diff --git a/SPECS/moby-containerd-cc/CVE-2025-64329.patch b/SPECS/moby-containerd-cc/CVE-2025-64329.patch
new file mode 100644
index 00000000000..ed8635a0b39
--- /dev/null
+++ b/SPECS/moby-containerd-cc/CVE-2025-64329.patch
@@ -0,0 +1,68 @@
+From 711fc7f7388bdb317a813a791d9e8d38f725a85f Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 10 Nov 2025 03:04:25 +0000
+Subject: [PATCH] fix(cri): prevent goroutine leak in ContainerIO.Attach by
+ honoring ctx cancellation and removing writer group entries; plumb context
+ through attach call
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport from Build Backport-Build-ID-978512
+---
+ pkg/cri/io/container_io.go | 14 +++++++++++---
+ pkg/cri/server/container_attach.go | 2 +-
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
+index 70bc8b7..e158410 100644
+--- a/pkg/cri/io/container_io.go
++++ b/pkg/cri/io/container_io.go
+@@ -17,6 +17,7 @@
+ package io
+
+ import (
++ "context"
+ "errors"
+ "io"
+ "strings"
+@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
+
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ var wg sync.WaitGroup
+ key := util.GenerateID()
+ stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
+ }
+
+ attachStream := func(key string, close <-chan struct{}) {
+- <-close
+- logrus.Infof("Attach stream %q closed", key)
++ select {
++ case <-close:
++ logrus.Infof("Attach stream %q closed", key)
++ case <-ctx.Done():
++ logrus.Infof("Attach client of %q cancelled", key)
++ // Avoid writeGroup heap up
++ c.stdoutGroup.Remove(key)
++ c.stderrGroup.Remove(key)
++ }
+ // Make sure stdin gets closed.
+ if stdinStreamRC != nil {
+ stdinStreamRC.Close()
+diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
+index cd79f3b..aa6519a 100644
+--- a/pkg/cri/server/container_attach.go
++++ b/pkg/cri/server/container_attach.go
+@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ },
+ }
+ // TODO(random-liu): Figure out whether we need to support historical output.
+- cntr.IO.Attach(opts)
++ cntr.IO.Attach(ctx, opts)
+ return nil
+ }
+--
+2.45.4
+
diff --git a/SPECS/moby-containerd-cc/moby-containerd-cc.spec b/SPECS/moby-containerd-cc/moby-containerd-cc.spec
index 0a70fd57d48..b2f4b717044 100644
--- a/SPECS/moby-containerd-cc/moby-containerd-cc.spec
+++ b/SPECS/moby-containerd-cc/moby-containerd-cc.spec
@@ -6,7 +6,7 @@ Summary: Industry-standard container runtime for confidential containers
 Name: moby-%{upstream_name}
 Version: 1.7.7
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -25,6 +25,7 @@ Patch5: CVE-2023-45288.patch
 Patch7: CVE-2023-44487.patch
 Patch8: CVE-2025-27144.patch
 Patch9: CVE-2024-40635.patch
+Patch10:CVE-2025-64329.patch
 %{?systemd_requires}
@@ -82,6 +83,9 @@ fi
 %config(noreplace) %{_sysconfdir}/containerd/config.toml
 %changelog
+* Wed Nov 12 2025 Azure Linux Security Servicing Account - 1.7.7-10
+- Patch for CVE-2025-64329
+
 * Wed Apr 16 2025 Manuel Huber - 1.7.7-9
 - Fix CVE-2024-40635
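Review bot: In the new `case <-ctx.Done():` branch of `attachStream`, both `c.stdoutGroup.Remove(key)` and `c.stderrGroup.Remove(key)` are called with the single key this goroutine owns, yet stdout and stderr are registered under distinct keys (`stdoutKey`/`stderrKey`, set up above the hunk), so one of the two calls always targets a group that never held that key and is presumably a no-op — harmless, but it reads like a bug and should be made explicit by passing the owning group into the closure, e.g. `attachStream := func(group interface{ Remove(string) }, key string, close <-chan struct{})` with one `group.Remove(key)` in the cancel branch and the two `go attachStream(...)` call sites (outside the hunk) handing in `c.stdoutGroup` / `c.stderrGroup`. The comment `// Avoid writeGroup heap up` should say what is actually being prevented, e.g. `// Drop this attach's writer now: a client that went away would otherwise leave a dead writer, and this goroutine, parked in the group until the container exits.`. The fix is only as good as the ctx it receives: the caller hunk merely forwards `attachContainer`'s ctx, and whether that ctx is cancelled on client disconnect is decided by the streaming handler, which neither hunk shows, so that should be confirmed, and a regression test that cancels the ctx and asserts `Attach` returns and the group shrinks would pin the CVE-2025-64329 behaviour the commit message claims. `Attach` begins before and ends after the hunk.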