From b4fcff089ccc5d993b3c2213631e662743eb6d76 Mon Sep 17 00:00:00 2001
From: weiyucheng123
Date: Thu, 11 Dec 2025 09:39:10 +0800
Subject: [PATCH] fix CVE-2025-64329
---
 0010-fix-CVE-2025-64329.patch | 73 +++++++++++++++++++++++++++++++++++
 k3s-containerd.spec | 9 ++++-
 2 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 0010-fix-CVE-2025-64329.patch
diff --git a/0010-fix-CVE-2025-64329.patch b/0010-fix-CVE-2025-64329.patch
new file mode 100644
index 0000000..6800740
--- /dev/null
+++ b/0010-fix-CVE-2025-64329.patch
@@ -0,0 +1,73 @@
+From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
+From: wheat2018 <1151937289@qq.com>
+Date: Tue, 13 Aug 2024 15:56:31 +0800
+Subject: [PATCH] fix goroutine leak of container Attach
+
+The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
+never finish if it attaches to a container without any stdout or stderr
+output. Wait for http context cancel and break the pipe actively to
+address the issue.
+
+Signed-off-by: wheat2018 <1151937289@qq.com>
+Signed-off-by: Akihiro Suda
+(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
+Signed-off-by: Akihiro Suda
+---
+ pkg/cri/io/container_io.go | 14 +++++++++++---
+ pkg/cri/server/container_attach.go | 2 +-
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
+index 70bc8b7..e158410 100644
+--- a/pkg/cri/io/container_io.go
++++ b/pkg/cri/io/container_io.go
+@@ -17,6 +17,7 @@
+ package io
+
+ import (
++ "context"
+ "errors"
+ "io"
+ "strings"
+@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
+
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ var wg sync.WaitGroup
+ key := util.GenerateID()
+ stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
+ }
+
+ attachStream := func(key string, close <-chan struct{}) {
+- <-close
+- logrus.Infof("Attach stream %q closed", key)
++ select {
++ case <-close:
++ logrus.Infof("Attach stream %q closed", key)
++ case <-ctx.Done():
++ logrus.Infof("Attach client of %q cancelled", key)
++ // Avoid writeGroup heap up
++ c.stdoutGroup.Remove(key)
++ c.stderrGroup.Remove(key)
++ }
+ // Make sure stdin gets closed.
+ if stdinStreamRC != nil {
+ stdinStreamRC.Close()
+diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
+index a952150..3625229 100644
+--- a/pkg/cri/server/container_attach.go
++++ b/pkg/cri/server/container_attach.go
+@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ },
+ }
+ // TODO(random-liu): Figure out whether we need to support historical output.
+- cntr.IO.Attach(opts)
++ cntr.IO.Attach(ctx, opts)
+ return nil
+ }
+--
+2.43.0
+
diff --git a/k3s-containerd.spec b/k3s-containerd.spec
index 2e1adb5..9e17555 100644
--- a/k3s-containerd.spec
+++ b/k3s-containerd.spec
@@ -3,7 +3,7 @@
 %global version_suffix k3s1
 Version: 1.6.6
 Name: k3s-containerd
-Release: 12
+Release: 13
 Summary: An industry-standard container runtime
 License: Apache-2.0
 URL: https://github.com/k3s-io/containerd
@@ -18,6 +18,7 @@ Patch0006: 0006-fix-CVE-2022-41723.patch
 Patch0007: 0007-fix-CVE-2024-24786.patch
 Patch0008: 0008-fix-CVE-2024-40635.patch
 Patch0009: 0009-fix-CVE-2024-25621.patch
+Patch0010: 0010-fix-CVE-2025-64329.patch
 BuildRequires: golang glibc-static make btrfs-progs-devel
@@ -78,6 +79,12 @@ cp -rf %{_builddir}/containerd-%{version}-%{version_suffix}/. %{buildroot}%{_lib
 %changelog
+* Wed Dec 10 2025 weiyucheng - 1.6.6-13
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2025-64329
+
 * Wed Dec 10 2025 weiyucheng - 1.6.6-12
 - Type:bugfix
 - CVE:NA
-- Gitee
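Review bot: The doc comment on `Attach` (`// Attach attaches container stdio.`) is left unchanged although the signature gains a `ctx context.Context` parameter, and the contract the new `case <-ctx.Done():` branch relies on is never stated: only a context bound to the attaching client's lifetime makes the monitor goroutine leave the `select`, so a caller that passes a long-lived context such as `context.Background()` would reintroduce the leak this patch fixes. Suggested: `// Attach attaches container stdio. ctx must be tied to the attaching client; when it is cancelled the stream's writer is removed from the stdout/stderr groups and the monitor goroutine falls through to closing stdin.` The inline `// Avoid writeGroup heap up` is also hard to read; `// Client is gone: drop this stream's writer so the groups do not accumulate dead writers (key is the stdout or the stderr key, so one Remove is a no-op)` says what the two calls do, though the no-op reading is inferred from the single `key` argument and should be confirmed against the group's `Remove`. The `attachStream` closure and the enclosing `Attach` body continue past the end of the hunk.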
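Review bot: The new `Patch0010: 0010-fix-CVE-2025-64329.patch` line wires in a fix that the commit title attributes to CVE-2025-64329, yet the 1.6.6-13 changelog entry shown in the following hunk records `- CVE:NA`; the package metadata should carry the identifier, e.g. `- CVE:CVE-2025-64329`, so that advisory and SCA tooling can match this release to the fix. Only the DESC line mentions the CVE, which is not where such tooling looks. The changelog hunk itself runs past the end of this excerpt, so only the field values visible here are considered.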