[AutoPR- Security] Patch containerd2 for CVE-2025-64329 [MEDIUM] (microsoft#15041)

azurelinux-security · web-flow · commit f9c5e5648096 · 2025-11-10T12:30:10.000+05:30
diff --git a/SPECS/containerd2/CVE-2025-64329.patch b/SPECS/containerd2/CVE-2025-64329.patch
@@ -0,0 +1,73 @@
+From b9beeef78a6fd90ece5801780c45f550caf71b3d Mon Sep 17 00:00:00 2001
+From: wheat2018 <1151937289@qq.com>
+Date: Tue, 13 Aug 2024 15:56:31 +0800
+Subject: [PATCH] fix goroutine leak of container Attach
+
+The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
+never finish if it attaches to a container without any stdout or stderr
+output. Wait for http context cancel and break the pipe actively to
+address the issue.
+
+Signed-off-by: wheat2018 <1151937289@qq.com>
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df.patch
+---
+ internal/cri/io/container_io.go         | 14 +++++++++++---
+ internal/cri/server/container_attach.go |  2 +-
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/internal/cri/io/container_io.go b/internal/cri/io/container_io.go
+index 9fc5545..194634e 100644
+--- a/internal/cri/io/container_io.go
++++ b/internal/cri/io/container_io.go
+@@ -17,6 +17,7 @@
+ package io
+ 
+ import (
++	"context"
+ 	"errors"
+ 	"fmt"
+ 	"io"
+@@ -160,7 +161,7 @@ func (c *ContainerIO) Pipe() {
+ 
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ 	var wg sync.WaitGroup
+ 	key := util.GenerateID()
+ 	stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -201,8 +202,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
+ 	}
+ 
+ 	attachStream := func(key string, close <-chan struct{}) {
+-		<-close
+-		log.L.Infof("Attach stream %q closed", key)
++		select {
++		case <-close:
++			log.L.Infof("Attach stream %q closed", key)
++		case <-ctx.Done():
++			log.L.Infof("Attach client of %q cancelled", key)
++			// Avoid writeGroup heap up
++			c.stdoutGroup.Remove(key)
++			c.stderrGroup.Remove(key)
++		}
+ 		// Make sure stdin gets closed.
+ 		if stdinStreamRC != nil {
+ 			stdinStreamRC.Close()
+diff --git a/internal/cri/server/container_attach.go b/internal/cri/server/container_attach.go
+index 0147859..f4c3322 100644
+--- a/internal/cri/server/container_attach.go
++++ b/internal/cri/server/container_attach.go
+@@ -82,6 +82,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ 		},
+ 	}
+ 	// TODO(random-liu): Figure out whether we need to support historical output.
+-	cntr.IO.Attach(opts)
++	cntr.IO.Attach(ctx, opts)
+ 	return nil
+ }
+-- 
+2.45.4
+
diff --git a/SPECS/containerd2/containerd2.spec b/SPECS/containerd2/containerd2.spec
@@ -5,7 +5,7 @@
 Summary: Industry-standard container runtime
 Name: %{upstream_name}2
 Version: 2.0.0
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -23,6 +23,7 @@ Patch3:	CVE-2025-22872.patch
 Patch4:	CVE-2025-47291.patch
 Patch5:	multi-snapshotters-support.patch
 Patch6:	tardev-support.patch
+Patch7:	CVE-2025-64329.patch
 %{?systemd_requires}
 
 BuildRequires: golang < 1.25
@@ -98,6 +99,9 @@ fi
 %dir /opt/containerd/lib
 
 %changelog
+* Sat Nov 08 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.0.0-15
+- Patch for CVE-2025-64329
+
 * Sun Aug 31 2025 Andrew Phelps <anphel@microsoft.com> - 2.0.0-14
 - Set BR for golang to < 1.25
 
