4 changed files with 8 additions and 83 deletions
--- a/0001-CVE-2025-24965.patch
+++ b/0001-CVE-2025-24965.patch
@ -1,41 +0,0 @@
-From b79b4ba532316faa0b4147bc4edb5e6f14f5f18d Mon Sep 17 00:00:00 2001
-From: zhihang <zhihang161013@outlook.com>
-Date: Fri, 7 Mar 2025 02:22:00 +0000
-Subject: [PATCH] CVE-2025-24965
-
-Signed-off-by: zhihang <zhihang161013@outlook.com>
---
- src/libcrun/handlers/krun.c | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
-index 0342a33..2437967 100644
--- a/src/libcrun/handlers/krun.c
-+++ b/src/libcrun/handlers/krun.c
-@@ -43,6 +43,8 @@
- /* libkrun has a hard-limit of 8 vCPUs per microVM. */
- #define LIBKRUN_MAX_VCPUS 8
- 
-+#define KRUN_CONFIG_FILE ".krun_config.json"
-+
- struct krun_config
- {
-   void *handle;
-@@ -207,7 +209,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
-       if (UNLIKELY (ret < 0))
-         return ret;
- 
-      ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
-+      /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user.  We
-+         must ensure the file is opened below the rootfs directory.  */
-+      fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);
-+      if (UNLIKELY (fd < 0))
-+        return fd;
-+
-+      ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
-       if (UNLIKELY (ret < 0))
-         return ret;
-     }
-- 
-2.43.0
-
--- a/crun-1.4.5.tar.xz
+++ b/crun-1.4.5.tar.xz
--- a/crun-1.8.7.tar.xz
+++ b/crun-1.8.7.tar.xz
--- a/crun.spec
+++ b/crun.spec
@ -1,31 +1,16 @@
 Name:            crun
-Version:         1.8.7
-Release:         3
+Version:         1.4.5
+Release:         1
 Summary:         A fast and low-memory footprint OCI Container Runtime fully written in C.
 URL:             https://github.com/containers/%{name}
-
-Patch1:          0001-CVE-2025-24965.patch
-
 Source0:         https://github.com/containers/crun/releases/download/%{version}/%{name}-%{version}.tar.xz
-License:         GPL-2.0-only
-BuildRequires:   autoconf
-BuildRequires:   automake
-BuildRequires:   gcc
-BuildRequires:   git-core
-BuildRequires:   gperf
-BuildRequires:   libcap-devel
-BuildRequires:   systemd-devel
-BuildRequires:   yajl-devel
-BuildRequires:   libseccomp-devel
-BuildRequires:   python3-libmount
-BuildRequires:   libtool
-BuildRequires:   protobuf-c-devel
-%ifnarch riscv64
-BuildRequires:   criu-devel
-Recommends:      criu
-Recommends:      criu-libs
+License:         GPLv2+ and LGPLv2.1+
+BuildRequires:   autoconf automake gcc python
+BuildRequires:   libcap-devel systemd-devel yajl-devel libseccomp-devel libselinux-devel
+BuildRequires:   libtool make glibc-static protobuf-c-devel
+%ifnarch %ix86
+BuildRequires: criu-devel >= 3.15
 %endif
-BuildRequires:   python3
 Provides:        oci-runtime

 %description
@ -57,25 +42,6 @@ rm -rf %{buildroot}%{_prefix}/lib*
 %{_mandir}/man1/*

 %changelog
-* Fri Mar 7 2025 zhihang <zhihang161013@outlook.com> - 1.8.7-3
- Fix CVE-2025-24965
-
-* Sun Apr 28 2024 yinsist <jianhui.oerv@isrc.iscas.ac.cn> - 1.8.7-2
- Disable criu dependency for RISC-V as criu does not currently support RISC-V
-
-* Thu Apr 25 2024 lijian <lijian2@kylinos.cn> - 1.8.7-1
- update to 1.8.7
- crun: new command "crun features".
- linux: support io_priority from the OCI specs.
- cgroup: allow setting swap to 0.
- cgroup, systemd: set the memory limit on the system scope.
-
-* Wed Apr 17 2024 huayumeng <huayumeng@kylinos.cn> - 1.8.1-2
- readonlyPaths should inherit flags from parent mount
-
-* Wed May 10 2023 zmr_2020 <zhang_jian7@hoperun.com> - 1.8.1-1
- update to 1.8.1
-
 * Wed Jul 20 2022 fushanqing <fushanqing@kylinos.cn> - 1.4.5-1
 - update to 1.4.5