[AutoPR- Security] Patch moby-containerd-cc for CVE-2025-64329, CVE-2024-25621 [HIGH] (microsoft#15042)

Co-authored-by: Archana Shettigar <[email protected]>
Co-authored-by: jslobodzian <[email protected]>

Author: 3 people

SPECS/moby-containerd-cc/CVE-2024-25621.patch

@@ -0,0 +1,89 @@
+From 0450f046e6942e513d0ebf1ef5c2aff13daa187f Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <[email protected]>
+Date: Mon, 27 Oct 2025 16:42:59 +0900
+Subject: [PATCH] Fix directory permissions
+
+- Create /var/lib/containerd with 0o700 (was: 0o711).
+- Create config.TempDir with 0o700 (was: 0o711).
+- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
+- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
+- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
+  as required by userns-remapped containers.
+  /run/containerd/io.containerd.runtime.v2.task/<NS>/<ID> is created with:
+  - 0o700 for non-userns-remapped containers
+  - 0o710 for userns-remapped containers with the remapped root group as the owner group.
+
+Signed-off-by: AllSpark <[email protected]>
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f.patch
+
+---
+ pkg/cri/cri.go            |  8 ++++++++
+ runtime/v2/manager.go     |  2 ++
+ services/server/server.go | 14 ++++++++++++--
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
+index aa57313..55db3a2 100644
+--- a/pkg/cri/cri.go
++++ b/pkg/cri/cri.go
+@@ -62,6 +62,14 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
+ 		return nil, fmt.Errorf("invalid plugin config: %w", err)
+ 	}
+ 
++	if err := os.MkdirAll(ic.State, 0700); err != nil {
++		return nil, err
++	}
++	// chmod is needed for upgrading from an older release that created the dir with 0755
++	if err := os.Chmod(ic.State, 0700); err != nil {
++		return nil, err
++	}
++
+ 	c := criconfig.Config{
+ 		PluginConfig:       *pluginConfig,
+ 		ContainerdRootDir:  filepath.Dir(ic.Root),
+diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
+index 73e1af7..d48ac8f 100644
+--- a/runtime/v2/manager.go
++++ b/runtime/v2/manager.go
+@@ -133,6 +133,8 @@ type ManagerConfig struct {
+ // NewShimManager creates a manager for v2 shims
+ func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
+ 	for _, d := range []string{config.Root, config.State} {
++		// root:  the parent of this directory is created as 0700, not 0711.
++		// state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
+ 		if err := os.MkdirAll(d, 0711); err != nil {
+ 			return nil, err
+ 		}
+diff --git a/services/server/server.go b/services/server/server.go
+index 2a548ef..04782bf 100644
+--- a/services/server/server.go
++++ b/services/server/server.go
+@@ -76,12 +76,22 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ 		return err
+ 	}
+ 
+-	if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
++	if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
++		return err
++	}
++	// chmod is needed for upgrading from an older release that created the dir with 0o711
++	if err := os.Chmod(config.Root, 0700); err != nil {
+ 		return err
+ 	}
+ 
++	// For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
++	// Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
+ 	if config.TempDir != "" {
+-		if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
++		if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
++			return err
++		}
++		// chmod is needed for upgrading from an older release that created the dir with 0o711
++		if err := os.Chmod(config.Root, 0700); err != nil {
+ 			return err
+ 		}
+ 		if runtime.GOOS == "windows" {
+-- 
+2.45.4
+

SPECS/moby-containerd-cc/CVE-2025-64329.patch

@@ -0,0 +1,81 @@
+From 155777be3c6c8bb1e5d3c48df543079eed20bed9 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Mon, 10 Nov 2025 03:04:25 +0000
+Subject: [PATCH] fix(cri): prevent goroutine leak in ContainerIO.Attach by
+ honoring ctx cancellation and removing writer group entries; plumb context
+ through attach call
+
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750.patch
+---
+ pkg/cri/io/container_io.go         | 14 +++++++++++---
+ pkg/cri/sbserver/container_attach.go | 2 +-
+ pkg/cri/server/container_attach.go |  2 +-
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
+index 70bc8b7..e158410 100644
+--- a/pkg/cri/io/container_io.go
++++ b/pkg/cri/io/container_io.go
+@@ -17,6 +17,7 @@
+ package io
+ 
+ import (
++	"context"
+ 	"errors"
+ 	"io"
+ 	"strings"
+@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
+ 
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ 	var wg sync.WaitGroup
+ 	key := util.GenerateID()
+ 	stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
+ 	}
+ 
+ 	attachStream := func(key string, close <-chan struct{}) {
+-		<-close
+-		logrus.Infof("Attach stream %q closed", key)
++		select {
++		case <-close:
++			logrus.Infof("Attach stream %q closed", key)
++		case <-ctx.Done():
++			logrus.Infof("Attach client of %q cancelled", key)
++			// Avoid writeGroup heap up
++			c.stdoutGroup.Remove(key)
++			c.stderrGroup.Remove(key)
++		}
+ 		// Make sure stdin gets closed.
+ 		if stdinStreamRC != nil {
+ 			stdinStreamRC.Close()
+diff --git a/pkg/cri/sbserver/container_attach.go b/pkg/cri/sbserver/container_attach.go
+index 56f69c6..b2a534a 100644
+--- a/pkg/cri/sbserver/container_attach.go
++++ b/pkg/cri/sbserver/container_attach.go
+@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ 		},
+ 	}
+ 	// TODO(random-liu): Figure out whether we need to support historical output.
+-	cntr.IO.Attach(opts)
++	cntr.IO.Attach(ctx, opts)
+ 	return nil
+ }
+diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
+index cd79f3b..aa6519a 100644
+--- a/pkg/cri/server/container_attach.go
++++ b/pkg/cri/server/container_attach.go
+@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ 		},
+ 	}
+ 	// TODO(random-liu): Figure out whether we need to support historical output.
+-	cntr.IO.Attach(opts)
++	cntr.IO.Attach(ctx, opts)
+ 	return nil
+ }
+-- 
+2.45.4
+

SPECS/moby-containerd-cc/moby-containerd-cc.spec

@@ -6,7 +6,7 @@
 Summary: Industry-standard container runtime for confidential containers
 Name: moby-%{upstream_name}
 Version: 1.7.7
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -25,6 +25,8 @@ Patch5: CVE-2023-45288.patch
 Patch7: CVE-2023-44487.patch
 Patch8: CVE-2025-27144.patch
 Patch9: CVE-2024-40635.patch
+Patch10:CVE-2024-25621.patch
+Patch11:CVE-2025-64329.patch
 
 %{?systemd_requires}
 
@@ -82,6 +84,9 @@ fi
 %config(noreplace) %{_sysconfdir}/containerd/config.toml
 
 %changelog
+* Mon Nov 10 2025 Azure Linux Security Servicing Account <[email protected]> - 1.7.7-10
+- Patch for CVE-2025-64329, CVE-2024-25621
+
 * Wed Apr 16 2025 Manuel Huber <[email protected]> - 1.7.7-9
 - Fix CVE-2024-40635