From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: peter.marko@siemens.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][scarthgap][PATCH] crun: patch CVE-2025-24965
Date: Thu, 6 Mar 2025 17:42:44 +0000	[thread overview]
Message-ID: <Z8nelIwqCGlwBdmS@gmail.com> (raw)
In-Reply-To: <20250228194421.54366-1-peter.marko@siemens.com>

merged.

Bruce

In message: [meta-virtualization][scarthgap][PATCH] crun: patch CVE-2025-24965
on 28/02/2025 Peter Marko via lists.yoctoproject.org wrote:

> From: Peter Marko <peter.marko@siemens.com>
> 
> Pick commit https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  .../crun/crun/CVE-2025-24965.patch            | 45 +++++++++++++++++++
>  recipes-containers/crun/crun_git.bb           |  1 +
>  2 files changed, 46 insertions(+)
>  create mode 100644 recipes-containers/crun/crun/CVE-2025-24965.patch
> 
> diff --git a/recipes-containers/crun/crun/CVE-2025-24965.patch b/recipes-containers/crun/crun/CVE-2025-24965.patch
> new file mode 100644
> index 00000000..8a8a8f64
> --- /dev/null
> +++ b/recipes-containers/crun/crun/CVE-2025-24965.patch
> @@ -0,0 +1,45 @@
> +From 0aec82c2b686f0b1793deed43b46524fe2e8b5a7 Mon Sep 17 00:00:00 2001
> +From: Giuseppe Scrivano <gscrivan@redhat.com>
> +Date: Tue, 4 Feb 2025 10:19:07 +0100
> +Subject: [PATCH] krun: fix CVE-2025-24965
> +
> +make sure the opened .krun_config.json is below the rootfs directory
> +and we don't follow any symlink.
> +
> +Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
> +
> +CVE: CVE-2025-24965
> +Upstream-Status: Backport [https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7]
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + src/libcrun/handlers/krun.c | 10 +++++++++-
> + 1 file changed, 9 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
> +index 804a17cb..3c7766ba 100644
> +--- a/src/libcrun/handlers/krun.c
> ++++ b/src/libcrun/handlers/krun.c
> +@@ -43,6 +43,8 @@
> + /* libkrun has a hard-limit of 8 vCPUs per microVM. */
> + #define LIBKRUN_MAX_VCPUS 8
> + 
> ++#define KRUN_CONFIG_FILE ".krun_config.json"
> ++
> + struct krun_config
> + {
> +   void *handle;
> +@@ -207,7 +209,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
> +       if (UNLIKELY (ret < 0))
> +         return ret;
> + 
> +-      ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
> ++      /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user.  We
> ++         must ensure the file is opened below the rootfs directory.  */
> ++      fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);
> ++      if (UNLIKELY (fd < 0))
> ++        return fd;
> ++
> ++      ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
> +       if (UNLIKELY (ret < 0))
> +         return ret;
> +     }
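Review bot: in the second embedded hunk, `fd` is assigned by `fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);` but is neither declared nor closed anywhere in the visible lines, and the early `return ret;` after `safe_write` would leak the descriptor unless `fd` is declared with a cleanup-on-scope-exit attribute in the surrounding code. Since this is a backport from a newer upstream tree into the v1.14.3 sources pinned by the recipe (`PV = "v1.14.3+git${SRCREV_crun}"`), please confirm that the target tree declares `fd` that way and that `safe_openat` and `safe_write` exist there with exactly these signatures; otherwise the patch applies but do_compile fails or the descriptor leaks on the error path. The comment and `O_NOFOLLOW` together make the intent clear (refuse a symlinked `.krun_config.json` and keep the open below the rootfs), which matches the commit message.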
> diff --git a/recipes-containers/crun/crun_git.bb b/recipes-containers/crun/crun_git.bb
> index 89ba21b4..8d72e5f6 100644
> --- a/recipes-containers/crun/crun_git.bb
> +++ b/recipes-containers/crun/crun_git.bb
> @@ -15,6 +15,7 @@ SRC_URI = "git://github.com/containers/crun.git;branch=main;name=crun;protocol=h
>             git://github.com/opencontainers/runtime-spec.git;branch=main;name=rspec;destsuffix=git/libocispec/runtime-spec;protocol=https \
>             git://github.com/opencontainers/image-spec.git;branch=main;name=ispec;destsuffix=git/libocispec/image-spec;protocol=https \
>             git://github.com/containers/yajl.git;branch=main;name=yajl;destsuffix=git/libocispec/yajl;protocol=https \
> +           file://CVE-2025-24965.patch \
>            "
>  
>  PV = "v1.14.3+git${SRCREV_crun}"
