* [meta-virtualization][scarthgap][PATCH] crun: patch CVE-2025-24965
@ 2025-02-28 19:44 Peter Marko
2025-03-06 17:42 ` Bruce Ashfield
0 siblings, 1 reply; 2+ messages in thread
From: Peter Marko @ 2025-02-28 19:44 UTC (permalink / raw)
To: meta-virtualization; +Cc: Peter Marko
From: Peter Marko <peter.marko@siemens.com>
Pick commit https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
.../crun/crun/CVE-2025-24965.patch | 45 +++++++++++++++++++
recipes-containers/crun/crun_git.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 recipes-containers/crun/crun/CVE-2025-24965.patch
diff --git a/recipes-containers/crun/crun/CVE-2025-24965.patch b/recipes-containers/crun/crun/CVE-2025-24965.patch
new file mode 100644
index 00000000..8a8a8f64
--- /dev/null
+++ b/recipes-containers/crun/crun/CVE-2025-24965.patch
@@ -0,0 +1,45 @@
+From 0aec82c2b686f0b1793deed43b46524fe2e8b5a7 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Tue, 4 Feb 2025 10:19:07 +0100
+Subject: [PATCH] krun: fix CVE-2025-24965
+
+make sure the opened .krun_config.json is below the rootfs directory
+and we don't follow any symlink.
+
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+
+CVE: CVE-2025-24965
+Upstream-Status: Backport [https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/libcrun/handlers/krun.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
+index 804a17cb..3c7766ba 100644
+--- a/src/libcrun/handlers/krun.c
++++ b/src/libcrun/handlers/krun.c
+@@ -43,6 +43,8 @@
+ /* libkrun has a hard-limit of 8 vCPUs per microVM. */
+ #define LIBKRUN_MAX_VCPUS 8
+
++#define KRUN_CONFIG_FILE ".krun_config.json"
++
+ struct krun_config
+ {
+ void *handle;
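Review bot: the macro is introduced here with no hint of what the file is; a one-line comment next to `#define KRUN_CONFIG_FILE`, parallel to the one above `LIBKRUN_MAX_VCPUS`, saying it is the per-container config the handler writes into the rootfs would help the next reader of krun.c. Style only; keeping the name byte-identical to the old literal `.krun_config.json` is correct, since the file name is part of the handler's on-disk contract.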
+@@ -207,7 +209,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
+ if (UNLIKELY (ret < 0))
+ return ret;
+
+- ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
++ /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user. We
++ must ensure the file is opened below the rootfs directory. */
++ fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);
++ if (UNLIKELY (fd < 0))
++ return fd;
++
++ ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+ }
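Review bot: `fd` and `rootfs` are used in this hunk but neither is declared in the visible context, and no `close (fd)` appears after `safe_write`, so the backport relies on `libkrun_configure_container` in v1.14.3 already having both in scope and on `fd` being declared with crun's `cleanup_close` attribute; if it is a plain `int fd`, the descriptor leaks on the success path and on the `safe_write` failure path (`return ret`). Please confirm, for the scarthgap version, that `fd` and `rootfs` exist in that function and that `safe_openat (dirfd, dir, name, flags, mode, err)` and `safe_write (fd, name, buf, len, err)` are available with exactly these signatures: the `index 804a17cb..3c7766ba` line and the `@@ -207,7 +209,13` header were generated against the newer upstream tree, so a clean `git am` is not by itself evidence that the helpers match. Minor: `0700` gives a JSON file the execute bit and `0600` would be the usual mode, but since it is the upstream value it is reasonable to keep the backport identical to the upstream commit.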
diff --git a/recipes-containers/crun/crun_git.bb b/recipes-containers/crun/crun_git.bb
index 89ba21b4..8d72e5f6 100644
--- a/recipes-containers/crun/crun_git.bb
+++ b/recipes-containers/crun/crun_git.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/containers/crun.git;branch=main;name=crun;protocol=h
git://github.com/opencontainers/runtime-spec.git;branch=main;name=rspec;destsuffix=git/libocispec/runtime-spec;protocol=https \
git://github.com/opencontainers/image-spec.git;branch=main;name=ispec;destsuffix=git/libocispec/image-spec;protocol=https \
git://github.com/containers/yajl.git;branch=main;name=yajl;destsuffix=git/libocispec/yajl;protocol=https \
+ file://CVE-2025-24965.patch \
"
PV = "v1.14.3+git${SRCREV_crun}"
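Review bot: the patch lives in recipes-containers/crun/crun/, which is already on the default file search path for this recipe, so no FILESEXTRAPATHS change is needed and `file://CVE-2025-24965.patch` resolves as written. The `CVE: CVE-2025-24965` tag in the patch header is what cve-check uses to mark the CVE as patched for this PV (`v1.14.3+git${SRCREV_crun}`), so keep it if the patch is ever refreshed. Since the commit message only says "Pick commit" and the upstream change was written against a newer krun.c, a sentence noting that `do_patch` applies it on scarthgap without fuzz or rejects would make the backport easier to trust.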
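The commit message above states the fix in one sentence: the .krun_config.json written into the container rootfs must be opened below rootfs and without following symlinks, because the rootfs content comes from the image and is untrusted. As an added illustration, not crun's code and not part of this thread, the C program below builds a throwaway rootfs in which the image planted a symlink at that name pointing outside the rootfs, then performs the write once the naive way (plain openat + write, the pre-fix shape) and once with O_NOFOLLOW as the fix does, and reports where the bytes landed. The directory layout under /tmp and the helper names write_krun_config and run_scenario are this example's own; crun's safe_openat additionally takes the rootfs path so it can verify the opened file is below it, which this minimal example does not reproduce.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same file name the krun handler writes into the container rootfs. */
#define KRUN_CONFIG_FILE ".krun_config.json"

/* What one write attempt did to the constructed rootfs. */
enum outcome
{
  OUTSIDE_CLOBBERED = 1, /* write followed the symlink and landed outside rootfs */
  REFUSED_ELOOP = 2,     /* open refused the symlink with ELOOP (hardened path) */
  SETUP_FAILED = -1,
  OTHER_ERROR = -2,
};

/* Write `data` to KRUN_CONFIG_FILE relative to rootfsfd.  nofollow == 0 is a
 * plain openat()+write(), i.e. the pre-fix shape; nofollow != 0 adds
 * O_NOFOLLOW, the flag the upstream fix passes.  Returns 0 or -errno.
 * Illustrative helper for this example, not crun's write_file_at/safe_openat. */
static int write_krun_config (int rootfsfd, const char *data, int nofollow)
{
  int flags = O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC;
  if (nofollow)
    flags |= O_NOFOLLOW;

  int fd = openat (rootfsfd, KRUN_CONFIG_FILE, flags, 0600);
  if (fd < 0)
    return -errno;

  size_t len = strlen (data);
  ssize_t n = write (fd, data, len);
  int saved_errno = errno;
  close (fd);
  if (n < 0)
    return -saved_errno;
  return (size_t) n == len ? 0 : -EIO;
}

/* Constructed scenario: a rootfs whose untrusted content holds a symlink
 * .krun_config.json -> a file outside the rootfs.  Runs one write attempt
 * and reports whether the outside file was overwritten. */
int run_scenario (int nofollow)
{
  char base[] = "/tmp/krun-nofollow-XXXXXX";
  char rootfs[4096], outside[4096], link[4096];
  struct stat st;
  int rootfsfd = -1, ofd, rc, clobbered;
  enum outcome result = SETUP_FAILED;

  if (mkdtemp (base) == NULL)
    return SETUP_FAILED;
  snprintf (rootfs, sizeof rootfs, "%s/rootfs", base);
  snprintf (outside, sizeof outside, "%s/outside.txt", base);
  snprintf (link, sizeof link, "%s/%s", rootfs, KRUN_CONFIG_FILE);

  if (mkdir (rootfs, 0700) != 0)
    goto cleanup;
  ofd = open (outside, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* empty target */
  if (ofd < 0)
    goto cleanup;
  close (ofd);
  if (symlink (outside, link) != 0) /* image-controlled rootfs content */
    goto cleanup;
  rootfsfd = open (rootfs, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
  if (rootfsfd < 0)
    goto cleanup;

  rc = write_krun_config (rootfsfd, "{\"vcpus\": 1}", nofollow);
  clobbered = stat (outside, &st) == 0 && st.st_size > 0;

  if (rc == -ELOOP && ! clobbered)
    result = REFUSED_ELOOP;
  else if (rc == 0 && clobbered)
    result = OUTSIDE_CLOBBERED;
  else
    result = OTHER_ERROR;

cleanup:
  if (rootfsfd >= 0)
    close (rootfsfd);
  unlink (link);
  unlink (outside);
  rmdir (rootfs);
  rmdir (base);
  return result;
}

int main (void)
{
  printf ("naive openat:      %s\n",
          run_scenario (0) == OUTSIDE_CLOBBERED ? "wrote OUTSIDE rootfs" : "unexpected");
  printf ("openat|O_NOFOLLOW: %s\n",
          run_scenario (1) == REFUSED_ELOOP ? "refused (ELOOP)" : "unexpected");
  return 0;
}
```

O_NOFOLLOW only protects the final path component; here the name has no directory part, so that is sufficient, but a file several levels below rootfs would also need every intermediate directory checked. On Linux 5.6 and later the general form of that check is openat2() with RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS, which rejects symlinks and ".." escapes in any component.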
* Re: [meta-virtualization][scarthgap][PATCH] crun: patch CVE-2025-24965
2025-02-28 19:44 [meta-virtualization][scarthgap][PATCH] crun: patch CVE-2025-24965 Peter Marko
@ 2025-03-06 17:42 ` Bruce Ashfield
0 siblings, 0 replies; 2+ messages in thread
From: Bruce Ashfield @ 2025-03-06 17:42 UTC (permalink / raw)
To: peter.marko; +Cc: meta-virtualization
merged.
Bruce
In message: [meta-virtualization][scarthgap][PATCH] crun: patch CVE-2025-24965
on 28/02/2025 Peter Marko via lists.yoctoproject.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> Pick commit https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> .../crun/crun/CVE-2025-24965.patch | 45 +++++++++++++++++++
> recipes-containers/crun/crun_git.bb | 1 +
> 2 files changed, 46 insertions(+)
> create mode 100644 recipes-containers/crun/crun/CVE-2025-24965.patch
>
> diff --git a/recipes-containers/crun/crun/CVE-2025-24965.patch b/recipes-containers/crun/crun/CVE-2025-24965.patch
> new file mode 100644
> index 00000000..8a8a8f64
> --- /dev/null
> +++ b/recipes-containers/crun/crun/CVE-2025-24965.patch
> @@ -0,0 +1,45 @@
> +From 0aec82c2b686f0b1793deed43b46524fe2e8b5a7 Mon Sep 17 00:00:00 2001
> +From: Giuseppe Scrivano <gscrivan@redhat.com>
> +Date: Tue, 4 Feb 2025 10:19:07 +0100
> +Subject: [PATCH] krun: fix CVE-2025-24965
> +
> +make sure the opened .krun_config.json is below the rootfs directory
> +and we don't follow any symlink.
> +
> +Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
> +
> +CVE: CVE-2025-24965
> +Upstream-Status: Backport [https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7]
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + src/libcrun/handlers/krun.c | 10 +++++++++-
> + 1 file changed, 9 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
> +index 804a17cb..3c7766ba 100644
> +--- a/src/libcrun/handlers/krun.c
> ++++ b/src/libcrun/handlers/krun.c
> +@@ -43,6 +43,8 @@
> + /* libkrun has a hard-limit of 8 vCPUs per microVM. */
> + #define LIBKRUN_MAX_VCPUS 8
> +
> ++#define KRUN_CONFIG_FILE ".krun_config.json"
> ++
> + struct krun_config
> + {
> + void *handle;
> +@@ -207,7 +209,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
> + if (UNLIKELY (ret < 0))
> + return ret;
> +
> +- ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
> ++ /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user. We
> ++ must ensure the file is opened below the rootfs directory. */
> ++ fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);
> ++ if (UNLIKELY (fd < 0))
> ++ return fd;
> ++
> ++ ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
> + if (UNLIKELY (ret < 0))
> + return ret;
> + }
> diff --git a/recipes-containers/crun/crun_git.bb b/recipes-containers/crun/crun_git.bb
> index 89ba21b4..8d72e5f6 100644
> --- a/recipes-containers/crun/crun_git.bb
> +++ b/recipes-containers/crun/crun_git.bb
> @@ -15,6 +15,7 @@ SRC_URI = "git://github.com/containers/crun.git;branch=main;name=crun;protocol=h
> git://github.com/opencontainers/runtime-spec.git;branch=main;name=rspec;destsuffix=git/libocispec/runtime-spec;protocol=https \
> git://github.com/opencontainers/image-spec.git;branch=main;name=ispec;destsuffix=git/libocispec/image-spec;protocol=https \
> git://github.com/containers/yajl.git;branch=main;name=yajl;destsuffix=git/libocispec/yajl;protocol=https \
> + file://CVE-2025-24965.patch \
> "
>
> PV = "v1.14.3+git${SRCREV_crun}"
>