* [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621
From: vanusuri @ 2025-11-10 11:30 UTC (permalink / raw)
To: meta-virtualization; +Cc: Vijay Anusuri
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
.../CVE-2024-25621.patch | 103 ++++++++++++++++++
.../containerd-opencontainers_git.bb | 1 +
2 files changed, 104 insertions(+)
create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
new file mode 100644
index 00000000..4ae9bb63
--- /dev/null
+++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
@@ -0,0 +1,103 @@
+From 0450f046e6942e513d0ebf1ef5c2aff13daa187f Mon Sep 17 00:00:00 2001
+From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Date: Mon, 27 Oct 2025 16:42:59 +0900
+Subject: [PATCH] Fix directory permissions
+
+- Create /var/lib/containerd with 0o700 (was: 0o711).
+- Create config.TempDir with 0o700 (was: 0o711).
+- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
+- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
+- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
+ as required by userns-remapped containers.
+ /run/containerd/io.containerd.runtime.v2.task/<NS>/<ID> is created with:
+ - 0o700 for non-userns-remapped containers
+ - 0o710 for userns-remapped containers with the remapped root group as the owner group.
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+
+Upstream-Status: Backport [https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f]
+CVE: CVE-2024-25621
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/cri/cri.go | 8 ++++++++
+ runtime/v2/manager.go | 2 ++
+ services/server/server.go | 14 ++++++++++++--
+ 3 files changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
+index 7182716b6..dec810196 100644
+--- a/pkg/cri/cri.go
++++ b/pkg/cri/cri.go
+@@ -19,6 +19,7 @@ package cri
+ import (
+ "flag"
+ "fmt"
++ "os"
+ "path/filepath"
+
+ "github.com/containerd/containerd"
+@@ -68,6 +69,13 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
+ return nil, fmt.Errorf("invalid plugin config: %w", err)
+ }
+
++ if err := os.MkdirAll(ic.State, 0700); err != nil {
++ return nil, err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0755
++ if err := os.Chmod(ic.State, 0700); err != nil {
++ return nil, err
++ }
+ c := criconfig.Config{
+ PluginConfig: *pluginConfig,
+ ContainerdRootDir: filepath.Dir(ic.Root),
+diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
+index 1927cbb3f..1f26bbeac 100644
+--- a/runtime/v2/manager.go
++++ b/runtime/v2/manager.go
+@@ -109,6 +109,8 @@ type ManagerConfig struct {
+ // NewShimManager creates a manager for v2 shims
+ func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
+ for _, d := range []string{config.Root, config.State} {
++ // root: the parent of this directory is created as 0700, not 0711.
++ // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
+ if err := os.MkdirAll(d, 0711); err != nil {
+ return nil, err
+ }
+diff --git a/services/server/server.go b/services/server/server.go
+index 857cc9c76..bc2ddbf1f 100644
+--- a/services/server/server.go
++++ b/services/server/server.go
+@@ -82,16 +82,26 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ return errors.New("root and state must be different paths")
+ }
+
+- if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
++ if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0700); err != nil {
+ return err
+ }
+
++ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
+ if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
+ return err
+ }
+
+ if config.TempDir != "" {
+- if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
++ if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0700); err != nil {
+ return err
+ }
+ if runtime.GOOS == "windows" {
+--
+2.25.1
+
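Review bot: In the `config.TempDir` branch of `CreateTopLevelDirectories` (services/server/server.go), the added upgrade chmod targets `config.Root` instead of the directory that was just created, so a `TempDir` left at 0o711 by an older release appears to keep its old mode. `sys.MkdirAllWithACL` is not shown here, but the comment above the call implies that it does not change the mode of an existing directory, which is why the chmod is needed at all. The line should read `if err := os.Chmod(config.TempDir, 0700); err != nil {`. If the upstream commit named in the patch header carries the same line, the fix is worth raising there as well. The function body continues outside the hunk.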
diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index dd621705..264d37a6 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -10,6 +10,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
file://CVE-2024-40635.patch \
+ file://CVE-2024-25621.patch \
"
# Apache-2.0 for containerd
--
2.25.1
* [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
From: vanusuri @ 2025-11-10 11:30 UTC (permalink / raw)
To: meta-virtualization; +Cc: Vijay Anusuri
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
.../CVE-2025-64329.patch | 80 +++++++++++++++++++
.../containerd-opencontainers_git.bb | 1 +
2 files changed, 81 insertions(+)
create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
new file mode 100644
index 00000000..a3cc5e85
--- /dev/null
+++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
@@ -0,0 +1,80 @@
+From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
+From: wheat2018 <1151937289@qq.com>
+Date: Tue, 13 Aug 2024 15:56:31 +0800
+Subject: [PATCH] fix goroutine leak of container Attach
+
+The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
+never finish if it attaches to a container without any stdout or stderr
+output. Wait for http context cancel and break the pipe actively to
+address the issue.
+
+Signed-off-by: wheat2018 <1151937289@qq.com>
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+
+Excluded pkg/cri/sbserver/container_attach.go changes as the file not
+present in our current vrsion 1.6.19
+
+Upstream-Status: Backport [https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
+CVE: CVE-2025-64329
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/cri/io/container_io.go | 14 +++++++++++---
+ pkg/cri/server/container_attach.go | 2 +-
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
+index 70bc8b789..e1584100f 100644
+--- a/pkg/cri/io/container_io.go
++++ b/pkg/cri/io/container_io.go
+@@ -17,6 +17,7 @@
+ package io
+
+ import (
++ "context"
+ "errors"
+ "io"
+ "strings"
+@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
+
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ var wg sync.WaitGroup
+ key := util.GenerateID()
+ stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
+ }
+
+ attachStream := func(key string, close <-chan struct{}) {
+- <-close
+- logrus.Infof("Attach stream %q closed", key)
++ select {
++ case <-close:
++ logrus.Infof("Attach stream %q closed", key)
++ case <-ctx.Done():
++ logrus.Infof("Attach client of %q cancelled", key)
++ // Avoid writeGroup heap up
++ c.stdoutGroup.Remove(key)
++ c.stderrGroup.Remove(key)
++ }
+ // Make sure stdin gets closed.
+ if stdinStreamRC != nil {
+ stdinStreamRC.Close()
+diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
+index a95215051..3625229f9 100644
+--- a/pkg/cri/server/container_attach.go
++++ b/pkg/cri/server/container_attach.go
+@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ },
+ }
+ // TODO(random-liu): Figure out whether we need to support historical output.
+- cntr.IO.Attach(opts)
++ cntr.IO.Attach(ctx, opts)
+ return nil
+ }
+--
+2.25.1
+
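Review bot: In the new `ctx.Done()` branch of `attachStream` (pkg/cri/io/container_io.go), `key` is the closure's own parameter, which shadows the `key := util.GenerateID()` declared at the top of `Attach`, and that single stream key is passed to both `c.stdoutGroup.Remove` and `c.stderrGroup.Remove`. Whether `Remove` on a group that never held the key is a harmless no-op is not visible in this hunk, so it should be confirmed, or the removal limited to the group the stream was added to. The comment would read better as `// Drop this client's writers so cancelled attaches do not accumulate in the writer groups.`, and the doc comment on `Attach` should state that cancelling `ctx` detaches the streams. The body of `Attach` starts and ends outside the hunks shown.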
diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index 264d37a6..05683d26 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
file://CVE-2024-40635.patch \
file://CVE-2024-25621.patch \
+ file://CVE-2025-64329.patch \
"
# Apache-2.0 for containerd
--
2.25.1
* Re: [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621
From: Bruce Ashfield @ 2025-11-19 23:28 UTC (permalink / raw)
To: vanusuri; +Cc: meta-virtualization
merged.
Bruce
In message: [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621
on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-Status: Backport from https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../CVE-2024-25621.patch | 103 ++++++++++++++++++
> .../containerd-opencontainers_git.bb | 1 +
> 2 files changed, 104 insertions(+)
> create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
>
> diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
> new file mode 100644
> index 00000000..4ae9bb63
> --- /dev/null
> +++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
> @@ -0,0 +1,103 @@
> +From 0450f046e6942e513d0ebf1ef5c2aff13daa187f Mon Sep 17 00:00:00 2001
> +From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +Date: Mon, 27 Oct 2025 16:42:59 +0900
> +Subject: [PATCH] Fix directory permissions
> +
> +- Create /var/lib/containerd with 0o700 (was: 0o711).
> +- Create config.TempDir with 0o700 (was: 0o711).
> +- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
> +- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
> +- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
> + as required by userns-remapped containers.
> + /run/containerd/io.containerd.runtime.v2.task/<NS>/<ID> is created with:
> + - 0o700 for non-userns-remapped containers
> + - 0o710 for userns-remapped containers with the remapped root group as the owner group.
> +
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +
> +Upstream-Status: Backport [https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f]
> +CVE: CVE-2024-25621
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/cri/cri.go | 8 ++++++++
> + runtime/v2/manager.go | 2 ++
> + services/server/server.go | 14 ++++++++++++--
> + 3 files changed, 22 insertions(+), 2 deletions(-)
> +
> +diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
> +index 7182716b6..dec810196 100644
> +--- a/pkg/cri/cri.go
> ++++ b/pkg/cri/cri.go
> +@@ -19,6 +19,7 @@ package cri
> + import (
> + "flag"
> + "fmt"
> ++ "os"
> + "path/filepath"
> +
> + "github.com/containerd/containerd"
> +@@ -68,6 +69,13 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
> + return nil, fmt.Errorf("invalid plugin config: %w", err)
> + }
> +
> ++ if err := os.MkdirAll(ic.State, 0700); err != nil {
> ++ return nil, err
> ++ }
> ++ // chmod is needed for upgrading from an older release that created the dir with 0755
> ++ if err := os.Chmod(ic.State, 0700); err != nil {
> ++ return nil, err
> ++ }
> + c := criconfig.Config{
> + PluginConfig: *pluginConfig,
> + ContainerdRootDir: filepath.Dir(ic.Root),
> +diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
> +index 1927cbb3f..1f26bbeac 100644
> +--- a/runtime/v2/manager.go
> ++++ b/runtime/v2/manager.go
> +@@ -109,6 +109,8 @@ type ManagerConfig struct {
> + // NewShimManager creates a manager for v2 shims
> + func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
> + for _, d := range []string{config.Root, config.State} {
> ++ // root: the parent of this directory is created as 0700, not 0711.
> ++ // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
> + if err := os.MkdirAll(d, 0711); err != nil {
> + return nil, err
> + }
> +diff --git a/services/server/server.go b/services/server/server.go
> +index 857cc9c76..bc2ddbf1f 100644
> +--- a/services/server/server.go
> ++++ b/services/server/server.go
> +@@ -82,16 +82,26 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
> + return errors.New("root and state must be different paths")
> + }
> +
> +- if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
> ++ if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
> ++ return err
> ++ }
> ++ // chmod is needed for upgrading from an older release that created the dir with 0o711
> ++ if err := os.Chmod(config.Root, 0700); err != nil {
> + return err
> + }
> +
> ++ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
> ++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
> + if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
> + return err
> + }
> +
> + if config.TempDir != "" {
> +- if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
> ++ if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
> ++ return err
> ++ }
> ++ // chmod is needed for upgrading from an older release that created the dir with 0o711
> ++ if err := os.Chmod(config.Root, 0700); err != nil {
> + return err
> + }
> + if runtime.GOOS == "windows" {
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
> index dd621705..264d37a6 100644
> --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> @@ -10,6 +10,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
> file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
> file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
> file://CVE-2024-40635.patch \
> + file://CVE-2024-25621.patch \
> "
>
> # Apache-2.0 for containerd
> --
> 2.25.1
>
>
>
In message: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-Status: Backport from https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../CVE-2025-64329.patch | 80 +++++++++++++++++++
> .../containerd-opencontainers_git.bb | 1 +
> 2 files changed, 81 insertions(+)
> create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
>
> diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> new file mode 100644
> index 00000000..a3cc5e85
> --- /dev/null
> +++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> @@ -0,0 +1,80 @@
> +From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
> +From: wheat2018 <1151937289@qq.com>
> +Date: Tue, 13 Aug 2024 15:56:31 +0800
> +Subject: [PATCH] fix goroutine leak of container Attach
> +
> +The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
> +never finish if it attaches to a container without any stdout or stderr
> +output. Wait for http context cancel and break the pipe actively to
> +address the issue.
> +
> +Signed-off-by: wheat2018 <1151937289@qq.com>
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +
> +Excluded pkg/cri/sbserver/container_attach.go changes as the file not
> +present in our current vrsion 1.6.19
> +
> +Upstream-Status: Backport [https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
> +CVE: CVE-2025-64329
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/cri/io/container_io.go | 14 +++++++++++---
> + pkg/cri/server/container_attach.go | 2 +-
> + 2 files changed, 12 insertions(+), 4 deletions(-)
> +
> +diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
> +index 70bc8b789..e1584100f 100644
> +--- a/pkg/cri/io/container_io.go
> ++++ b/pkg/cri/io/container_io.go
> +@@ -17,6 +17,7 @@
> + package io
> +
> + import (
> ++ "context"
> + "errors"
> + "io"
> + "strings"
> +@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
> +
> + // Attach attaches container stdio.
> + // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
> +-func (c *ContainerIO) Attach(opts AttachOptions) {
> ++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
> + var wg sync.WaitGroup
> + key := util.GenerateID()
> + stdinKey := streamKey(c.id, "attach-"+key, Stdin)
> +@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
> + }
> +
> + attachStream := func(key string, close <-chan struct{}) {
> +- <-close
> +- logrus.Infof("Attach stream %q closed", key)
> ++ select {
> ++ case <-close:
> ++ logrus.Infof("Attach stream %q closed", key)
> ++ case <-ctx.Done():
> ++ logrus.Infof("Attach client of %q cancelled", key)
> ++ // Avoid writeGroup heap up
> ++ c.stdoutGroup.Remove(key)
> ++ c.stderrGroup.Remove(key)
> ++ }
> + // Make sure stdin gets closed.
> + if stdinStreamRC != nil {
> + stdinStreamRC.Close()
> +diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
> +index a95215051..3625229f9 100644
> +--- a/pkg/cri/server/container_attach.go
> ++++ b/pkg/cri/server/container_attach.go
> +@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
> + },
> + }
> + // TODO(random-liu): Figure out whether we need to support historical output.
> +- cntr.IO.Attach(opts)
> ++ cntr.IO.Attach(ctx, opts)
> + return nil
> + }
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
> index 264d37a6..05683d26 100644
> --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> @@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
> file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
> file://CVE-2024-40635.patch \
> file://CVE-2024-25621.patch \
> + file://CVE-2025-64329.patch \
> "
>
> # Apache-2.0 for containerd
> --
> 2.25.1
>
>
>
* Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
From: Bruce Ashfield @ 2025-12-02 1:11 UTC (permalink / raw)
To: vanusuri; +Cc: meta-virtualization
This patch says 2/2, but I can't find patch 1/2. What was the
subject of 1/2 ? Or rather than just telling me the subject, if
you resend it, that would be great.
Bruce
In message: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-Status: Backport from https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../CVE-2025-64329.patch | 80 +++++++++++++++++++
> .../containerd-opencontainers_git.bb | 1 +
> 2 files changed, 81 insertions(+)
> create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
>
> diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> new file mode 100644
> index 00000000..a3cc5e85
> --- /dev/null
> +++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> @@ -0,0 +1,80 @@
> +From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
> +From: wheat2018 <1151937289@qq.com>
> +Date: Tue, 13 Aug 2024 15:56:31 +0800
> +Subject: [PATCH] fix goroutine leak of container Attach
> +
> +The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
> +never finish if it attaches to a container without any stdout or stderr
> +output. Wait for http context cancel and break the pipe actively to
> +address the issue.
> +
> +Signed-off-by: wheat2018 <1151937289@qq.com>
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +
> +Excluded pkg/cri/sbserver/container_attach.go changes as the file not
> +present in our current vrsion 1.6.19
> +
> +Upstream-Status: Backport [https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
> +CVE: CVE-2025-64329
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/cri/io/container_io.go | 14 +++++++++++---
> + pkg/cri/server/container_attach.go | 2 +-
> + 2 files changed, 12 insertions(+), 4 deletions(-)
> +
> +diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
> +index 70bc8b789..e1584100f 100644
> +--- a/pkg/cri/io/container_io.go
> ++++ b/pkg/cri/io/container_io.go
> +@@ -17,6 +17,7 @@
> + package io
> +
> + import (
> ++ "context"
> + "errors"
> + "io"
> + "strings"
> +@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
> +
> + // Attach attaches container stdio.
> + // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
> +-func (c *ContainerIO) Attach(opts AttachOptions) {
> ++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
> + var wg sync.WaitGroup
> + key := util.GenerateID()
> + stdinKey := streamKey(c.id, "attach-"+key, Stdin)
> +@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
> + }
> +
> + attachStream := func(key string, close <-chan struct{}) {
> +- <-close
> +- logrus.Infof("Attach stream %q closed", key)
> ++ select {
> ++ case <-close:
> ++ logrus.Infof("Attach stream %q closed", key)
> ++ case <-ctx.Done():
> ++ logrus.Infof("Attach client of %q cancelled", key)
> ++ // Avoid writeGroup heap up
> ++ c.stdoutGroup.Remove(key)
> ++ c.stderrGroup.Remove(key)
> ++ }
> + // Make sure stdin gets closed.
> + if stdinStreamRC != nil {
> + stdinStreamRC.Close()
> +diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
> +index a95215051..3625229f9 100644
> +--- a/pkg/cri/server/container_attach.go
> ++++ b/pkg/cri/server/container_attach.go
> +@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
> + },
> + }
> + // TODO(random-liu): Figure out whether we need to support historical output.
> +- cntr.IO.Attach(opts)
> ++ cntr.IO.Attach(ctx, opts)
> + return nil
> + }
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
> index 264d37a6..05683d26 100644
> --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> @@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
> file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
> file://CVE-2024-40635.patch \
> file://CVE-2024-25621.patch \
> + file://CVE-2025-64329.patch \
> "
>
> # Apache-2.0 for containerd
> --
> 2.25.1
>
>
>
* Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
From: Vijay Anusuri @ 2025-12-02 2:48 UTC (permalink / raw)
To: Bruce Ashfield; +Cc: meta-virtualization
Hi Bruce,
Patch 1/2 (containerd-opencontainers: fix CVE-2024-25621) appears to have
already been merged.
Patch 1/2 :
https://git.yoctoproject.org/meta-virtualization/commit/?h=kirkstone&id=9f4afbb21a91eab9917a25811f1d2ba7d223e071
Patch 2/2 :
https://git.yoctoproject.org/meta-virtualization/commit/?h=kirkstone&id=4da521b4440f57b10ba70091ee0e31b1085e665e
Since the patches were merged, I wanted to confirm with you before
resending them.
If you would still like me to resend the patches, I can do so.
Thanks & Regards,
Vijay
On Tue, Dec 2, 2025 at 6:41 AM Bruce Ashfield <bruce.ashfield@gmail.com>
wrote:
> This patch says 2/2, but I can't find patch 1/2. What was the
> subject of 1/2 ? Or rather than just telling me the subject, if
> you resend it, that would be great.
>
> Bruce
>
> In message: [meta-virtualization][kirkstone][PATCH 2/2]
> containerd-opencontainers: fix CVE-2025-64329
> on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
>
> > From: Vijay Anusuri <vanusuri@mvista.com>
> >
> > Upstream-Status: Backport from
> https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750
> >
> > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> > ---
> > .../CVE-2025-64329.patch | 80 +++++++++++++++++++
> > .../containerd-opencontainers_git.bb | 1 +
> > 2 files changed, 81 insertions(+)
> > create mode 100644
> recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> >
> > diff --git
> a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> > new file mode 100644
> > index 00000000..a3cc5e85
> > --- /dev/null
> > +++
> b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> > @@ -0,0 +1,80 @@
> > +From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
> > +From: wheat2018 <1151937289@qq.com>
> > +Date: Tue, 13 Aug 2024 15:56:31 +0800
> > +Subject: [PATCH] fix goroutine leak of container Attach
> > +
> > +The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
> > +never finish if it attaches to a container without any stdout or stderr
> > +output. Wait for http context cancel and break the pipe actively to
> > +address the issue.
> > +
> > +Signed-off-by: wheat2018 <1151937289@qq.com>
> > +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> > +(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
> > +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> > +
> > +Excluded pkg/cri/sbserver/container_attach.go changes as the file not
> > +present in our current vrsion 1.6.19
> > +
> > +Upstream-Status: Backport [
> https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750
> ]
> > +CVE: CVE-2025-64329
> > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> > +---
> > + pkg/cri/io/container_io.go | 14 +++++++++++---
> > + pkg/cri/server/container_attach.go | 2 +-
> > + 2 files changed, 12 insertions(+), 4 deletions(-)
> > +
> > +diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
> > +index 70bc8b789..e1584100f 100644
> > +--- a/pkg/cri/io/container_io.go
> > ++++ b/pkg/cri/io/container_io.go
> > +@@ -17,6 +17,7 @@
> > + package io
> > +
> > + import (
> > ++ "context"
> > + "errors"
> > + "io"
> > + "strings"
> > +@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
> > +
> > + // Attach attaches container stdio.
> > + // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
> > +-func (c *ContainerIO) Attach(opts AttachOptions) {
> > ++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
> > + var wg sync.WaitGroup
> > + key := util.GenerateID()
> > + stdinKey := streamKey(c.id, "attach-"+key, Stdin)
> > +@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
> > + }
> > +
> > + attachStream := func(key string, close <-chan struct{}) {
> > +- <-close
> > +- logrus.Infof("Attach stream %q closed", key)
> > ++ select {
> > ++ case <-close:
> > ++ logrus.Infof("Attach stream %q closed", key)
> > ++ case <-ctx.Done():
> > ++ logrus.Infof("Attach client of %q cancelled", key)
> > ++ // Avoid writeGroup heap up
> > ++ c.stdoutGroup.Remove(key)
> > ++ c.stderrGroup.Remove(key)
> > ++ }
> > + // Make sure stdin gets closed.
> > + if stdinStreamRC != nil {
> > + stdinStreamRC.Close()
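Review bot: In the new `ctx.Done()` branch of `attachStream`, the same `key` is removed from both `c.stdoutGroup` and `c.stderrGroup`, although the closure receives a single key and a single `close` channel, so one of the two `Remove` calls presumably targets a group that never held that key. Whether `Remove` is a no-op for an absent key is not visible here and should be confirmed against the 1.6.19 tree this backport targets. The comment `// Avoid writeGroup heap up` does not explain any of this; I would replace it with `// Client went away: drop its writers from both groups so they do not pile up; Remove must tolerate a key the group never held.`. The cleanup also fires only if the context handed to `Attach` is cancelled when the client disconnects, so every caller of the new signature has to pass the request context rather than a long-lived one. `Attach` starts and ends outside this hunk, and the same hunk is quoted again later in the thread.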
> > +diff --git a/pkg/cri/server/container_attach.go
> b/pkg/cri/server/container_attach.go
> > +index a95215051..3625229f9 100644
> > +--- a/pkg/cri/server/container_attach.go
> > ++++ b/pkg/cri/server/container_attach.go
> > +@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx
> context.Context, id string, stdin io.Re
> > + },
> > + }
> > + // TODO(random-liu): Figure out whether we need to support
> historical output.
> > +- cntr.IO.Attach(opts)
> > ++ cntr.IO.Attach(ctx, opts)
> > + return nil
> > + }
> > +--
> > +2.25.1
> > +
> > diff --git a/recipes-containers/containerd/
> containerd-opencontainers_git.bb b/recipes-containers/containerd/
> containerd-opencontainers_git.bb
> > index 264d37a6..05683d26 100644
> > --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> > +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> > @@ -11,6 +11,7 @@ SRC_URI = "git://
> github.com/containerd/containerd;branch=release/1.6;protocol=ht
> > file://0001-build-don-t-use-gcflags-to-define-trimpath.patch
> \
> > file://CVE-2024-40635.patch \
> > file://CVE-2024-25621.patch \
> > + file://CVE-2025-64329.patch \
> > "
> >
> > # Apache-2.0 for containerd
> > --
> > 2.25.1
> >
>
> >
> >
>
>
* Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
2025-12-02 2:48 ` Vijay Anusuri
@ 2025-12-02 4:45 ` Bruce Ashfield
0 siblings, 0 replies; 6+ messages in thread
From: Bruce Ashfield @ 2025-12-02 4:45 UTC (permalink / raw)
To: Vijay Anusuri; +Cc: meta-virtualization
It looks like I also merged this one. I see it on the branch now
that I've looked.
Bruce
In message: Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
on 02/12/2025 Vijay Anusuri wrote:
> Hi Bruce,
>
> Patch 1/2 (containerd-opencontainers: fix CVE-2024-25621) appears to have
> already been merged.
>
> Patch 1/2 : https://git.yoctoproject.org/meta-virtualization/commit/?h=
> kirkstone&id=9f4afbb21a91eab9917a25811f1d2ba7d223e071
> Patch 2/2 : https://git.yoctoproject.org/meta-virtualization/commit/?h=
> kirkstone&id=4da521b4440f57b10ba70091ee0e31b1085e665e
>
> Since the patches were merged, I wanted to confirm with you before resending
> them.
> If you would still like me to resend the patches, I can do so.
>
> Thanks & Regards,
> Vijay
>
> On Tue, Dec 2, 2025 at 6:41 AM Bruce Ashfield <bruce.ashfield@gmail.com> wrote:
>
> This patch says 2/2, but I can't find patch 1/2. What was the
> subject of 1/2 ? Or rather than just telling me the subject, if
> you resend it, that would be great.
>
> Bruce
>
> In message: [meta-virtualization][kirkstone][PATCH 2/2]
> containerd-opencontainers: fix CVE-2025-64329
> on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
>
> > From: Vijay Anusuri <vanusuri@mvista.com>
> >
> > Upstream-Status: Backport from https://github.com/containerd/containerd/
> commit/c575d1b5f4011f33b32f71ace75367a92b08c750
> >
> > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> > ---
> > .../CVE-2025-64329.patch | 80 +++++++++++++++++++
> > .../containerd-opencontainers_git.bb | 1 +
> > 2 files changed, 81 insertions(+)
> > create mode 100644 recipes-containers/containerd/
> containerd-opencontainers/CVE-2025-64329.patch
> >
> > diff --git a/recipes-containers/containerd/containerd-opencontainers/
> CVE-2025-64329.patch b/recipes-containers/containerd/
> containerd-opencontainers/CVE-2025-64329.patch
> > new file mode 100644
> > index 00000000..a3cc5e85
> > --- /dev/null
> > +++ b/recipes-containers/containerd/containerd-opencontainers/
> CVE-2025-64329.patch
> > @@ -0,0 +1,80 @@
> > +From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
> > +From: wheat2018 <1151937289@qq.com>
> > +Date: Tue, 13 Aug 2024 15:56:31 +0800
> > +Subject: [PATCH] fix goroutine leak of container Attach
> > +
> > +The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
> > +never finish if it attaches to a container without any stdout or stderr
> > +output. Wait for http context cancel and break the pipe actively to
> > +address the issue.
> > +
> > +Signed-off-by: wheat2018 <1151937289@qq.com>
> > +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> > +(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
> > +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> > +
> > +Excluded pkg/cri/sbserver/container_attach.go changes as the file not
> > +present in our current vrsion 1.6.19
> > +
> > +Upstream-Status: Backport [https://github.com/containerd/containerd/
> commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
> > +CVE: CVE-2025-64329
> > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> > +---
> > + pkg/cri/io/container_io.go | 14 +++++++++++---
> > + pkg/cri/server/container_attach.go | 2 +-
> > + 2 files changed, 12 insertions(+), 4 deletions(-)
> > +
> > +diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
> > +index 70bc8b789..e1584100f 100644
> > +--- a/pkg/cri/io/container_io.go
> > ++++ b/pkg/cri/io/container_io.go
> > +@@ -17,6 +17,7 @@
> > + package io
> > +
> > + import (
> > ++ "context"
> > + "errors"
> > + "io"
> > + "strings"
> > +@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
> > +
> > + // Attach attaches container stdio.
> > + // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
> > +-func (c *ContainerIO) Attach(opts AttachOptions) {
> > ++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
> > + var wg sync.WaitGroup
> > + key := util.GenerateID()
> > + stdinKey := streamKey(c.id, "attach-"+key, Stdin)
> > +@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
> > + }
> > +
> > + attachStream := func(key string, close <-chan struct{}) {
> > +- <-close
> > +- logrus.Infof("Attach stream %q closed", key)
> > ++ select {
> > ++ case <-close:
> > ++ logrus.Infof("Attach stream %q closed", key)
> > ++ case <-ctx.Done():
> > ++ logrus.Infof("Attach client of %q cancelled", key)
> > ++ // Avoid writeGroup heap up
> > ++ c.stdoutGroup.Remove(key)
> > ++ c.stderrGroup.Remove(key)
> > ++ }
> > + // Make sure stdin gets closed.
> > + if stdinStreamRC != nil {
> > + stdinStreamRC.Close()
> > +diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/
> container_attach.go
> > +index a95215051..3625229f9 100644
> > +--- a/pkg/cri/server/container_attach.go
> > ++++ b/pkg/cri/server/container_attach.go
> > +@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx
> context.Context, id string, stdin io.Re
> > + },
> > + }
> > + // TODO(random-liu): Figure out whether we need to support
> historical output.
> > +- cntr.IO.Attach(opts)
> > ++ cntr.IO.Attach(ctx, opts)
> > + return nil
> > + }
> > +--
> > +2.25.1
> > +
> > diff --git a/recipes-containers/containerd/
> containerd-opencontainers_git.bb b/recipes-containers/containerd/
> containerd-opencontainers_git.bb
> > index 264d37a6..05683d26 100644
> > --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> > +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> > @@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;
> branch=release/1.6;protocol=ht
> > file://0001-build-don-t-use-gcflags-to-define-trimpath.patch
> \
> > file://CVE-2024-40635.patch \
> > file://CVE-2024-25621.patch \
> > + file://CVE-2025-64329.patch \
> > "
> >
> > # Apache-2.0 for containerd
> > --
> > 2.25.1
> >
>
> >
> >
>
>