Upgrade runc version to 1.1.12+

[ajchiarello]

Description

The version of runc in buildx is vulnerable to CVE-2024-21626. Patches for this vulnerability are included in runc 1.1.12; can the version in buildx be updated to remove this vulnerability?

[crazy-max]

The version of runc in buildx

We don't directly use runc in buildx, can you show any relevant code path?

[ajchiarello]

This was the result of a trivy scan of the docker:25 container image, which reported that the docker-buildx binary contained the library github.com/opencontainers/runc v1.1.9, which is vulnerable to this CVE. Is this a false positive?

[crazy-max]

This was the result of a trivy scan of the docker:25 container image, which reported that the docker-buildx binary contained the library github.com/opencontainers/runc v1.1.9, which is vulnerable to this CVE. Is this a false positive?

Right so vulnerable code path is not actually used in buildx, this is a false positive. We were using the libcontainer/user package which has been moved recently to https://github.com/moby/sys/tree/main/user (relevant PR moby/sys#134). cc @thaJeztah

[ajchiarello]

Great, thanks! I can document it as a False Positive and move on, then.