From ea78333d003178a3ac678398a43432c1872bbf48 Mon Sep 17 00:00:00 2001
From: zhihang <zhihang161013@outlook.com>
Date: Mon, 10 Mar 2025 01:59:22 +0000
Subject: [PATCH] Fix CVE-2025-24965

---
 0001-CVE-2025-24965.patch | 41 +++++++++++++++++++++++++++++++++++++++
 crun.spec                 |  8 +++++++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 0001-CVE-2025-24965.patch

diff --git a/0001-CVE-2025-24965.patch b/0001-CVE-2025-24965.patch
new file mode 100644
index 0000000..b15c78e
--- /dev/null
+++ b/0001-CVE-2025-24965.patch
@@ -0,0 +1,41 @@
+From b79b4ba532316faa0b4147bc4edb5e6f14f5f18d Mon Sep 17 00:00:00 2001
+From: zhihang <zhihang161013@outlook.com>
+Date: Fri, 7 Mar 2025 02:22:00 +0000
+Subject: [PATCH] CVE-2025-24965
+
+Signed-off-by: zhihang <zhihang161013@outlook.com>
+---
+ src/libcrun/handlers/krun.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
+index 0342a33..2437967 100644
+--- a/src/libcrun/handlers/krun.c
++++ b/src/libcrun/handlers/krun.c
+@@ -43,6 +43,8 @@
+ /* libkrun has a hard-limit of 8 vCPUs per microVM. */
+ #define LIBKRUN_MAX_VCPUS 8
+ 
++#define KRUN_CONFIG_FILE ".krun_config.json"
++
+ struct krun_config
+ {
+   void *handle;
+@@ -207,7 +209,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
+       if (UNLIKELY (ret < 0))
+         return ret;
+ 
+-      ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
++      /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user.  We
++         must ensure the file is opened below the rootfs directory.  */
++      fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);
++      if (UNLIKELY (fd < 0))
++        return fd;
++
++      ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
+       if (UNLIKELY (ret < 0))
+         return ret;
+     }
+-- 
+2.43.0
+
diff --git a/crun.spec b/crun.spec
index 76c87ed..1f5b2f5 100644
--- a/crun.spec
+++ b/crun.spec
@@ -1,8 +1,11 @@
 Name:            crun
 Version:         1.4.5
-Release:         1
+Release:         2
 Summary:         A fast and low-memory footprint OCI Container Runtime fully written in C.
 URL:             https://github.com/containers/%{name}
+
+Patch1: 	 0001-CVE-2025-24965.patch
+
 Source0:         https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.xz
 License:         GPLv2+ and LGPLv2.1+
 BuildRequires:   autoconf automake gcc python
@@ -42,6 +45,9 @@ rm -rf %{buildroot}%{_prefix}/lib*
 %{_mandir}/man1/*
 
 %changelog
+* Mon Mar 10 2025 zhihang <zhihang161013@outlook.com> - 1.4.5-2
+- Fix CVE-2025-24965
+
 * Wed Jul 20 2022 fushanqing <fushanqing@kylinos.cn> - 1.4.5-1
 - update to 1.4.5
 
-- 
Gitee