Yocto Meta Virtualization
From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Vijay Anusuri <vanusuri@mvista.com>
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
Date: Mon, 1 Dec 2025 23:45:59 -0500
Message-ID: <aS5vBydbPbyJW690@gmail.com>
In-Reply-To: <CANQUz19+66fM5nGVWzBR134c_VADBG5OKs_+fRXakY4bY0VpkQ@mail.gmail.com>

It looks like I also merged this one. I see it on the branch now
that I've looked.

Bruce

In message: Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
on 02/12/2025 Vijay Anusuri wrote:

> Hi Bruce,
> 
> Patch 1/2 (containerd-opencontainers: fix CVE-2024-25621) appears to have
> already been merged.
> 
> Patch 1/2 : https://git.yoctoproject.org/meta-virtualization/commit/?h=
> kirkstone&id=9f4afbb21a91eab9917a25811f1d2ba7d223e071
> Patch 2/2 : https://git.yoctoproject.org/meta-virtualization/commit/?h=
> kirkstone&id=4da521b4440f57b10ba70091ee0e31b1085e665e
> 
> Since the patches were merged, I wanted to confirm with you before resending
> them.
> If you would still like me to resend the patches, I can do so.
> 
> Thanks & Regards,
> Vijay
> 
> On Tue, Dec 2, 2025 at 6:41 AM Bruce Ashfield <bruce.ashfield@gmail.com> wrote:
> 
>     This patch says 2/2, but I can't find patch 1/2. What was the
>     subject of 1/2? Or rather than just telling me the subject, if
>     you resend it, that would be great.
> 
>     Bruce
> 
>     In message: [meta-virtualization][kirkstone][PATCH 2/2]
>     containerd-opencontainers: fix CVE-2025-64329
>     on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
> 
>     > From: Vijay Anusuri <vanusuri@mvista.com>
>     >
>     > Upstream-Status: Backport from https://github.com/containerd/containerd/
>     commit/c575d1b5f4011f33b32f71ace75367a92b08c750
>     >
>     > Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
>     > ---
>     >  .../CVE-2025-64329.patch                      | 80 +++++++++++++++++++
>     >  .../containerd-opencontainers_git.bb          |  1 +
>     >  2 files changed, 81 insertions(+)
>     >  create mode 100644 recipes-containers/containerd/
>     containerd-opencontainers/CVE-2025-64329.patch
>     >
>     > diff --git a/recipes-containers/containerd/containerd-opencontainers/
>     CVE-2025-64329.patch b/recipes-containers/containerd/
>     containerd-opencontainers/CVE-2025-64329.patch
>     > new file mode 100644
>     > index 00000000..a3cc5e85
>     > --- /dev/null
>     > +++ b/recipes-containers/containerd/containerd-opencontainers/
>     CVE-2025-64329.patch
>     > @@ -0,0 +1,80 @@
>     > +From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
>     > +From: wheat2018 <1151937289@qq.com>
>     > +Date: Tue, 13 Aug 2024 15:56:31 +0800
>     > +Subject: [PATCH] fix goroutine leak of container Attach
>     > +
>     > +The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
>     > +never finish if it attaches to a container without any stdout or stderr
>     > +output. Wait for http context cancel and break the pipe actively to
>     > +address the issue.
>     > +
>     > +Signed-off-by: wheat2018 <1151937289@qq.com>
>     > +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
>     > +(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
>     > +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
>     > +
>     > +Excluded pkg/cri/sbserver/container_attach.go changes as the file not
>     > +present in our current vrsion 1.6.19
>     > +
>     > +Upstream-Status: Backport [https://github.com/containerd/containerd/
>     commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
>     > +CVE: CVE-2025-64329
>     > +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
>     > +---
>     > + pkg/cri/io/container_io.go         | 14 +++++++++++---
>     > + pkg/cri/server/container_attach.go |  2 +-
>     > + 2 files changed, 12 insertions(+), 4 deletions(-)
>     > +
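Review bot: the backport note "+present in our current vrsion 1.6.19" has a typo ("vrsion" for "version"), and the header should also say how this commit maps to the CVE it claims to fix: the upstream change is dated 13 Aug 2024 and is titled as a goroutine-leak fix, while the tag is CVE-2025-64329, so a reader of the recipe has nothing in the header that ties the two together. Adding the advisory reference next to the "CVE:" line would make the tag verifiable.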
>     > +diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
>     > +index 70bc8b789..e1584100f 100644
>     > +--- a/pkg/cri/io/container_io.go
>     > ++++ b/pkg/cri/io/container_io.go
>     > +@@ -17,6 +17,7 @@
>     > + package io
>     > +
>     > + import (
>     > ++    "context"
>     > +     "errors"
>     > +     "io"
>     > +     "strings"
>     > +@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
>     > +
>     > + // Attach attaches container stdio.
>     > + // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
>     > +-func (c *ContainerIO) Attach(opts AttachOptions) {
>     > ++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
>     > +     var wg sync.WaitGroup
>     > +     key := util.GenerateID()
>     > +     stdinKey := streamKey(c.id, "attach-"+key, Stdin)
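Review bot: changing the signature to "func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions)" breaks every other caller of Attach, and the header says the pkg/cri/sbserver/container_attach.go part of the upstream commit was dropped because that file does not exist in 1.6.19. Please confirm (a grep for ".Attach(" in pkg/cri, or simply the do_compile of the recipe) that pkg/cri/server/container_attach.go is the only caller in this tree, otherwise the build fails rather than the leak being fixed.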
>     > +@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
>     > +     }
>     > +
>     > +     attachStream := func(key string, close <-chan struct{}) {
>     > +-            <-close
>     > +-            logrus.Infof("Attach stream %q closed", key)
>     > ++            select {
>     > ++            case <-close:
>     > ++                    logrus.Infof("Attach stream %q closed", key)
>     > ++            case <-ctx.Done():
>     > ++                    logrus.Infof("Attach client of %q cancelled", key)
>     > ++                    // Avoid writeGroup heap up
>     > ++                    c.stdoutGroup.Remove(key)
>     > ++                    c.stderrGroup.Remove(key)
>     > ++            }
>     > +             // Make sure stdin gets closed.
>     > +             if stdinStreamRC != nil {
>     > +                     stdinStreamRC.Close()
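Review bot: in the "case <-ctx.Done():" branch both "c.stdoutGroup.Remove(key)" and "c.stderrGroup.Remove(key)" are called with the same key, although each attachStream invocation appears to be started per stream (the visible "stdinKey := streamKey(c.id, "attach-"+key, Stdin)" shows keys are per-stream), so one of the two Remove calls is always a miss and the branch relies on Remove tolerating an unknown key; a short comment saying so would help the next backporter. Minor: "// Avoid writeGroup heap up" would read better as "pile up". The rest of the function still runs after the select, so stdin is closed and wg.Done() is reached on the cancel path as well, which is the behaviour we want.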
>     > +diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/
>     container_attach.go
>     > +index a95215051..3625229f9 100644
>     > +--- a/pkg/cri/server/container_attach.go
>     > ++++ b/pkg/cri/server/container_attach.go
>     > +@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx
>     context.Context, id string, stdin io.Re
>     > +             },
>     > +     }
>     > +     // TODO(random-liu): Figure out whether we need to support
>     historical output.
>     > +-    cntr.IO.Attach(opts)
>     > ++    cntr.IO.Attach(ctx, opts)
>     > +     return nil
>     > + }
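Review bot: the fix only takes effect if the ctx passed in "cntr.IO.Attach(ctx, opts)" is cancelled when the streaming client disconnects. attachContainer receives that ctx from its caller, so please confirm in the 1.6.19 tree that it is the per-request context of the streaming server and not a background or long-lived one; with a non-cancelling context the select never takes the ctx.Done() branch and the monitor goroutine still leaks for containers that produce no stdout/stderr.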
>     > +--
>     > +2.25.1
>     > +
>     > diff --git a/recipes-containers/containerd/
>     containerd-opencontainers_git.bb b/recipes-containers/containerd/
>     containerd-opencontainers_git.bb
>     > index 264d37a6..05683d26 100644
>     > --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
>     > +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
>     > @@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;
>     branch=release/1.6;protocol=ht
>     >             file://0001-build-don-t-use-gcflags-to-define-trimpath.patch
>     \
>     >             file://CVE-2024-40635.patch \
>     >             file://CVE-2024-25621.patch \
>     > +           file://CVE-2025-64329.patch \
>     >            "
>     > 
>     >  # Apache-2.0 for containerd
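Review bot: the context lines show the new "file://CVE-2025-64329.patch \" is added directly after "file://CVE-2024-25621.patch \", which is itself introduced by patch 1/2 of this series, so 2/2 cannot apply without 1/2. That ordering dependency should be stated in the cover letter or commit message; it is exactly what caused the confusion in the replies above.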
>     > --
>     > 2.25.1
>     >
> 


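The leak described in the quoted commit message (a monitor goroutine parked on a close channel that never fires for a silent container, until the patch adds a second select case on the request context) is easy to reproduce in a few lines. The following is an added example, not code from containerd or from this patch: writerGroup is a deliberately simplified stand-in for containerd's stdoutGroup/stderrGroup, and attachBefore/attachAfter model only the monitor goroutine of Attach before and after the fix. It shows that, when the client goes away, the pre-patch monitor stays blocked and its writer stays registered, while the patched one exits and cleans up its group entry.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// writerGroup stands in for containerd's stdoutGroup/stderrGroup (a
// simplified model, not containerd's own type): each attached client is
// registered under a key, and the channel returned by Add is closed only
// when that writer is removed from the group.
type writerGroup struct {
	mu      sync.Mutex
	writers map[string]chan struct{}
}

func newWriterGroup() *writerGroup {
	return &writerGroup{writers: make(map[string]chan struct{})}
}

// Add registers a writer and returns the channel that fires on removal.
func (g *writerGroup) Add(key string) <-chan struct{} {
	g.mu.Lock()
	defer g.mu.Unlock()
	ch := make(chan struct{})
	g.writers[key] = ch
	return ch
}

// Remove drops a writer. In the real daemon this happens when a write to
// the client fails or the container exits; for a container that never
// writes, neither happens. Removing an unknown key is a no-op.
func (g *writerGroup) Remove(key string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if ch, ok := g.writers[key]; ok {
		close(ch)
		delete(g.writers, key)
	}
}

// Len returns the number of registered writers; leaked entries show up here.
func (g *writerGroup) Len() int {
	g.mu.Lock()
	defer g.mu.Unlock()
	return len(g.writers)
}

// attachBefore models the pre-patch monitor goroutine: it can only return
// once the group closes the writer, so a client disconnect is invisible.
func attachBefore(g *writerGroup, key string) <-chan struct{} {
	closed := g.Add(key)
	done := make(chan struct{})
	go func() {
		<-closed
		close(done)
	}()
	return done
}

// attachAfter models the patched monitor: it also returns when the request
// context is cancelled, and removes its own writer so the group does not grow.
func attachAfter(ctx context.Context, g *writerGroup, key string) <-chan struct{} {
	closed := g.Add(key)
	done := make(chan struct{})
	go func() {
		select {
		case <-closed:
		case <-ctx.Done():
			g.Remove(key)
		}
		close(done)
	}()
	return done
}

// exitedWithin reports whether the monitor finished before the timeout.
func exitedWithin(done <-chan struct{}, timeout time.Duration) bool {
	select {
	case <-done:
		return true
	case <-time.After(timeout):
		return false
	}
}

// Result is what a client disconnect leaves behind in each version.
type Result struct {
	MonitorExited bool
	WritersLeft   int
}

// Simulate attaches a client to a container that never writes, then
// disconnects it. The "before" variant has no context to cancel, which is
// the bug; the "after" variant is cancelled through ctx, which is the fix.
func Simulate() (before, after Result) {
	gb := newWriterGroup()
	doneB := attachBefore(gb, "attach-before")
	before = Result{MonitorExited: exitedWithin(doneB, 100*time.Millisecond), WritersLeft: gb.Len()}

	ga := newWriterGroup()
	ctx, cancel := context.WithCancel(context.Background())
	doneA := attachAfter(ctx, ga, "attach-after")
	cancel() // the client disconnect, propagated through the request context
	after = Result{MonitorExited: exitedWithin(doneA, 2*time.Second), WritersLeft: ga.Len()}
	return before, after
}

func main() {
	before, after := Simulate()
	fmt.Printf("before patch: monitor exited=%v, writers left=%d\n", before.MonitorExited, before.WritersLeft)
	fmt.Printf("after patch:  monitor exited=%v, writers left=%d\n", after.MonitorExited, after.WritersLeft)
}
```

The goroutine started by attachBefore is never collected for the lifetime of the process; on a real node every attach to a quiet container costs one such goroutine plus its group entry, which is the resource exhaustion the CVE describes. Note that the fix depends entirely on the context handed to Attach being the one cancelled on client disconnect.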
Thread overview: 6+ messages
2025-11-10 11:30 [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 vanusuri
2025-11-10 11:30 ` [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 vanusuri
2025-12-02  1:11   ` Bruce Ashfield
2025-12-02  2:48     ` Vijay Anusuri
2025-12-02  4:45       ` Bruce Ashfield [this message]
2025-11-19 23:28 ` [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 Bruce Ashfield
