diff --git a/containerd.spec b/containerd.spec
index 87a460cc495fb29de7b36a3b8c62b8d913159b62..bc82d19f39307a4e5f78771797cf196f32e86acc 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version: 1.6.22
 Name: containerd
-Release: 24
+Release: 25
 Summary: An industry-standard container runtime
 License: ASL 2.0
 URL: https://containerd.io
@@ -68,6 +68,12 @@ install -D -p -m 0644 %{S:7} %{buildroot}%{_sysconfdir}/containerd/config.toml
 %exclude %{_bindir}/containerd-stress
 %changelog
+* Mon Nov 17 2025 dongyuzhen - 1.6.22-25
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2024-25621 and CVE-2025-64329
+
 * Tue Sep 23 2025 dongyuzhen - 1.6.22-24
 - Type:bugfix
 - ID:NA
diff --git a/git-commit b/git-commit
index 5a79cf69940bf37cfe700c25aabcc09c2143881f..631cfeddfdfea3deb114bef749afdad84577e628 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-09eaedc738251fa31ef7e06d71b8de78176c6ec7
+9e043a0f4c8eb82be0180fd4c6c98e3e5c1d6425
diff --git a/patch/0048-containerd-fix-CVE-2024-25621.patch b/patch/0048-containerd-fix-CVE-2024-25621.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2a074f09a6dcbcf000766912ab805576a8a87bc9
--- /dev/null
+++ b/patch/0048-containerd-fix-CVE-2024-25621.patch
@@ -0,0 +1,99 @@
+From 0450f046e6942e513d0ebf1ef5c2aff13daa187f Mon Sep 17 00:00:00 2001
+From: Akihiro Suda
+Date: Mon, 27 Oct 2025 16:42:59 +0900
+Subject: [PATCH] Fix directory permissions
+
+- Create /var/lib/containerd with 0o700 (was: 0o711).
+- Create config.TempDir with 0o700 (was: 0o711).
+- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
+- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
+- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
+ as required by userns-remapped containers.
+ /run/containerd/io.containerd.runtime.v2.task// is created with:
+ - 0o700 for non-userns-remapped containers
+ - 0o710 for userns-remapped containers with the remapped root group as the owner group.
+
+Signed-off-by: Akihiro Suda
+(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
+Signed-off-by: Akihiro Suda
+---
+ pkg/cri/cri.go | 8 ++++++++
+ runtime/v2/manager.go | 2 ++
+ services/server/server.go | 14 ++++++++++++--
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
+index f89b23b..f226c25 100644
+--- a/pkg/cri/cri.go
++++ b/pkg/cri/cri.go
+@@ -19,6 +19,7 @@ package cri
+ import (
+ "flag"
+ "fmt"
++ "os"
+ "path/filepath"
+
+ "github.com/containerd/containerd"
+@@ -68,6 +69,13 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
+ return nil, fmt.Errorf("invalid plugin config: %w", err)
+ }
+
++ if err := os.MkdirAll(ic.State, 0700); err != nil {
++ return nil, err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0755
++ if err := os.Chmod(ic.State, 0700); err != nil {
++ return nil, err
++ }
+ c := criconfig.Config{
+ PluginConfig: *pluginConfig,
+ ContainerdRootDir: filepath.Dir(ic.Root),
+diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
+index 1927cbb..1f26bbe 100644
+--- a/runtime/v2/manager.go
++++ b/runtime/v2/manager.go
+@@ -109,6 +109,8 @@ type ManagerConfig struct {
+ // NewShimManager creates a manager for v2 shims
+ func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
+ for _, d := range []string{config.Root, config.State} {
++ // root: the parent of this directory is created as 0700, not 0711.
++ // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
+ if err := os.MkdirAll(d, 0711); err != nil {
+ return nil, err
+ }
+diff --git a/services/server/server.go b/services/server/server.go
+index 28ce79a..c4607a1 100644
+--- a/services/server/server.go
++++ b/services/server/server.go
+@@ -82,16 +82,26 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ return errors.New("root and state must be different paths")
+ }
+
+- if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
++ if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0700); err != nil {
+ return err
+ }
+
++ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
+ if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
+ return err
+ }
+
+ if config.TempDir != "" {
+- if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
++ if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0700); err != nil {
+ return err
+ }
+ if runtime.GOOS == "windows" {
+--
+2.43.0
+
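Review bot: The upgrade chmod in the `config.TempDir` block at the bottom of the server.go hunk targets the wrong directory: `if err := os.Chmod(config.Root, 0700); err != nil {` re-chmods the root, which was already tightened a few lines earlier, and leaves a pre-existing TempDir at its old 0o711 on upgrade — exactly the case the comment above it says this line exists for. It should read `if err := os.Chmod(config.TempDir, 0700); err != nil {`. If this patch mirrors the upstream backport verbatim, the same slip is likely present upstream and is worth reporting rather than only fixing locally. Note also that on Windows `os.Chmod` only affects the read-only attribute, so the 0700 intent there rests on `sys.MkdirAllWithACL`'s ACL handling rather than on these chmod calls; the `runtime.GOOS == "windows"` branch that follows, and the rest of CreateTopLevelDirectories, lie outside the hunk.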
diff --git a/patch/0049-containerd-fix-CVE-2025-64329.patch b/patch/0049-containerd-fix-CVE-2025-64329.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6800740e1d536814b884f52e06c32b6e84a974b9
--- /dev/null
+++ b/patch/0049-containerd-fix-CVE-2025-64329.patch
@@ -0,0 +1,73 @@
+From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
+From: wheat2018 <1151937289@qq.com>
+Date: Tue, 13 Aug 2024 15:56:31 +0800
+Subject: [PATCH] fix goroutine leak of container Attach
+
+The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
+never finish if it attaches to a container without any stdout or stderr
+output. Wait for http context cancel and break the pipe actively to
+address the issue.
+
+Signed-off-by: wheat2018 <1151937289@qq.com>
+Signed-off-by: Akihiro Suda
+(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
+Signed-off-by: Akihiro Suda
+---
+ pkg/cri/io/container_io.go | 14 +++++++++++---
+ pkg/cri/server/container_attach.go | 2 +-
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
+index 70bc8b7..e158410 100644
+--- a/pkg/cri/io/container_io.go
++++ b/pkg/cri/io/container_io.go
+@@ -17,6 +17,7 @@
+ package io
+
+ import (
++ "context"
+ "errors"
+ "io"
+ "strings"
+@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
+
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ var wg sync.WaitGroup
+ key := util.GenerateID()
+ stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
+ }
+
+ attachStream := func(key string, close <-chan struct{}) {
+- <-close
+- logrus.Infof("Attach stream %q closed", key)
++ select {
++ case <-close:
++ logrus.Infof("Attach stream %q closed", key)
++ case <-ctx.Done():
++ logrus.Infof("Attach client of %q cancelled", key)
++ // Avoid writeGroup heap up
++ c.stdoutGroup.Remove(key)
++ c.stderrGroup.Remove(key)
++ }
+ // Make sure stdin gets closed.
+ if stdinStreamRC != nil {
+ stdinStreamRC.Close()
+diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
+index a952150..3625229 100644
+--- a/pkg/cri/server/container_attach.go
++++ b/pkg/cri/server/container_attach.go
+@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ },
+ }
+ // TODO(random-liu): Figure out whether we need to support historical output.
+- cntr.IO.Attach(opts)
++ cntr.IO.Attach(ctx, opts)
+ return nil
+ }
+--
+2.43.0
+
diff --git a/series.conf b/series.conf
index 98924630bae3a93d77f57ef6615105fdc78593ab..7d6792b3e1f35bb437bc88472e293f8c652d200f 100644
--- a/series.conf
+++ b/series.conf
@@ -44,3 +44,5 @@ patch/0044-containerd-fix-dead-loop.patch
 patch/0045-containerd-remove-limitnofile-from-containerd-service.patch
 patch/0046-containerd-Fix-ctr-snapshot-mount-produce-invalid-mount-command.patch
 patch/0047-containerd-cri-Fix-userns-with-Dockerfile-VOLUME-mounts.patch
+patch/0048-containerd-fix-CVE-2024-25621.patch
+patch/0049-containerd-fix-CVE-2025-64329.patch
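Review bot: The new `ctx` parameter on `Attach` carries the whole fix but is undocumented: the `<-ctx.Done()` arm only fires for a request-scoped context, so a caller that passes `context.Background()` silently reintroduces the leak this patch closes. I would extend the doc comment above the signature to `// Attach attaches container stdio. ctx must be scoped to the client's attach request: when it is cancelled the attach writers are removed from the stdout/stderr groups and stdin is closed, which is what frees the monitor goroutine for a container that never writes.` Separately, `attachStream` removes its key from both `c.stdoutGroup` and `c.stderrGroup` although each key presumably belongs to only one of them, and the removal may coincide with the group having already dropped the writer on a write error; `WriterGroup.Remove` is outside this hunk, so if it does not tolerate an absent key, pass the owning group into `attachStream` and remove from that group only. Attach's body continues past the end of the hunk.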