From: Peter Marko <[email protected]>

Backport upstream commit https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7
Signed-off-by: Peter Marko <[email protected]>
---
 .../crun/crun/CVE-2025-24965.patch | 45 +++++++++++++++++++
 recipes-containers/crun/crun_git.bb | 1 +
 2 files changed, 46 insertions(+)
 create mode 100644 recipes-containers/crun/crun/CVE-2025-24965.patch

diff --git a/recipes-containers/crun/crun/CVE-2025-24965.patch b/recipes-containers/crun/crun/CVE-2025-24965.patch
new file mode 100644
index 00000000..8a8a8f64
--- /dev/null
+++ b/recipes-containers/crun/crun/CVE-2025-24965.patch
@@ -0,0 +1,45 @@
+From 0aec82c2b686f0b1793deed43b46524fe2e8b5a7 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <[email protected]>
+Date: Tue, 4 Feb 2025 10:19:07 +0100
+Subject: [PATCH] krun: fix CVE-2025-24965
+
+make sure the opened .krun_config.json is below the rootfs directory
+and we don't follow any symlink.
+
+Signed-off-by: Giuseppe Scrivano <[email protected]>
+
+CVE: CVE-2025-24965
+Upstream-Status: Backport [https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7]
+Signed-off-by: Peter Marko <[email protected]>
+---
+ src/libcrun/handlers/krun.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
+index 804a17cb..3c7766ba 100644
+--- a/src/libcrun/handlers/krun.c
++++ b/src/libcrun/handlers/krun.c
+@@ -43,6 +43,8 @@
+ /* libkrun has a hard-limit of 8 vCPUs per microVM. */
+ #define LIBKRUN_MAX_VCPUS 8
+
++#define KRUN_CONFIG_FILE ".krun_config.json"
++
+ struct krun_config
+ {
+ void *handle;
+@@ -207,7 +209,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
+ if (UNLIKELY (ret < 0))
+ return ret;
+
+- ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
++ /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user. We
++ must ensure the file is opened below the rootfs directory. */
++ fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);
++ if (UNLIKELY (fd < 0))
++ return fd;
++
++ ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
+ if (UNLIKELY (ret < 0))
+ return ret;
+ }
diff --git a/recipes-containers/crun/crun_git.bb b/recipes-containers/crun/crun_git.bb
index 89ba21b4..8d72e5f6 100644
--- a/recipes-containers/crun/crun_git.bb
+++ b/recipes-containers/crun/crun_git.bb
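Review bot: Nothing between the `fd = safe_openat (...)` line and the `safe_write` call verifies that the object just opened is a regular file: O_NOFOLLOW rejects a symlink at `.krun_config.json`, but because the image author controls the rootfs a FIFO or device node pre-placed under that name is still opened and written (an O_WRONLY open of a FIFO blocks until a reader appears, stalling the handler), unless WRITE_FILE_DEFAULT_FLAGS already carries O_EXCL, which the hunk does not show. I would add an fstat check right after the open, `struct stat st; if (UNLIKELY (fstat (fd, &st) < 0 || ! S_ISREG (st.st_mode)))`, and return an error the same way the surrounding error paths do. Separately, `fd` is declared outside the hunk; if it is not an auto-closing (cleanup-attribute) variable, the descriptor leaks on the `return ret` error path and on the success path, so that declaration is worth confirming. The mode argument `0700` also grants the execute bit on a JSON config file where `0600` would do. libkrun_configure_container starts and ends outside the hunk.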
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/containers/crun.git;branch=main;name=crun;protocol=h
 git://github.com/opencontainers/runtime-spec.git;branch=main;name=rspec;destsuffix=git/libocispec/runtime-spec;protocol=https \
 git://github.com/opencontainers/image-spec.git;branch=main;name=ispec;destsuffix=git/libocispec/image-spec;protocol=https \
 git://github.com/containers/yajl.git;branch=main;name=yajl;destsuffix=git/libocispec/yajl;protocol=https \
+ file://CVE-2025-24965.patch \
 " PV = "v1.14.3+git${SRCREV_crun}"
