diff --git a/0001-add-patch-to-fix-CVE-2024-25621.patch b/0001-add-patch-to-fix-CVE-2024-25621.patch
new file mode 100644
index 0000000000000000000000000000000000000000..61cd39b0efb1fd98aa065bb76e750fe0c51bb28c
--- /dev/null
+++ b/0001-add-patch-to-fix-CVE-2024-25621.patch
@@ -0,0 +1,103 @@
+From 0450f046e6942e513d0ebf1ef5c2aff13daa187f Mon Sep 17 00:00:00 2001
+From: Akihiro Suda
+Date: Mon, 27 Oct 2025 16:42:59 +0900
+Subject: [PATCH] Fix directory permissions
+
+- Create /var/lib/containerd with 0o700 (was: 0o711).
+- Create config.TempDir with 0o700 (was: 0o711).
+- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
+- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
+- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
+ as required by userns-remapped containers.
+ /run/containerd/io.containerd.runtime.v2.task// is created with:
+ - 0o700 for non-userns-remapped containers
+ - 0o710 for userns-remapped containers with the remapped root group as the owner group.
+
+Signed-off-by: Akihiro Suda
+(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
+Signed-off-by: Akihiro Suda
+
+---
+ pkg/cri/cri.go | 9 +++++++++
+ runtime/v2/manager.go | 2 ++
+ services/server/server.go | 15 ++++++++++++---
+ 3 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
+index 76fa3c0..545252e 100644
+--- a/pkg/cri/cri.go
++++ b/pkg/cri/cri.go
+@@ -19,6 +19,7 @@ package cri
+ import (
+ "flag"
+ "fmt"
++ "os"
+ "path/filepath"
+ 
+ imagespec "github.com/opencontainers/image-spec/specs-go/v1"
+@@ -80,6 +81,14 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
+ }
+ }
+ 
++ if err := os.MkdirAll(ic.State, 0700); err != nil {
++ return nil, err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0755
++ if err := os.Chmod(ic.State, 0700); err != nil {
++ return nil, err
++ }
++
+ c := criconfig.Config{
+ PluginConfig: *pluginConfig,
+ ContainerdRootDir: filepath.Dir(ic.Root),
+diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
+index 21ed607..07cff1f 100644
+--- a/runtime/v2/manager.go
++++ b/runtime/v2/manager.go
+@@ -109,6 +109,8 @@ type ManagerConfig struct {
+ // NewShimManager creates a manager for v2 shims
+ func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
+ for _, d := range []string{config.Root, config.State} {
++ // root: the parent of this directory is created as 0700, not 0711.
++ // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
+ if err := os.MkdirAll(d, 0711); err != nil {
+ return nil, err
+ }
+diff --git a/services/server/server.go b/services/server/server.go
+index 358c8c4..f25361b 100644
+--- a/services/server/server.go
++++ b/services/server/server.go
+@@ -88,10 +88,15 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ return errors.New("root and state must be different paths")
+ }
+ 
+- if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
++ if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
+ return err
+ }
+-
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0700); err != nil {
++ return err
++ }
++ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
+ if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
+ return err
+ }
+@@ -106,7 +111,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
+ }
+ 
+ if config.TempDir != "" {
+- if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
++ if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
++ return err
++ }
++ // chmod is needed for upgrading from an older release that created the dir with 0o711
++ if err := os.Chmod(config.Root, 0700); err != nil {
++ return err
++ }
+ if runtime.GOOS == "windows" {
+--
+2.47.3
+
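Review bot: In the last inner hunk of services/server/server.go (the `config.TempDir` block) the upgrade chmod is applied to `config.Root` rather than `config.TempDir`, although the comment directly above it says it exists to tighten a temp dir that an older release created with 0o711, and Root has already been chmod'd to 0700 in the preceding hunk. On an upgraded host the pre-existing TempDir therefore keeps its 0711 mode, so this part of the CVE-2024-25621 hardening is a no-op for upgrades even though fresh installs get 0700 from the MkdirAllWithACL call. The line should read `if err := os.Chmod(config.TempDir, 0700); err != nil {`; the chmod is done before the `runtime.GOOS == "windows"` branch, so whether it is appropriate on Windows is worth confirming against the rest of the function. CreateTopLevelDirectories continues outside the hunk, and the patch adds no `os` import to server.go, so presumably the file already imports it.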
diff --git a/containerd.spec b/containerd.spec index c893afcc3d08f9d7886ca517df93f5d952fe207a..dd5d8b60a6ffd9380b3fa16749be94f37d542ba1 100644 --- a/containerd.spec +++ b/containerd.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 %bcond_without check @@ -13,6 +13,8 @@ URL: https://github.com/containerd/containerd Source0: https://github.com/containerd/containerd/archive/refs/tags/v%{version}.tar.gz Source1: containerd.service Source2: containerd.toml +# https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f +Patch0001: 0001-add-patch-to-fix-CVE-2024-25621.patch BuildRequires: btrfs-progs-devel systemd-rpm-macros go-md2man Requires: runc @@ -40,6 +42,7 @@ The %{name}-doc package contains documentation files for %{name}. %goprep -k # Used only for generation: rm -rf cmd/protoc-gen-gogoctrd +%patch001 -p1 %build export LDFLAGS="-X %{goipath}/version.Version=%{version} " @@ -100,6 +103,9 @@ install -D -p -m 0644 %{S:2} %{buildroot}%{_sysconfdir}/containerd/config.toml %doc code-of-conduct.md BUILDING.md %changelog +* Thu Nov 20 2025 lzq11122 - 1.6.38-2 +- Add patch to fix CVE-2024-25621 + * Thu Jul 10 2025 mgb01105731 - 1.6.38-1 - Update to 1.6.38 to fix CVE-2024-40635 - Delete patch as the content already exists