[AutoPR- Security] Patch kubevirt for CVE-2025-64324 [HIGH] (#15140)

Co-authored-by: akhila-guruju <v-guakhila@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 3 people

SPECS/kubevirt/CVE-2025-64324.patch

@@ -0,0 +1,170 @@
+From fe271ce9c879d110d43d55ffb79c725bca8ed8f5 Mon Sep 17 00:00:00 2001
+From: Jed Lejosne <jed@redhat.com>
+Date: Wed, 25 Jun 2025 09:19:41 -0400
+Subject: [PATCH 1/2] host-path: only chown files we created
+
+Signed-off-by: Jed Lejosne <jed@redhat.com>
+
+From 977390fbff6c91ba53d494701bb937962acdfddd Mon Sep 17 00:00:00 2001
+From: Jed Lejosne <jed@redhat.com>
+Date: Tue, 1 Jul 2025 09:09:14 -0400
+Subject: [PATCH 2/2] tests: adjust host-path test according to previous fix
+
+Signed-off-by: Jed Lejosne <jed@redhat.com>
+
+Upstream Patch Reference: https://github.com/kubevirt/kubevirt/commit/00d03e43e3bf03e563136695a4732b65ed42d764.patch
+---
+ pkg/ephemeral-disk-utils/utils.go | 19 +++++++++++++++++--
+ pkg/host-disk/host-disk.go        | 14 +++++++-------
+ pkg/host-disk/host-disk_test.go   | 13 ++++++++++---
+ tests/storage/storage.go          | 20 ++++++++++++++++----
+ 4 files changed, 50 insertions(+), 16 deletions(-)
+
+diff --git a/pkg/ephemeral-disk-utils/utils.go b/pkg/ephemeral-disk-utils/utils.go
+index fc1a07b..863b267 100644
+--- a/pkg/ephemeral-disk-utils/utils.go
++++ b/pkg/ephemeral-disk-utils/utils.go
+@@ -44,14 +44,29 @@ func MockDefaultOwnershipManager() {
+ type nonOpManager struct {
+ }
+ 
+-func (no *nonOpManager) UnsafeSetFileOwnership(file string) error {
++func (no *nonOpManager) UnsafeSetFileOwnership(_ string) error {
+ 	return nil
+ }
+ 
+-func (no *nonOpManager) SetFileOwnership(file *safepath.Path) error {
++func (no *nonOpManager) SetFileOwnership(_ *safepath.Path) error {
+ 	return nil
+ }
+ 
++func MockDefaultOwnershipManagerWithFailure() {
++	DefaultOwnershipManager = &failureManager{}
++}
++
++type failureManager struct {
++}
++
++func (no *failureManager) UnsafeSetFileOwnership(_ string) error {
++	panic("unexpected call to UnsafeSetFileOwnership")
++}
++
++func (no *failureManager) SetFileOwnership(_ *safepath.Path) error {
++	panic("unexpected call to SetFileOwnership")
++}
++
+ type OwnershipManager struct {
+ 	user string
+ }
+diff --git a/pkg/host-disk/host-disk.go b/pkg/host-disk/host-disk.go
+index ca6893a..895006f 100644
+--- a/pkg/host-disk/host-disk.go
++++ b/pkg/host-disk/host-disk.go
+@@ -213,7 +213,7 @@ func (hdc *DiskImgCreator) setlessPVCSpaceToleration(toleration int) {
+ 	hdc.lessPVCSpaceToleration = toleration
+ }
+ 
+-func (hdc DiskImgCreator) Create(vmi *v1.VirtualMachineInstance) error {
++func (hdc *DiskImgCreator) Create(vmi *v1.VirtualMachineInstance) error {
+ 	for _, volume := range vmi.Spec.Volumes {
+ 		if hostDisk := volume.VolumeSource.HostDisk; shouldMountHostDisk(hostDisk) {
+ 			if err := hdc.mountHostDiskAndSetOwnership(vmi, volume.Name, hostDisk); err != nil {
+@@ -236,14 +236,14 @@ func (hdc *DiskImgCreator) mountHostDiskAndSetOwnership(vmi *v1.VirtualMachineIn
+ 		return err
+ 	}
+ 	if !fileExists {
+-		if err := hdc.handleRequestedSizeAndCreateSparseRaw(vmi, diskDir, diskPath, hostDisk); err != nil {
++		if err = hdc.handleRequestedSizeAndCreateSparseRaw(vmi, diskDir, diskPath, hostDisk); err != nil {
+ 			return err
+ 		}
+-	}
+-	// Change file ownership to the qemu user.
+-	if err := ephemeraldiskutils.DefaultOwnershipManager.UnsafeSetFileOwnership(diskPath); err != nil {
+-		log.Log.Reason(err).Errorf("Couldn't set Ownership on %s: %v", diskPath, err)
+-		return err
++		// Change file ownership to the qemu user.
++                if err = ephemeraldiskutils.DefaultOwnershipManager.UnsafeSetFileOwnership(diskPath); err != nil {
++                       log.Log.Reason(err).Errorf("Couldn't set Ownership on %s: %v", diskPath, err)
++                       return err
++                }
+ 	}
+ 	return nil
+ }
+diff --git a/pkg/host-disk/host-disk_test.go b/pkg/host-disk/host-disk_test.go
+index 184c0d8..57f3a26 100644
+--- a/pkg/host-disk/host-disk_test.go
++++ b/pkg/host-disk/host-disk_test.go
+@@ -35,13 +35,13 @@ import (
+ 	"k8s.io/client-go/kubernetes/fake"
+ 	"k8s.io/client-go/tools/record"
+ 
+-	"kubevirt.io/kubevirt/pkg/safepath"
+-
+ 	"kubevirt.io/client-go/api"
+ 
+ 	v1 "kubevirt.io/api/core/v1"
+ 	"kubevirt.io/client-go/kubecli"
+ 
++	ephemeraldiskutils "kubevirt.io/kubevirt/pkg/ephemeral-disk-utils"
++	"kubevirt.io/kubevirt/pkg/safepath"
+ 	"kubevirt.io/kubevirt/pkg/testutils"
+ )
+ 
+@@ -321,7 +321,14 @@ var _ = Describe("HostDisk", func() {
+ 			})
+ 		})
+ 		Context("With existing disk.img", func() {
+-			It("Should not re-create disk.img", func() {
++			AfterEach(func() {
++				By("Switching back to the regular mock ownership manager")
++				ephemeraldiskutils.MockDefaultOwnershipManager()
++			})
++
++			It("Should not re-create or chown disk.img", func() {
++				By("Switching to an ownership manager that panics when called")
++				ephemeraldiskutils.MockDefaultOwnershipManagerWithFailure()
+ 				By("Creating a disk.img before adding a HostDisk volume")
+ 				tmpDiskImg := createTempDiskImg("volume1")
+ 
+diff --git a/tests/storage/storage.go b/tests/storage/storage.go
+index 1ed1d86..5977e93 100644
+--- a/tests/storage/storage.go
++++ b/tests/storage/storage.go
+@@ -285,18 +285,30 @@ var _ = SIGDescribe("Storage", func() {
+ 
+ 					if storageEngine == "nfs" {
+ 						vmi = tests.RunVMIAndExpectLaunchIgnoreWarnings(vmi, 180)
+-					} else {
+-						vmi = tests.RunVMIAndExpectLaunch(vmi, 180)
+ 					}
++					if imageOwnedByQEMU {
++						vmi = tests.RunVMIAndExpectLaunch(vmi, 180)
+ 
+-					By(checkingVMInstanceConsoleOut)
+-					Expect(console.LoginToAlpine(vmi)).To(Succeed())
++						By(checkingVMInstanceConsoleOut)
++						Expect(console.LoginToAlpine(vmi)).To(Succeed())
++					} else {
++						By("Starting a VirtualMachineInstance")
++						createdVMI := tests.RunVMIAndExpectScheduling(vmi, 60)
++
++						By(fmt.Sprintf("Checking that VirtualMachineInstance start failed: starting at %v", time.Now()))
++						ctx, cancel := context.WithCancel(context.Background())
++						defer cancel()
++						event := watcher.New(createdVMI).Timeout(60*time.Second).SinceWatchedObjectResourceVersion().WaitFor(ctx, watcher.WarningEvent, "SyncFailed")
++						Expect(event.Message).To(ContainSubstring("Could not open '/var/run/kubevirt-private/vmi-disks/disk0/disk.img': Permission denied"), "VMI should not be started")
++					}
+ 				},
++
+ 					Entry("[test_id:3130]with Disk PVC", newRandomVMIWithPVC, "", nil, true),
+ 					Entry("[test_id:3131]with CDRom PVC", newRandomVMIWithCDRom, "", nil, true),
+ 					Entry("[test_id:4618]with NFS Disk PVC using ipv4 address of the NFS pod", newRandomVMIWithPVC, "nfs", k8sv1.IPv4Protocol, true),
+ 					Entry("[Serial]with NFS Disk PVC using ipv6 address of the NFS pod", Serial, newRandomVMIWithPVC, "nfs", k8sv1.IPv6Protocol, true),
+ 					Entry("[Serial]with NFS Disk PVC using ipv4 address of the NFS pod not owned by qemu", Serial, newRandomVMIWithPVC, "nfs", k8sv1.IPv4Protocol, false),
++					Entry("unless hostpath disk image file not owned by qemu", newRandomVMIWithPVC, false),
+ 				)
+ 			})
+ 
+-- 
+2.43.0
+

SPECS/kubevirt/kubevirt.spec

@@ -19,7 +19,7 @@
 Summary:        Container native virtualization
 Name:           kubevirt
 Version:        0.59.0
-Release:        30%{?dist}
+Release:        31%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -46,6 +46,7 @@ Patch13:        CVE-2023-48795.patch
 Patch14:        CVE-2024-51744.patch
 Patch15:        CVE-2025-22872.patch
 Patch16:        CVE-2024-33394.patch
+Patch17:        CVE-2025-64324.patch
 
 %global debug_package %{nil}
 BuildRequires:  glibc-devel
@@ -226,6 +227,9 @@ install -p -m 0644 cmd/virt-handler/nsswitch.conf %{buildroot}%{_datadir}/kube-v
 %{_bindir}/virt-tests
 
 %changelog
+* Thu Nov 20 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.59.0-31
+- Patch for CVE-2025-64324
+
 * Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 0.59.0-30
 - Bump release to rebuild with golang