[Medium] Patch kata-containers for CVE-2025-4574 #13844
Conversation
Signed-off-by: Sreenivasulu Malavathula <v-smalavathu@microsoft.com>
@@ -39,7 +40,7 @@ Summary: Kata Containers tools package for building the UVM | |||
This package contains the scripts and files required to build the UVM | |||
|
|||
%prep | |||
%autosetup -p1 -n %{name}-%{version} | |||
%autosetup -p1 -a1 -n %{name}-%{version} |
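Review bot: adding -a1 to %autosetup means %{SOURCE1} is now extracted during %autosetup, before the patches are applied, so the manual "tar -xf %{SOURCE1}" that still follows later in %prep (raised in the comments on this PR) has to be removed in the same change; otherwise the second extraction overwrites the files that CVE-2025-4574.patch just modified and the fix never reaches the build. Suggest dropping the manual tar line and confirming in the RPM build log that the archive is extracted exactly once.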
Could you please check whether you want to do source unpacking twice? -a1 will do the source untar, and then below again tar -xf %{SOURCE1} is done, which will decompress again. You may check and remove the one below in case it is not needed. If that is not the case, then your CVE changes will be overwritten by the tar -xf below; you may need to apply the patch properly.
Fixed the issue.
OK, how do I verify that it is unpacking twice? Here are the logs I verified from the RPM log file.
It is unpacking twice; please remove the one below because you have already added it. Verify and update the PR.
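As an added example that is not part of this PR or of the azurelinux repository, the following POSIX shell script reproduces in a scratch directory what the review comments above describe: once %autosetup -a1 has unpacked %{SOURCE1}, a leftover manual tar -xf %{SOURCE1} after the patch step overwrites the patched file, and the CVE fix silently disappears. The tarball, the dependency line inside it, the sed call standing in for %patch, and the two spec fragments fed to the static check are all constructed here; spec_unpacks_twice is a hypothetical helper, not a tool from the repository.

```shell
#!/bin/sh
# Added example, not part of the PR: show that unpacking the same source archive twice
# around a patch step discards the patch, and give a static check for the spec file.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for %{SOURCE1}: one file pinning an old crossbeam-channel.
make_source1() {
    mkdir -p "$WORK/tools/src"
    printf 'crossbeam-channel = "0.5.14"\n' > "$WORK/tools/src/Cargo.toml"
    tar -C "$WORK" -cf "$WORK/tools.tar" tools
    rm -rf "$WORK/tools"
}

# Stand-in for the %patch step (sed instead of a real .patch file).
apply_fix() {
    f="$1/tools/src/Cargo.toml"
    sed 's/0\.5\.14/0.5.15/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Prints "present" if the fix survived, "clobbered" if the file was overwritten.
fix_state() {
    if grep -q '0\.5\.15' "$1/tools/src/Cargo.toml"; then echo present; else echo clobbered; fi
}

# Scenario A: %autosetup -a1 unpacks, the patch applies, then a leftover tar -xf unpacks again.
scenario_double_unpack() {
    d="$WORK/double"; mkdir -p "$d"
    tar -C "$d" -xf "$WORK/tools.tar"   # what -a1 does inside %autosetup
    apply_fix "$d"
    tar -C "$d" -xf "$WORK/tools.tar"   # leftover manual tar -xf %{SOURCE1}; tar overwrites
    fix_state "$d"
}

# Scenario B: the manual tar line removed, so the archive is unpacked exactly once.
scenario_single_unpack() {
    d="$WORK/single"; mkdir -p "$d"
    tar -C "$d" -xf "$WORK/tools.tar"
    apply_fix "$d"
    fix_state "$d"
}

# Static check for a spec: an %autosetup line carrying -a1 plus a manual tar -xf of
# %{SOURCE1} means the archive is unpacked twice. Returns 0 (true) when both are present.
spec_unpacks_twice() {
    grep -Eq '^%autosetup.*-a1' "$1" && grep -Fq 'tar -xf %{SOURCE1}' "$1"
}

# Constructed spec fragments for the check (not the real kata-containers.spec).
cat > "$WORK/before.spec" <<'EOF'
%prep
%autosetup -p1 -a1 -n %{name}-%{version}
tar -xf %{SOURCE1}
EOF
cat > "$WORK/after.spec" <<'EOF'
%prep
%autosetup -p1 -a1 -n %{name}-%{version}
EOF

make_source1
echo "double unpack: $(scenario_double_unpack)"   # clobbered
echo "single unpack: $(scenario_single_unpack)"   # present
if spec_unpacks_twice "$WORK/before.spec"; then echo "before.spec: unpacks twice"; fi
if spec_unpacks_twice "$WORK/after.spec"; then :; else echo "after.spec: unpacks once"; fi
```

The static check is the cheap part of the review: running it over the spec catches the double extraction before a build is started, while the two scenarios show why it matters, since tar overwrites existing files by default and leaves no error behind when it undoes a patch.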
Pull Request Overview
Patch kata-containers packaging to address CVE-2025-4574 and update release metadata.
- Bump Release from 1%{?dist} to 2%{?dist} and update %autosetup flags
- Add CVE-2025-4574.patch to apply upstream Crossbeam fix
- Update changelog with new patch entry
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
File | Description
---|---
SPECS/kata-containers/kata-containers.spec | Bumped release, enabled patch application, added patch and changelog entry
SPECS/kata-containers/CVE-2025-4574.patch | Upstream Crossbeam fix swapping head.block to address CVE-2025-4574
@@ -112,6 +113,9 @@ popd | |||
%{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service | |||
|
|||
%changelog | |||
* Tue May 20 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 3.15.0.aks0-2 |
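Review bot: the author name in the new changelog entry, 'Sreeniavsulu Malavathula', is misspelled and does not match the Signed-off-by line of this PR ('Sreenivasulu Malavathula'). The -2 release suffix already matches the Release bump, so only the name needs correcting:
* Tue May 20 2025 Sreenivasulu Malavathula <v-smalavathu@microsoft.com> - 3.15.0.aks0-2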
The author name 'Sreeniavsulu' appears to be misspelled; it should match 'Sreenivasulu Malavathula' from the patch header.
* Tue May 20 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 3.15.0.aks0-2
* Tue May 20 2025 Sreenivasulu Malavathula <v-smalavathu@microsoft.com> - 3.15.0.aks0-2
Force-pushed from 7f92b44 to 7fddbdc.
@ms-mahuber We have this moderate CVE tagged by dependabot in our repo as well.
In our kata containers sources, we seem to have rebased with upstream, and the crossbeam-channel dependency has been updated to 0.5.15. Will hold the PR for confirming.
Yes, the relevant update is here: #14105
PR #14105 is an upgrade to version '3.18.0.kata0'. Shall we close this PR if this is not required?
Yes, the upgrade will have the fix for the CVE in sources.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
- *-static subpackages, etc.) have had their Release tag incremented.
- ./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json
- ./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON
- *.signatures.json files
- sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
What does the PR accomplish, why was it needed?
Summary
kata-containers: Patch for CVE-2025-4574
Change Log
Does this affect the toolchain?
NO
Associated issues
Links to CVEs
Test Methodology