Patch moby-containerd-cc for CVE-2025-64329

azurelinux-security · azurelinux-security · commit cbb50d25270f · 2025-11-12T06:45:32.000Z
diff --git a/SPECS/moby-containerd-cc/CVE-2025-64329.patch b/SPECS/moby-containerd-cc/CVE-2025-64329.patch
@@ -0,0 +1,68 @@
+From 711fc7f7388bdb317a813a791d9e8d38f725a85f Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 10 Nov 2025 03:04:25 +0000
+Subject: [PATCH] fix(cri): prevent goroutine leak in ContainerIO.Attach by
+ honoring ctx cancellation and removing writer group entries; plumb context
+ through attach call
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport from Build Backport-Build-ID-978512
+---
+ pkg/cri/io/container_io.go         | 14 +++++++++++---
+ pkg/cri/server/container_attach.go |  2 +-
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
+index 70bc8b7..e158410 100644
+--- a/pkg/cri/io/container_io.go
++++ b/pkg/cri/io/container_io.go
+@@ -17,6 +17,7 @@
+ package io
+ 
+ import (
++	"context"
+ 	"errors"
+ 	"io"
+ 	"strings"
+@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
+ 
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ 	var wg sync.WaitGroup
+ 	key := util.GenerateID()
+ 	stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
+ 	}
+ 
+ 	attachStream := func(key string, close <-chan struct{}) {
+-		<-close
+-		logrus.Infof("Attach stream %q closed", key)
++		select {
++		case <-close:
++			logrus.Infof("Attach stream %q closed", key)
++		case <-ctx.Done():
++			logrus.Infof("Attach client of %q cancelled", key)
++			// Avoid writeGroup heap up
++			c.stdoutGroup.Remove(key)
++			c.stderrGroup.Remove(key)
++		}
+ 		// Make sure stdin gets closed.
+ 		if stdinStreamRC != nil {
+ 			stdinStreamRC.Close()
+diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
+index cd79f3b..aa6519a 100644
+--- a/pkg/cri/server/container_attach.go
++++ b/pkg/cri/server/container_attach.go
+@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ 		},
+ 	}
+ 	// TODO(random-liu): Figure out whether we need to support historical output.
+-	cntr.IO.Attach(opts)
++	cntr.IO.Attach(ctx, opts)
+ 	return nil
+ }
+-- 
+2.45.4
+
diff --git a/SPECS/moby-containerd-cc/moby-containerd-cc.spec b/SPECS/moby-containerd-cc/moby-containerd-cc.spec
@@ -6,7 +6,7 @@
 Summary: Industry-standard container runtime for confidential containers
 Name: moby-%{upstream_name}
 Version: 1.7.7
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -25,6 +25,7 @@ Patch5: CVE-2023-45288.patch
 Patch7: CVE-2023-44487.patch
 Patch8: CVE-2025-27144.patch
 Patch9: CVE-2024-40635.patch
+Patch10:CVE-2025-64329.patch
 
 %{?systemd_requires}
 
@@ -82,6 +83,9 @@ fi
 %config(noreplace) %{_sysconfdir}/containerd/config.toml
 
 %changelog
+* Wed Nov 12 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.7.7-10
+- Patch for CVE-2025-64329
+
 * Wed Apr 16 2025 Manuel Huber <mahuber@microsoft.com> - 1.7.7-9
 - Fix CVE-2024-40635
 
