diff --git a/SPECS/moby-containerd-cc/CVE-2024-25621.patch b/SPECS/moby-containerd-cc/CVE-2024-25621.patch
new file mode 100644
index 00000000000..d802c70669f
--- /dev/null
+++ b/SPECS/moby-containerd-cc/CVE-2024-25621.patch
@@ -0,0 +1,74 @@
+From 138f8e68f27026bbd6b621c3b7b1d35aff83ff06 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Tue, 11 Nov 2025 11:30:16 +0000
+Subject: [PATCH] Fix directory permissions
+
+- Create /var/lib/containerd with 0o700 (was: 0o711).
+- Create config.TempDir with 0o700 (was: 0o711).
+- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
+ as required by userns-remapped containers.
+ /run/containerd/io.containerd.runtime.v2.task// is created with:
+ - 0o700 for non-userns-remapped containers
+ - 0o710 for userns-remapped containers with the remapped root group as the owner group.
+
+Also add chmod for upgrades and explanatory comments.
+
+Signed-off-by: AllSpark
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport from Build Backport-Build-ID-979495
+---
+ runtime/v2/manager.go | 3 +++
+ services/server/server.go | 16 +++++++++++++---
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
+index 73e1af7..f49911d 100644
+--- a/runtime/v2/manager.go
++++ b/runtime/v2/manager.go
+@@ -133,6 +133,9 @@ type ManagerConfig struct {
+ // NewShimManager creates a manager for v2 shims
+ func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
+ for _, d := range []string{config.Root, config.State} {
++ // root: the parent of this directory is created as 0o700, not 0o711.
++ // state: the parent of this directory is created as 0o711 too, so as to support userns-remapped containers.
++
+ if err := os.MkdirAll(d, 0711); err != nil {
+ return nil, err
+ }
+diff --git a/services/server/server.go b/services/server/server.go
+index 2a548ef..bac2c2f 100644
+--- a/services/server/server.go
++++ b/services/server/server.go
+@@ -72,16 +72,26 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ return errors.New("root and state must be different paths")
+ }
+
+- if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
++ if err := sys.MkdirAllWithACL(config.Root, 0o700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0o700); err != nil {
+ return err
+ }
+
+- if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
++ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
++ if err := sys.MkdirAllWithACL(config.State, 0o711); err != nil {
+ return err
+ }
+
+ if config.TempDir != "" {
+- if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
++ if err := sys.MkdirAllWithACL(config.TempDir, 0o700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0o700); err != nil {
+ return err
+ }
+ if runtime.GOOS == "windows" {
+--
+2.45.4
+
diff --git a/SPECS/moby-containerd-cc/CVE-2025-64329.patch b/SPECS/moby-containerd-cc/CVE-2025-64329.patch
new file mode 100644
index 00000000000..8265355fb7f
--- /dev/null
+++ b/SPECS/moby-containerd-cc/CVE-2025-64329.patch
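Review bot: The upgrade chmod in the TempDir branch of CreateTopLevelDirectories operates on the wrong directory: inside `if config.TempDir != "" {` the new line reads `if err := os.Chmod(config.Root, 0o700); err != nil {`, so a temp dir created as 0o711 by an earlier release keeps those bits after the upgrade, which is the very case the comment above it says the chmod is for, while the root dir is simply chmodded a second time. It should be `if err := os.Chmod(config.TempDir, 0o700); err != nil {`. The patch description promises the upgrade chmod for both directories, so this looks like a copy-paste slip in the backport rather than a deliberate choice and is worth diffing against the upstream fix before this spec ships. In the manager.go hunk the two new comments are separated from the `os.MkdirAll(d, 0711)` they explain by an added blank line; dropping it keeps each comment attached to the statement it documents. Both functions continue past the hunk.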
@@ -0,0 +1,81 @@
+From bd7945290c48fe7df42c3abd09b3a3f0f7290b3c Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Wed, 12 Nov 2025 10:45:32 +0000
+Subject: [PATCH] fix: prevent goroutine leak in Attach by handling context
+ cancellation and removing writer group entries; change Attach signature to
+ accept context and update call sites
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/containerd/containerd/commit/083b53cd6f19b5de7717b0ce92c11bdf95e612df.patch
+---
+ pkg/cri/io/container_io.go | 14 +++++++++++---
+ pkg/cri/sbserver/container_attach.go | 2 +-
+ pkg/cri/server/container_attach.go | 2 +-
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
+index 70bc8b7..e158410 100644
+--- a/pkg/cri/io/container_io.go
++++ b/pkg/cri/io/container_io.go
+@@ -17,6 +17,7 @@
+ package io
+
+ import (
++ "context"
+ "errors"
+ "io"
+ "strings"
+@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
+
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ var wg sync.WaitGroup
+ key := util.GenerateID()
+ stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
+ }
+
+ attachStream := func(key string, close <-chan struct{}) {
+- <-close
+- logrus.Infof("Attach stream %q closed", key)
++ select {
++ case <-close:
++ logrus.Infof("Attach stream %q closed", key)
++ case <-ctx.Done():
++ logrus.Infof("Attach client of %q cancelled", key)
++ // Avoid writeGroup heap up
++ c.stdoutGroup.Remove(key)
++ c.stderrGroup.Remove(key)
++ }
+ // Make sure stdin gets closed.
+ if stdinStreamRC != nil {
+ stdinStreamRC.Close()
+diff --git a/pkg/cri/sbserver/container_attach.go b/pkg/cri/sbserver/container_attach.go
+index 56f69c6..b2a534a 100644
+--- a/pkg/cri/sbserver/container_attach.go
++++ b/pkg/cri/sbserver/container_attach.go
+@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ },
+ }
+ // TODO(random-liu): Figure out whether we need to support historical output.
+- cntr.IO.Attach(opts)
++ cntr.IO.Attach(ctx, opts)
+ return nil
+ }
+diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
+index cd79f3b..aa6519a 100644
+--- a/pkg/cri/server/container_attach.go
++++ b/pkg/cri/server/container_attach.go
+@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ },
+ }
+ // TODO(random-liu): Figure out whether we need to support historical output.
+- cntr.IO.Attach(opts)
++ cntr.IO.Attach(ctx, opts)
+ return nil
+ }
+--
+2.45.4
+
diff --git a/SPECS/moby-containerd-cc/moby-containerd-cc.spec b/SPECS/moby-containerd-cc/moby-containerd-cc.spec
index dd7fb434d29..f00e6936e87 100644
--- a/SPECS/moby-containerd-cc/moby-containerd-cc.spec
+++ b/SPECS/moby-containerd-cc/moby-containerd-cc.spec
@@ -6,7 +6,7 @@ Summary: Industry-standard container runtime for confidential containers
 Name: moby-%{upstream_name}
 Version: 1.7.7
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -24,6 +24,8 @@ Patch5: CVE-2024-24786.patch
 Patch6: CVE-2024-28180.patch
 Patch7: CVE-2025-27144.patch
 Patch8: CVE-2024-40635.patch
+Patch9: CVE-2024-25621.patch
+Patch10:CVE-2025-64329.patch
 %{?systemd_requires}
@@ -84,6 +86,9 @@ fi
 %config(noreplace) %{_sysconfdir}/containerd/config.toml
 %changelog
+* Wed Nov 12 2025 Azure Linux Security Servicing Account - 1.7.7-13
+- Patch for CVE-2025-64329, CVE-2024-25621
+
 * Thu Sep 04 2025 Akhila Guruju - 1.7.7-12
 - Bump release to rebuild with golang
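Review bot: The doc comment on Attach still reads `// Attach attaches container stdio.` although the new ctx parameter now has observable behaviour in the select below; extend it to something like `// Attach attaches container stdio. Cancelling ctx detaches the streams: their writers are removed from the stdout/stderr write groups and stdin is closed.` The comment `// Avoid writeGroup heap up` is hard to parse; `// Drop this attach's writers so a cancelled client does not leave stale entries in the write groups` states what the two Remove calls are for. Judging by the per-stream `stdinKey := streamKey(c.id, "attach-"+key, Stdin)` line in the earlier hunk, each attachStream goroutine is likely started with its own stdout or stderr key, so the ctx.Done branch removes that key from both groups, one of which never held it; harmless if Remove tolerates unknown keys, but a short comment saying so, or removing only from the owning group, would make the intent clear. The sbserver and server call sites just thread ctx through and look right. Attach's body continues outside the hunk.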
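Review bot: `Patch10:CVE-2025-64329.patch` is missing the space after the tag that every other `PatchN:` line in this block has. rpm accepts the form, but `Patch10: CVE-2025-64329.patch` keeps the list consistent and avoids surprising tooling that matches on the `PatchN: ` layout.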