diff --git a/SPECS/kata-containers/CVE-2025-58354.patch b/SPECS/kata-containers/CVE-2025-58354.patch
new file mode 100644
index 00000000000..1d0280cd440
--- /dev/null
+++ b/SPECS/kata-containers/CVE-2025-58354.patch
@@ -0,0 +1,30 @@
+From 40af51a885413377c0952a8bb4d766af87c736d1 Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Mon, 29 Sep 2025 06:55:57 +0000
+Subject: [PATCH] initramfs: Enforce --panic-on-corruption for veritysetup
+
+Let's enforce an error on veritysetup in case there's any tampering with the rootfs.
+
+Signed-off-by: AllSpark
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/kata-containers/kata-containers/commit/3e67f92e34be974e792c153add76e4e4baac9de0.patch
+---
+ tools/packaging/static-build/initramfs/init.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/packaging/static-build/initramfs/init.sh b/tools/packaging/static-build/initramfs/init.sh
+index 4b224280b7..3dca85dd7b 100755
+--- a/tools/packaging/static-build/initramfs/init.sh
++++ b/tools/packaging/static-build/initramfs/init.sh
+@@ -32,7 +32,7 @@ hash_device=${root_device%?}2
+
+ if [ -e ${root_device} ] && [ -e ${hash_device} ] && [ "${rootfs_verifier}" = "dm-verity" ]
+then
+- veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}"
++ veritysetup open --panic-on-corruption "${root_device}" root "${hash_device}" "${rootfs_hash}"
+ mount /dev/mapper/root /mnt
+ else
+ echo "No LUKS device found"
+--
+2.45.4
+
diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec
index a9ce6a490d8..22242626d31 100644
--- a/SPECS/kata-containers/kata-containers.spec
+++ b/SPECS/kata-containers/kata-containers.spec
@@ -39,7 +39,7 @@
Summary: Kata Containers
Name: kata-containers
Version: 3.2.0.azl2
-Release: 7%{?dist}
+Release: 8%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
URL: https://github.com/microsoft/kata-containers
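Review bot: The exit status of the new `veritysetup open --panic-on-corruption` call on the `+` line of the embedded init.sh hunk is never checked, so if the open fails (for example because the veritysetup binary or kernel in the initramfs does not accept that option) the script falls through to `mount /dev/mapper/root /mnt` on a mapper device that was never created and continues booting. `--panic-on-corruption` only governs what the kernel does when it detects corruption after the device is active; a failed open needs its own handling to keep the fail-closed intent, e.g. `veritysetup open --panic-on-corruption "${root_device}" root "${hash_device}" "${rootfs_hash}" || exit 1` (a non-zero exit from /init ends in a kernel panic rather than a guest with an unverified or missing root). The if/else block this hunk touches continues past the hunk; its `fi` is outside the diff.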
@@ -51,6 +51,7 @@ Patch0: CVE-2023-45288.patch
Patch1: CVE-2023-39325.patch
Patch2: CVE-2024-24786.patch
Patch3: CVE-2023-44487.patch
+Patch4: CVE-2025-58354.patch
BuildRequires: golang
BuildRequires: git-core
@@ -219,6 +220,9 @@ ln -sf %{_bindir}/kata-runtime %{buildroot}%{_prefix}/local/bin/kata-runtime
%exclude %{kataosbuilderdir}/rootfs-builder/ubuntu
%changelog
+* Mon Sep 29 2025 Azure Linux Security Servicing Account - 3.2.0.azl2-8
+- Patch for CVE-2025-58354
+
* Thu Sep 04 2025 Akhila Guruju - 3.2.0.azl-7
- Bump release to rebuild with golang