-2025-52881). All three vulnerabilities ultimately allow (through
different methods) for full container breakouts by bypassing runc's
restrictions for writing to arbitrary /proc files.

Security

• CVE-2025-31133 exploits an issue with how masked paths are implemented in
  runc. When masking files, runc will bind-mount the container's /dev/null
  inode on top of the file. However, if an attacker can replace /dev/null
  with a symlink to some other procfs file, runc will instead bind-mount the
  symlink target read-write. This issue affected all known runc versions.

• CVE-2025-52565 is very similar in concept and application to
  CVE-2025-31133, except that it exploits a flaw in /dev/console
  bind-mounts. When creating the /dev/console bind-mount (to /dev/pts/$n),
  if an attacker replaces /dev/pts/$n with a symlink then runc will
  bind-mount the symlink target over /dev/console. This issue affected all
  versions of runc >= 1.0.0-rc3.

• CVE-2025-52881 is a more sophisticated variant of CVE-2019-19921,
  which was a flaw that allowed an attacker to trick runc into writing the LSM
  process labels for a container process into a dummy tmpfs file and thus not
  apply the correct LSM labels to the container process. The mitigation we
  applied for CVE-2019-19921 was fairly limited and effectively only caused
  runc to verify that when we write LSM labels that those labels are actual
  procfs files. This issue affects all known runc versions.

Added

• runc update now supports configuring per-device weights and iops. (#​4775,
  #​4807, #​4825, #​4931)

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

• libseccomp

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

---

Thanks to the following contributors for making this release possible:

• Akihiro Suda [email protected]
• Aleksa Sarai [email protected]
• Kir Kolyshkin [email protected]
• Lei Wang <ssst0n3@​gmail.com>
• Li Fubang [email protected]
• Rodrigo Campos [email protected]
• Tõnis Tiigi [email protected]

Signed-off-by: Aleksa Sarai [email protected]

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: common/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/cyphar/filepath-securejoin	v0.4.1 -> v0.5.1

[mtrmac]

This is, sort of, blocked on filepath-securejoin licensing, compare #432.

(OTOH containers/buildah#6473 , the most relevant callers will proceed anyway.)