From f6c3cb1b2cf631351392d2179b6896f150aeab84 Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Tue, 25 Nov 2025 17:02:49 +0800
Subject: [PATCH] fix CVE-2024-25621 and CVE-2025-64329
---
 containerd.spec | 8 +-
 .../0115-containerd-fix-CVE-2024-25621.patch | 88 +++++++++++++++++++
 .../0116-containerd-fix-CVE-2025-64329.patch | 73 +++++++++++++++
 series.conf | 2 +
 4 files changed, 170 insertions(+), 1 deletion(-)
 create mode 100644 patch/0115-containerd-fix-CVE-2024-25621.patch
 create mode 100644 patch/0116-containerd-fix-CVE-2025-64329.patch
diff --git a/containerd.spec b/containerd.spec
index 6924d35..b7f6234 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version: 1.2.0
 Name: containerd
-Release: 220
+Release: 221
 Summary: An industry-standard container runtime
 License: ASL 2.0
 URL: https://containerd.io
@@ -44,6 +44,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr
 %{_bindir}/ctr
 
 %changelog
+* Tue Nov 25 2025 dongyuzhen - 1.2.0-221
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2024-25621 and CVE-2025-64329
+
 * Thu Aug 21 2025 Yu Peng - 1.2.0-220
 - Type:bugfix
 - ID:NA
diff --git a/patch/0115-containerd-fix-CVE-2024-25621.patch b/patch/0115-containerd-fix-CVE-2024-25621.patch
new file mode 100644
index 0000000..9682929
--- /dev/null
+++ b/patch/0115-containerd-fix-CVE-2024-25621.patch
@@ -0,0 +1,88 @@
+From 0450f046e6942e513d0ebf1ef5c2aff13daa187f Mon Sep 17 00:00:00 2001
+From: Akihiro Suda
+Date: Mon, 27 Oct 2025 16:42:59 +0900
+Subject: [PATCH] Fix directory permissions
+
+- Create /var/lib/containerd with 0o700 (was: 0o711).
+- Create config.TempDir with 0o700 (was: 0o711).
+- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
+- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
+- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
+ as required by userns-remapped containers.
+ /run/containerd/io.containerd.runtime.v2.task// is created with:
+ - 0o700 for non-userns-remapped containers
+ - 0o710 for userns-remapped containers with the remapped root group as the owner group.
+
+Signed-off-by: Akihiro Suda
+(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
+Signed-off-by: Akihiro Suda
+---
+ runtime/v2/manager.go | 2 ++
+ services/server/server.go | 8 +++++++-
+ vendor/github.com/containerd/cri/cri.go | 9 +++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
+index a04082d..fd64a16 100644
+--- a/runtime/v2/manager.go
++++ b/runtime/v2/manager.go
+@@ -61,6 +61,8 @@ func init() {
+ // New task manager for v2 shims
+ func New(ctx context.Context, root, state, containerdAddress string, events *exchange.Exchange, db *metadata.DB) (*TaskManager, error) {
+ for _, d := range []string{root, state} {
++ // root: the parent of this directory is created as 0700, not 0711.
++ // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
+ if err := os.MkdirAll(d, 0711); err != nil {
+ return nil, err
+ }
+diff --git a/services/server/server.go b/services/server/server.go
+index 71214b7..145cf33 100644
+--- a/services/server/server.go
++++ b/services/server/server.go
+@@ -61,9 +61,15 @@ func New(ctx context.Context, config *srvconfig.Config) (*Server, error) {
+ return nil, errors.New("root and state must be different paths")
+ }
+
+- if err := os.MkdirAll(config.Root, 0711); err != nil {
++ if err := os.MkdirAll(config.Root, 0700); err != nil {
+ return nil, err
+ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0700); err != nil {
++ return nil, err
++ }
++ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
+ if err := os.MkdirAll(config.State, 0711); err != nil {
+ return nil, err
+ }
+diff --git a/vendor/github.com/containerd/cri/cri.go b/vendor/github.com/containerd/cri/cri.go
+index c06b050..312d9e3 100644
+--- a/vendor/github.com/containerd/cri/cri.go
++++ b/vendor/github.com/containerd/cri/cri.go
+@@ -18,6 +18,7 @@ package cri
+
+ import (
+ "flag"
++ "os"
+ "path/filepath"
+
+ "github.com/containerd/containerd"
+@@ -62,6 +63,14 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
+ ic.Meta.Exports = map[string]string{"CRIVersion": constants.CRIVersion}
+ ctx := ic.Context
+ pluginConfig := ic.Config.(*criconfig.PluginConfig)
++
++ if err := os.MkdirAll(ic.State, 0700); err != nil {
++ return nil, err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0755
++ if err := os.Chmod(ic.State, 0700); err != nil {
++ return nil, err
++ }
+ c := criconfig.Config{
+ PluginConfig: *pluginConfig,
+ ContainerdRootDir: filepath.Dir(ic.Root),
+--
+2.43.0
+
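Review bot: The patch header lists five upstream changes but the backported diff carries only three of them: the `config.TempDir` and `io.containerd.sandbox.controller.v1.shim` bullets have no corresponding hunk, presumably because 1.2.0 has no such paths. A backport note in the header (or the spec changelog) naming the dropped parts and why, e.g. `[backport] TempDir and sandbox-controller hunks dropped: not present in 1.2.0`, would keep the description truthful for anyone auditing the CVE fix. The `os.Chmod` that follows `os.MkdirAll` in server.go and cri.go is what actually narrows a pre-existing directory on upgrade, since `MkdirAll` leaves an existing directory's mode alone and the mode it creates with is also subject to the umask; the comments state the first reason and could mention the umask as well. The enclosing functions `New` and `initCRIService` continue outside these hunks.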
diff --git a/patch/0116-containerd-fix-CVE-2025-64329.patch b/patch/0116-containerd-fix-CVE-2025-64329.patch
new file mode 100644
index 0000000..8a3ace7
--- /dev/null
+++ b/patch/0116-containerd-fix-CVE-2025-64329.patch
@@ -0,0 +1,73 @@
+From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
+From: wheat2018 <1151937289@qq.com>
+Date: Tue, 13 Aug 2024 15:56:31 +0800
+Subject: [PATCH] fix goroutine leak of container Attach
+
+The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
+never finish if it attaches to a container without any stdout or stderr
+output. Wait for http context cancel and break the pipe actively to
+address the issue.
+
+Signed-off-by: wheat2018 <1151937289@qq.com>
+Signed-off-by: Akihiro Suda
+(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
+Signed-off-by: Akihiro Suda
+---
+ .../containerd/cri/pkg/server/container_attach.go | 2 +-
+ .../containerd/cri/pkg/server/io/container_io.go | 14 +++++++++++---
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/github.com/containerd/cri/pkg/server/container_attach.go b/vendor/github.com/containerd/cri/pkg/server/container_attach.go
+index 91cdaac..f727faa 100644
+--- a/vendor/github.com/containerd/cri/pkg/server/container_attach.go
++++ b/vendor/github.com/containerd/cri/pkg/server/container_attach.go
+@@ -77,6 +77,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ },
+ }
+ // TODO(random-liu): Figure out whether we need to support historical output.
+- cntr.IO.Attach(opts)
++ cntr.IO.Attach(ctx, opts)
+ return nil
+ }
+diff --git a/vendor/github.com/containerd/cri/pkg/server/io/container_io.go b/vendor/github.com/containerd/cri/pkg/server/io/container_io.go
+index 7edf627..3885948 100644
+--- a/vendor/github.com/containerd/cri/pkg/server/io/container_io.go
++++ b/vendor/github.com/containerd/cri/pkg/server/io/container_io.go
+@@ -17,6 +17,7 @@ limitations under the License.
+ package io
+
+ import (
++ "context"
+ "errors"
+ "io"
+ "strings"
+@@ -132,7 +133,7 @@ func (c *ContainerIO) Pipe() {
+
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ var wg sync.WaitGroup
+ key := util.GenerateID()
+ stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -173,8 +174,15 @@ func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ }
+
+ attachStream := func(key string, close <-chan struct{}) {
+- <-close
+- logrus.Infof("Attach stream %q closed", key)
++ select {
++ case <-close:
++ logrus.Infof("Attach stream %q closed", key)
++ case <-ctx.Done():
++ logrus.Infof("Attach client of %q cancelled", key)
++ // Avoid writeGroup heap up
++ c.stdoutGroup.Remove(key)
++ c.stderrGroup.Remove(key)
++ }
+ // Make sure stdin gets closed.
+ if stdinStreamRC != nil {
+ stdinStreamRC.Close()
+--
+2.43.0
+
diff --git a/series.conf b/series.conf
index ad843fe..90cedf6 100644
--- a/series.conf
+++ b/series.conf
@@ -116,3 +116,5 @@ patch/0111-containerd-disable-Transparent-HugePage-for-shim-pro.patch
 patch/0112-containerd-cio-FIFOSet.Close-check-if-FIFOSet-is-nill-to-preven.patch
 patch/0113-containerd-fix-CVE-2024-40635.patch
 patch/0114-containerd-remove-limitnofile-from-containerd-service.patch
+patch/0115-containerd-fix-CVE-2024-25621.patch
+patch/0116-containerd-fix-CVE-2025-64329.patch
-- 
Gitee
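Review bot: The new `ctx` parameter of `Attach` is left undocumented: the existing `// Attach attaches container stdio.` comment should state that ctx must stay live for the whole attach session, because Attach returns right after starting the stream goroutines and the `ctx.Done()` branch now detaches the client as soon as the context is cancelled, so a caller passing a short-lived context would tear the streams down immediately; something like `// Attach attaches container stdio. It returns once the copy goroutines are started; ctx must remain live for the duration of the session — when it is cancelled the client's writers are removed from the stdout/stderr groups and its stdin is closed.` In the cancellation branch each stream goroutine calls `Remove` on both `c.stdoutGroup` and `c.stderrGroup` with its own key, so one of the two calls is always a no-op; that is harmless if `Remove` tolerates a missing key (not visible here), but a short comment saying so, or removing from the matching group only, would make the intent clearer. The `Attach` body, including where the writers are added to the groups, continues outside this hunk.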