
   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   


   Message 27,289 of 28,835   
   Arnaud Rebillout to All   
   Bug#1127704: bookworm-pu: package contai   
   12 Feb 26 05:20:01   
   
   XPost: linux.debian.devel.release   
   From: arnaudr@debian.org   
      
   This is a multi-part MIME message sent by reportbug.   
      
      
   Package: release.debian.org   
   Severity: normal   
   Tags: bookworm   
   X-Debbugs-Cc: containerd@packages.debian.org   
   Control: affects -1 + src:containerd   
   User: release.debian.org@packages.debian.org   
   Usertags: pu   
      
   [ Reason ]   
      
   Backport patch for CVE-2025-64329.   
      
   The previous upload 1.6.20~ds1-1+deb12u2 had a mistake in the changelog,   
   and while it fixed CVE-2024-40635, it claimed to have fixed   
   CVE-2025-64329.   
      
   This has been discussed with Maintainer and Security Team, the security   
   tracker had been updated [1], and Security Team confirmed that I should   
   proceed with an upload to bookworm-updates.   
      
   There's a bit of churn in this debdiff: on top of fixing CVE-2025-64329,   
   the changes also include:   
   - fix the _previous_ changelog entry   
   - rename a patch that fixes a CVE, for clarity   
      
   You can also see the changes on Salsa at [2], in case you find it easier   
   to see the Git history.   
      
   [1]: https://deb.freexian.com/extended-lts/tracker/source-package/containerd   
   [2]: https://salsa.debian.org/arnaudr/containerd/-/commits/debia   
   /bookworm?ref_type=heads   
      
   [ Impact ]   
      
   Impact of CVE-2025-64329 is that a malicious user can exhaust memory on   
   the host by exploiting a bug in the CRI Attach implementation (goroutine   
   leaks).   
      
   [ Tests ]   
      
   I didn't come up with a test to confirm the fix, but the patch (that   
   comes from upstream) applies rather cleanly. I did test that there's no   
   regression (i.e. attaching to a running container still works).   
      
   [ Risks ]   
      
   The patch is rather trivial.   
      
   [ Checklist ]   
     [x] *all* changes are documented in the d/changelog   
     [x] I reviewed all changes and I approve them   
     [x] attach debdiff against the package in (old)stable   
     [x] the issue is verified as fixed in unstable   
      
   [ Changes ]   
      
   Backport patch for CVE-2025-64329:  a malicious user can exhaust memory   
   on the host by exploiting a bug in the CRI Attach implementation   
   (goroutine leaks).   
      
   Fix previous changelog entry (1.6.20~ds1-1+deb12u2).   
      
   Rename a patch that fixes a CVE with the name of the CVE itself, for   
   clarity.   
      
   Best,   
      
   Arnaud   
      
   diff -Nru containerd-1.6.20~ds1/debian/changelog containerd-1.6.   
   0~ds1/debian/changelog   
   --- containerd-1.6.20~ds1/debian/changelog	2025-11-17 04:57:18.000000000 +0700   
   +++ containerd-1.6.20~ds1/debian/changelog	2026-02-12 10:30:28.000000000 +0700   
   @@ -1,9 +1,19 @@   
   -containerd (1.6.20~ds1-1+deb12u2) bookworm-security; urgency=medium   
   +containerd (1.6.20~ds1-1+deb12u3) bookworm; urgency=medium   
      
   -  * Fix overly broad directory permissions, Fixes: CVE-2024-25621   
   +  * Non-maintainer upload.   
   +  * Rename Fix-directory-permissions patch for clarity   
      * Fix bug in the CRI Attach implementation, Fixes: CVE-2025-64329   
        Closes: #1120343   
      
   + -- Arnaud Rebillout   Thu, 12 Feb 2026 10:30:28 +0700   
   +   
   +containerd (1.6.20~ds1-1+deb12u2) bookworm-security; urgency=medium   
   +   
   +  * Fix overly broad directory permissions, Fixes: CVE-2024-25621   
   +    Closes: #1120285   
   +  * Fix large UID:GID (> 32bit) overflow, Fixes: CVE-2024-40635   
   +    Closes: #1100806   
   +   
     -- Reinhard Tartler   Sun, 16 Nov 2025 16:57:18 -0500   
      
    containerd (1.6.20~ds1-1+deb12u1) bookworm; urgency=medium   
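Review bot: the new deb12u3 entry does not record that the already-published deb12u2 entry was rewritten, although that rewrite is part of this upload and the checklist states that all changes are documented in d/changelog. The old deb12u2 entry (the `-` lines) claimed CVE-2025-64329 and the replacement claims CVE-2024-40635 instead, so a reader comparing the two shipped changelogs has no pointer to why. Suggest adding a bullet to the deb12u3 entry such as `* Fix changelog entry of 1.6.20~ds1-1+deb12u2: that upload fixed CVE-2024-40635, not CVE-2025-64329`.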
   diff -Nru containerd-1.6.20~ds1/debian/gbp.conf containerd-1.6.2   
   ~ds1/debian/gbp.conf   
   --- containerd-1.6.20~ds1/debian/gbp.conf	2025-11-17 04:57:18.000000000 +0700   
   +++ containerd-1.6.20~ds1/debian/gbp.conf	2026-02-12 10:30:28.000000000 +0700   
   @@ -1,5 +1,5 @@   
    [DEFAULT]   
    pristine-tar = True   
   -debian-branch = debian/sid   
   +debian-branch = debian/bookworm   
    upstream-branch = upstream/sid   
    dist = DEP14   
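Review bot: the debian/gbp.conf change (debian-branch moved from debian/sid to debian/bookworm) is not listed in the changelog or in the [ Changes ] section of the request; it does not affect the built binaries, but it is unrelated churn in a stable update, so either mention it or leave it out. Note also that upstream-branch is still upstream/sid, which only works if that branch still carries the 1.6.20~ds1 import that the pristine-tar data refers to; a `gbp buildpackage` run from the bookworm branch would confirm that.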
   diff -Nru containerd-1.6.20~ds1/debian/patches/0012-CVE-2024-25621.patch   
   containerd-1.6.20~ds1/debian/patches/0012-CVE-2024-25621.patch   
   --- containerd-1.6.20~ds1/debian/patches/0012-CVE-2024-25621.patch	1970-01-01   
   08:00:00.000000000 +0800   
   +++ containerd-1.6.20~ds1/debian/patches/0012-CVE-2024-25621.patch	2026-02-12   
   10:30:28.000000000 +0700   
   @@ -0,0 +1,95 @@   
   +From: Akihiro Suda    
   +Date: Mon, 27 Oct 2025 16:42:59 +0900   
   +Subject: Fix directory permissions   
   +   
   +- Create /var/lib/containerd with 0o700 (was: 0o711).   
   +- Create config.TempDir with 0o700 (was: 0o711).   
   +- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).   
   +- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700   
   (was: 0o711).   
   +- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task   
   created with 0o711,   
   +  as required by userns-remapped containers.   
   +  /run/containerd/io.containerd.runtime.v2.task// is created with:   
   +  - 0o700 for non-userns-remapped containers   
   +  - 0o710 for userns-remapped containers with the remapped root group as the   
   owner group.   
   +   
   +Signed-off-by: Akihiro Suda    
   +(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)   
   +Signed-off-by: Akihiro Suda    
   +---   
   + pkg/cri/cri.go            |  7 +++++++   
   + runtime/v2/manager.go     |  2 ++   
   + services/server/server.go | 14 ++++++++++++--   
   + 3 files changed, 21 insertions(+), 2 deletions(-)   
   +   
   +Index: containerd/pkg/cri/cri.go   
   +===================================================================   
   +--- containerd.orig/pkg/cri/cri.go   
   ++++ containerd/pkg/cri/cri.go   
   +@@ -19,6 +19,7 @@ package cri   
   + import (   
   + 	"flag"   
   + 	"fmt"   
   ++	"os"   
   + 	"path/filepath"   
   +   
   + 	"github.com/containerd/containerd"   
   +@@ -68,6 +69,13 @@ func initCRIService(ic *plugin.InitConte   
   + 		return nil, fmt.Errorf("invalid plugin config: %w", err)   
   + 	}   
   +   
   ++	if err := os.MkdirAll(ic.State, 0700); err != nil {   
   ++		return nil, err   
   ++	}   
   ++	// chmod is needed for upgrading from an older release that created the dir   
   with 0755   
   ++	if err := os.Chmod(ic.State, 0700); err != nil {   
   ++		return nil, err   
      
   [continued in next message]   
      
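The changelog mix-up the request corrects, as an added example that is not part of the bug report or of the containerd package: a small Python check that parses debian/changelog entries, collects the CVE ids each version claims, and compares them with where each CVE was actually fixed. The two changelog fragments and the EXPECTED mapping are constructed from the report's own statements and the debdiff above; the maintainer addresses are placeholders.

```python
import re
# Constructed inputs, abbreviated from the debdiff: the deb12u2 entry as
# it was before this upload (OLD) and the corrected changelog (NEW).
OLD = """\
containerd (1.6.20~ds1-1+deb12u2) bookworm-security; urgency=medium
  * Fix overly broad directory permissions, Fixes: CVE-2024-25621
  * Fix bug in the CRI Attach implementation, Fixes: CVE-2025-64329
 -- Reinhard Tartler <placeholder@example.org>  Sun, 16 Nov 2025 16:57:18 -0500
"""
NEW = """\
containerd (1.6.20~ds1-1+deb12u3) bookworm; urgency=medium
  * Fix bug in the CRI Attach implementation, Fixes: CVE-2025-64329
 -- Arnaud Rebillout <placeholder@example.org>  Thu, 12 Feb 2026 10:30:28 +0700
containerd (1.6.20~ds1-1+deb12u2) bookworm-security; urgency=medium
  * Fix overly broad directory permissions, Fixes: CVE-2024-25621
  * Fix large UID:GID (> 32bit) overflow, Fixes: CVE-2024-40635
 -- Reinhard Tartler <placeholder@example.org>  Sun, 16 Nov 2025 16:57:18 -0500
"""
# Which upload really fixed each CVE, taken from the bug report's text.
EXPECTED = {
    "CVE-2024-25621": "1.6.20~ds1-1+deb12u2",
    "CVE-2024-40635": "1.6.20~ds1-1+deb12u2",
    "CVE-2025-64329": "1.6.20~ds1-1+deb12u3",
}
HEADER = re.compile(r"^\S+ \(([^)]+)\) \S+; urgency=")  # first line of an entry
CVE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def cves_by_version(changelog):
    """Map each version entry to the set of CVE ids mentioned inside it."""
    claims, current = {}, None
    for line in changelog.splitlines():
        m = HEADER.match(line)
        if m:  # a new entry starts; lines up to the next header belong to it
            current = m.group(1)
            claims[current] = set()
        elif current is not None:
            claims[current].update(CVE.findall(line))
    return claims
def check(changelog, expected):
    """Sorted findings: CVEs an entry claims but did not fix, and fixes it omits."""
    claims = cves_by_version(changelog)
    findings = []
    for version, cves in claims.items():
        for cve in sorted(cves):
            if expected.get(cve) != version:
                findings.append(f"{version} wrongly claims {cve}")
    for cve, version in expected.items():
        if version in claims and cve not in claims[version]:
            findings.append(f"{version} fixed {cve} but does not say so")
    return sorted(findings)
```

Run against OLD the check reports both the wrong claim and the missing one; against NEW it reports nothing.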


