From b3f5915db2c3d79208b7e3d54a650760a0f9bc56 Mon Sep 17 00:00:00 2001
From: zhihang
Date: Fri, 7 Mar 2025 02:28:03 +0000
Subject: [PATCH 1/2] Fix CVE-2025-24965

---
 0002-CVE-2025-24965.patch | 41 +++++++++++++++++++++++++++++++++++++++
 crun.spec | 6 +++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 0002-CVE-2025-24965.patch

diff --git a/0002-CVE-2025-24965.patch b/0002-CVE-2025-24965.patch
new file mode 100644
index 0000000..b15c78e
--- /dev/null
+++ b/0002-CVE-2025-24965.patch
@@ -0,0 +1,41 @@
+From b79b4ba532316faa0b4147bc4edb5e6f14f5f18d Mon Sep 17 00:00:00 2001
+From: zhihang
+Date: Fri, 7 Mar 2025 02:22:00 +0000
+Subject: [PATCH] CVE-2025-24965
+
+Signed-off-by: zhihang
+---
+ src/libcrun/handlers/krun.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
+index 0342a33..2437967 100644
+--- a/src/libcrun/handlers/krun.c
++++ b/src/libcrun/handlers/krun.c
+@@ -43,6 +43,8 @@
+ /* libkrun has a hard-limit of 8 vCPUs per microVM. */
+ #define LIBKRUN_MAX_VCPUS 8
+ 
++#define KRUN_CONFIG_FILE ".krun_config.json"
++
+ struct krun_config
+ {
+ void *handle;
+@@ -207,7 +209,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
+ if (UNLIKELY (ret < 0))
+ return ret;
+ 
+- ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
++ /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user. We
++ must ensure the file is opened below the rootfs directory. */
++ fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);
++ if (UNLIKELY (fd < 0))
++ return fd;
++
++ ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+ }
+--
+2.43.0
+
diff --git a/crun.spec b/crun.spec
index ac33ae0..6a3a3c6 100644
--- a/crun.spec
+++ b/crun.spec
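Review bot: In the second krun.c hunk of the embedded patch, `fd` is assigned from `safe_openat` but the backport neither declares nor closes it: no hunk adds a declaration (the 9 insertions are all visible here), so this only builds if libkrun_configure_container in the 1.8.7 tree already has an `fd` local, and unless that local carries `cleanup_close` the descriptor leaks on the `safe_write` error return and on the success path. The backport should carry the declaration the fix depends on, `cleanup_close int fd = -1;`, at the top of the function (outside this hunk). It also assumes `safe_openat`, `safe_write` and `WRITE_FILE_DEFAULT_FLAGS` exist in the 1.8.7 utils; if they were introduced after 1.8.7, those helpers need to be backported as well or the patch will not compile. The enclosing function starts and ends outside the hunk.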
@@ -1,10 +1,11 @@
 Name: crun
 Version: 1.8.7
-Release: 3
+Release: 4
 Summary: A fast and low-memory footprint OCI Container Runtime fully written in C.
 URL: https://github.com/containers/%{name}
 Patch1: 0001-tighten-check-in-check_fd_under_path.patch
+Patch2: . 0002-CVE-2025-24965.patch
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.xz
 License: GPL-2.0-only
@@ -57,6 +58,9 @@ rm -rf %{buildroot}%{_prefix}/lib*
 %{_mandir}/man1/*
 %changelog
+* Fri Mar 7 2025 zhihang - 1.8.7-4
+- Fix CVE-2025-24965
+
 * Fri Jul 19 2024 zhangxingrong- - 1.8.7-3
 - utils: tighten check in check_fd_under_path()
--
Gitee

From 6af860fb5c665882a35a0c58df0f4fef1e589a93 Mon Sep 17 00:00:00 2001
From: zhihang
Date: Fri, 7 Mar 2025 02:34:33 +0000
Subject: [PATCH 2/2] update crun.spec.

Signed-off-by: zhihang
---
 crun.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crun.spec b/crun.spec
index 6a3a3c6..265153d 100644
--- a/crun.spec
+++ b/crun.spec
@@ -5,7 +5,7 @@ Summary: A fast and low-memory footprint OCI Container Runtime fully wri
 URL: https://github.com/containers/%{name}
 Patch1: 0001-tighten-check-in-check_fd_under_path.patch
-Patch2: . 0002-CVE-2025-24965.patch
+Patch2: 0002-CVE-2025-24965.patch
 Source0: https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.xz
 License: GPL-2.0-only
--
Gitee