crun: patch CVE-2025-24965

Pick commit https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Peter Marko <peter.marko@siemens.com> 2025-02-28 20:44:21 +0100
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2025-03-06 17:41:18 +0000
commit: 892ac5d34f0b903d146084a3c3f1234175332fcc (patch)
tree: 22a0ff8ec6c07d5e3a28e88b02e3fafc0744da22
parent: 79673f5c67b022e7aadeb231872470295e5b9188 (diff)
download: meta-virtualization-892ac5d34f0b903d146084a3c3f1234175332fcc.tar.gz
2 files changed, 46 insertions, 0 deletions
diff --git a/recipes-containers/crun/crun/CVE-2025-24965.patch b/recipes-containers/crun/crun/CVE-2025-24965.patch
new file mode 100644
index 00000000..8a8a8f64
--- /dev/null
+++ b/recipes-containers/crun/crun/CVE-2025-24965.patch
@@ -0,0 +1,45 @@
+From 0aec82c2b686f0b1793deed43b46524fe2e8b5a7 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano <gscrivan@redhat.com>
+Date: Tue, 4 Feb 2025 10:19:07 +0100
+Subject: [PATCH] krun: fix CVE-2025-24965
+make sure the opened .krun_config.json is below the rootfs directory
+and we don't follow any symlink.
+Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
+CVE: CVE-2025-24965
+Upstream-Status: Backport [https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/libcrun/handlers/krun.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
+index 804a17cb..3c7766ba 100644
+--- a/src/libcrun/handlers/krun.c
+++ b/src/libcrun/handlers/krun.c
+@@ -43,6 +43,8 @@
+ /* libkrun has a hard-limit of 8 vCPUs per microVM. */
+ #define LIBKRUN_MAX_VCPUS 8
+ 
+#define KRUN_CONFIG_FILE ".krun_config.json"
+
+ struct krun_config
+ {
+   void *handle;
+@@ -207,7 +209,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
+       if (UNLIKELY (ret < 0))
+         return ret;
+ 
+-      ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
+      /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user.  We
+         must ensure the file is opened below the rootfs directory.  */
+      fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);
+      if (UNLIKELY (fd < 0))
+        return fd;
+
+      ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
+       if (UNLIKELY (ret < 0))
+         return ret;
+     }
diff --git a/recipes-containers/crun/crun_git.bb b/recipes-containers/crun/crun_git.bb
index 89ba21b4..8d72e5f6 100644
--- a/recipes-containers/crun/crun_git.bb
+++ b/recipes-containers/crun/crun_git.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/containers/crun.git;branch=main;name=crun;protocol=h
           git://github.com/opencontainers/runtime-spec.git;branch=main;name=rspec;destsuffix=git/libocispec/runtime-spec;protocol=https \
           git://github.com/opencontainers/image-spec.git;branch=main;name=ispec;destsuffix=git/libocispec/image-spec;protocol=https \
           git://github.com/containers/yajl.git;branch=main;name=yajl;destsuffix=git/libocispec/yajl;protocol=https \
+           file://CVE-2025-24965.patch \
          "
 PV = "v1.14.3+git${SRCREV_crun}"
author	Peter Marko <peter.marko@siemens.com>	2025-02-28 20:44:21 +0100
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2025-03-06 17:41:18 +0000
commit	892ac5d34f0b903d146084a3c3f1234175332fcc (patch)
tree	22a0ff8ec6c07d5e3a28e88b02e3fafc0744da22
parent	79673f5c67b022e7aadeb231872470295e5b9188 (diff)
download	meta-virtualization-892ac5d34f0b903d146084a3c3f1234175332fcc.tar.gz

diff --git a/recipes-containers/crun/crun/CVE-2025-24965.patch b/recipes-containers/crun/crun/CVE-2025-24965.patch new file mode 100644 index 00000000..8a8a8f64 --- /dev/null +++ b/recipes-containers/crun/crun/CVE-2025-24965.patch
@@ -0,0 +1,45 @@
		1	From 0aec82c2b686f0b1793deed43b46524fe2e8b5a7 Mon Sep 17 00:00:00 2001
		2	From: Giuseppe Scrivano <gscrivan@redhat.com>
		3	Date: Tue, 4 Feb 2025 10:19:07 +0100
		4	Subject: [PATCH] krun: fix CVE-2025-24965
		5
		6	make sure the opened .krun_config.json is below the rootfs directory
		7	and we don't follow any symlink.
		8
		9	Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
		10
		11	CVE: CVE-2025-24965
		12	Upstream-Status: Backport [https://github.com/containers/crun/commit/0aec82c2b686f0b1793deed43b46524fe2e8b5a7]
		13	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		14	---
		15	src/libcrun/handlers/krun.c \| 10 +++++++++-
		16	1 file changed, 9 insertions(+), 1 deletion(-)
		17
		18	diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
		19	index 804a17cb..3c7766ba 100644
		20	--- a/src/libcrun/handlers/krun.c
		21	+++ b/src/libcrun/handlers/krun.c
		22	@@ -43,6 +43,8 @@
		23	/* libkrun has a hard-limit of 8 vCPUs per microVM. */
		24	#define LIBKRUN_MAX_VCPUS 8
		25
		26	+#define KRUN_CONFIG_FILE ".krun_config.json"
		27	+
		28	struct krun_config
		29	{
		30	void *handle;
		31	@@ -207,7 +209,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
		32	if (UNLIKELY (ret < 0))
		33	return ret;
		34
		35	- ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
		36	+ /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user. We
		37	+ must ensure the file is opened below the rootfs directory. */
		38	+ fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS \| O_NOFOLLOW, 0700, err);
		39	+ if (UNLIKELY (fd < 0))
		40	+ return fd;
		41	+
		42	+ ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
		43	if (UNLIKELY (ret < 0))
		44	return ret;
		45	}


diff --git a/recipes-containers/crun/crun_git.bb b/recipes-containers/crun/crun_git.bb index 89ba21b4..8d72e5f6 100644 --- a/recipes-containers/crun/crun_git.bb +++ b/recipes-containers/crun/crun_git.bb
@@ -15,6 +15,7 @@ SRC_URI = "git://github.com/containers/crun.git;branch=main;name=crun;protocol=h
15	git://github.com/opencontainers/runtime-spec.git;branch=main;name=rspec;destsuffix=git/libocispec/runtime-spec;protocol=https \	15	git://github.com/opencontainers/runtime-spec.git;branch=main;name=rspec;destsuffix=git/libocispec/runtime-spec;protocol=https \
16	git://github.com/opencontainers/image-spec.git;branch=main;name=ispec;destsuffix=git/libocispec/image-spec;protocol=https \	16	git://github.com/opencontainers/image-spec.git;branch=main;name=ispec;destsuffix=git/libocispec/image-spec;protocol=https \
17	git://github.com/containers/yajl.git;branch=main;name=yajl;destsuffix=git/libocispec/yajl;protocol=https \	17	git://github.com/containers/yajl.git;branch=main;name=yajl;destsuffix=git/libocispec/yajl;protocol=https \
		18	file://CVE-2025-24965.patch \
18	"	19	"
19		20
20	PV = "v1.14.3+git${SRCREV_crun}"	21	PV = "v1.14.3+git${SRCREV_crun}"