Dockerfile: update runc binary to v1.3.3

vvoland · vvoland · commit 35f6a780829f · 2025-11-05T10:57:28.000+01:00
Update the version used in CI and for the static binaries. - release notes: https://github.com/opencontainers/runc/releases/tag/v1.3.3 - full diff: opencontainers/runc@v1.3.2...v1.3.3 This release contains fixes for three high-severity security vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files. Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
diff --git a/Dockerfile b/Dockerfile
@@ -254,7 +254,7 @@ RUN git init . && git remote add origin "https://github.com/opencontainers/runc.
 # This version should usually match the version that is used by the containerd version
 # that is used. If you need to update runc, open a pull request in the containerd
 # project first, and update both after that is merged.
-ARG RUNC_VERSION=v1.3.2
+ARG RUNC_VERSION=v1.3.3
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
 
 FROM base AS runc-build
diff --git a/hack/dockerfile/install/runc.installer b/hack/dockerfile/install/runc.installer
@@ -7,7 +7,7 @@ set -e
 # The version of runc should match the version that is used by the containerd
 # version that is used. If you need to update runc, open a pull request in
 # the containerd project first, and update both after that is merged.
-: "${RUNC_VERSION:=v1.3.2}"
+: "${RUNC_VERSION:=v1.3.3}"
 
 install_runc() {
 	RUNC_BUILDTAGS="${RUNC_BUILDTAGS:-"seccomp"}"
