[Medium] Patch kata-containers for CVE-2025-4574 #13844

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation

v-smalavathu
Contributor

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?

Summary

kata-containers: Patch for CVE-2025-4574

Change Log
  • new file: SPECS/kata-containers/CVE-2025-4574.patch
  • modified: SPECS/kata-containers/kata-containers.spec
Does this affect the toolchain?

NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • Pipeline build id: xxxx

Signed-off-by: Sreenivasulu Malavathula <v-smalavathu@microsoft.com>
@v-smalavathu v-smalavathu requested a review from a team as a code owner May 21, 2025 15:53
@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels May 21, 2025
@@ -39,7 +40,7 @@ Summary: Kata Containers tools package for building the UVM
This package contains the scripts and files required to build the UVM

%prep
%autosetup -p1 -n %{name}-%{version}
%autosetup -p1 -a1 -n %{name}-%{version}
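Review bot: the new `%autosetup -p1 -a1` line already extracts %{SOURCE1} into the unpacked source directory before the patch list is applied, so the `pushd %{_builddir}/%{name}-%{version}; tar -xf %{SOURCE1}; popd` block that still follows in %prep (quoted in the review discussion below) extracts the same archive a second time. Since %autosetup applies CVE-2025-4574.patch before the rest of the %prep body runs, that second extraction overwrites any patched file that lives inside SOURCE1 and silently drops the fix from the build while the patch step itself still reports success. Remove the manual tar block and keep only -a1, or drop -a1 and move the patch application after the manual extraction; do not keep both.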
Contributor

Could you please check whether you intend to unpack the source twice? -a1 will untar the source, and then below `tar -xf %{SOURCE1}` is done again, which will decompress it a second time. You may check and remove the one below if it is not needed. If that is not the case, then your CVE changes will be overwritten by the `tar -xf` below, and you may need to apply the patch properly.

Contributor Author

Fixed the issue.

@v-smalavathu
Contributor Author

OK, how do I verify that it is unpacking twice? Here are the logs I verified from the RPM log file.
Attaching the complete logs...
kata-containers-3.15.0.aks0-2.azl3.src.rpm.log
-Thanks

@kgodara912
Contributor

It is unpacking twice; please remove the one below because you have already added -a1:

pushd %{_builddir}/%{name}-%{version}
tar -xf %{SOURCE1}
popd

Verify and update PR.
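As an added illustration of the point made above (example code, not part of the PR or the kata-containers spec), the following POSIX shell script simulates the %prep ordering in question with a constructed archive standing in for %{SOURCE1}, a sed rewrite standing in for the patch step of `%autosetup -p1`, and a hypothetical path under vendor/crossbeam-channel; the only thing it relies on from the real spec is the order of the three operations:

```shell
#!/bin/sh
# Added example, not from the PR or the kata-containers spec: simulates the %prep
# ordering problem raised in review. All names, paths and file contents below are
# constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a tiny stand-in for %{SOURCE1}: an archive holding one file that the CVE
# patch is supposed to change.
make_source1() {
    mkdir -p "$WORK/src/vendor/crossbeam-channel/src"
    printf 'fn swap() { /* original */ }\n' > "$WORK/src/vendor/crossbeam-channel/src/list.rs"
    tar -C "$WORK/src" -cf "$WORK/SOURCE1.tar" vendor
}

# Stand-in for the patch step of "%autosetup -p1": rewrite the vulnerable line.
apply_patch() {
    f="$1/vendor/crossbeam-channel/src/list.rs"
    sed 's/original/patched/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Report whether the build tree at $1 carries the fix ("patched") or not ("original").
state_of() {
    if grep -q 'patched' "$1/vendor/crossbeam-channel/src/list.rs"; then
        echo patched
    else
        echo original
    fi
}

# Spec as first submitted: "-a1" extracts SOURCE1 and the patch is applied, then the
# leftover "pushd ...; tar -xf %{SOURCE1}; popd" block extracts the pristine archive
# again on top of the patched tree.
prep_double_extract() {
    rm -rf "$WORK/build" && mkdir -p "$WORK/build"
    tar -C "$WORK/build" -xf "$WORK/SOURCE1.tar"   # %autosetup -a1
    apply_patch "$WORK/build"                        # %autosetup -p1 applies the patch
    tar -C "$WORK/build" -xf "$WORK/SOURCE1.tar"   # stray tar -xf %{SOURCE1}
    state_of "$WORK/build"
}

# Spec after the fix: extract once, patch once, nothing re-extracts afterwards.
prep_single_extract() {
    rm -rf "$WORK/build" && mkdir -p "$WORK/build"
    tar -C "$WORK/build" -xf "$WORK/SOURCE1.tar"
    apply_patch "$WORK/build"
    state_of "$WORK/build"
}

make_source1
echo "double extraction leaves the tree: $(prep_double_extract)"   # original
echo "single extraction leaves the tree: $(prep_single_extract)"   # patched
```

The check worth keeping from this is `state_of`: after %prep, grep the unpacked tree for a line the patch is known to introduce. A second extraction does not make the patch step fail, so the build log alone shows a successful patch application either way; only the contents of the tree prove that the fix is actually compiled in.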

@kgodara912 kgodara912 requested a review from Copilot May 26, 2025 12:38
@Copilot Copilot AI left a comment


Pull Request Overview

Patch kata-containers packaging to address CVE-2025-4574 and update release metadata.

  • Bump Release from 1%{?dist} to 2%{?dist} and update %autosetup flags
  • Add CVE-2025-4574.patch to apply upstream Crossbeam fix
  • Update changelog with new patch entry

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

  • SPECS/kata-containers/kata-containers.spec: Bumped release, enabled patch application, added patch and changelog entry
  • SPECS/kata-containers/CVE-2025-4574.patch: Upstream Crossbeam fix swapping head.block to address CVE-2025-4574

@@ -112,6 +113,9 @@ popd
%{tools_pkg}/tools/osbuilder/node-builder/azure-linux/agent-install/usr/lib/systemd/system/kata-agent.service

%changelog
* Tue May 20 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 3.15.0.aks0-2
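Review bot: the %changelog header added at the end of this hunk spells the author as "Sreeniavsulu", which does not match the Signed-off-by line "Sreenivasulu Malavathula <v-smalavathu@microsoft.com>" in the PR description; use the same spelling in the changelog entry so the packaging history and the commit trailer agree.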
Copilot AI May 26, 2025

The author name 'Sreeniavsulu' appears to be misspelled; it should match 'Sreenivasulu Malavathula' from the patch header.

Suggested change
* Tue May 20 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 3.15.0.aks0-2
* Tue May 20 2025 Sreenivasulu Malavathula <v-smalavathu@microsoft.com> - 3.15.0.aks0-2

@v-smalavathu
Contributor Author

It is unpacking twice; please remove the one below because you have already added -a1:

pushd %{_builddir}/%{name}-%{version}
tar -xf %{SOURCE1}
popd

Verify and update PR.
Yes, fixed.
Uploaded new changes.
-Thanks

@v-smalavathu v-smalavathu force-pushed the v-smalavathu/kata-containers/CVE-2025-4574_3-kata-containers branch from 7f92b44 to 7fddbdc Compare May 27, 2025 18:59
@Sumynwa Sumynwa requested a review from a team June 17, 2025 05:03
@Sumynwa
Contributor

Sumynwa commented Jun 17, 2025

@ms-mahuber We have this moderate CVE tagged by Dependabot in our repo as well.
Please advise whether we are still fixing CVEs in sources for 3.0.

@Sumynwa
Contributor

Sumynwa commented Jun 26, 2025

In our kata containers sources, we seem to have rebased with upstream, and the crossbeam-channel dependency has been updated to 0.5.15. Will hold the PR pending confirmation.

@ms-mahuber
Contributor

In our kata containers sources, we seem to have rebased with upstream, and the crossbeam-channel dependency has been updated to 0.5.15. Will hold the PR pending confirmation.

Yes, the relevant update is here: #14105

@v-smalavathu
Contributor Author

In our kata containers sources, we seem to have rebased with upstream, and the crossbeam-channel dependency has been updated to 0.5.15. Will hold the PR pending confirmation.

Yes, the relevant update is here: #14105

PR #14105 is an upgrade to version '3.18.0.kata0'.

Shall we close this PR if it is not required?
-Thanks

@Sumynwa
Contributor

Sumynwa commented Jul 8, 2025

In our kata containers sources, we seem to have rebased with upstream, and the crossbeam-channel dependency has been updated to 0.5.15. Will hold the PR pending confirmation.

Yes, the relevant update is here: #14105

PR #14105 is an upgrade to version '3.18.0.kata0'.

Shall we close this PR if it is not required? -Thanks

Yes, the upgrade will have the fix for the CVE in sources.

@durgajagadeesh
Contributor

durgajagadeesh commented Jul 8, 2025

Hi @Sumynwa,
I have verified that this CVE fix is merged in the latest version (v3.18.0.kata0), and the PR number is #14105.

We don't need this PR anymore, so I'm closing it. Thank you!

@0xba1a 0xba1a closed this Jul 8, 2025
Labels: 3.0-dev (PRs Destined for AzureLinux 3.0), Packaging, security