[Low] Patch kubernetes for CVE-2024-45310

[v-smalavathu]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

kubernetes: Patch for CVE-2024-45310

• CVE-2024-45310
  Patch Modified – Yes
  1. Combined 2 Patch references.
  -- Taken Patches from NIST:
  -- opencontainers/runc@f0b652e,
  -- opencontainers/runc@8781993
  2. New Function syscallMode added from the Reference below:
  -- https://cs.opensource.google/go/go/+/refs/tags/go1.20.7:src/os/file_posix.go;l=61-75

Astrolabe Patch "opencontainers/runc#4359" is incorrect.

Change Log

• new file: SPECS/kubernetes/CVE-2024-45310.patch
• modified: SPECS/kubernetes/kubernetes.spec

Does this affect the toolchain?

NO

Associated issues

• #xxxx

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2024-45310

Test Methodology

• local build on my VM

• Applied Patch successfully as shown below
  

• Pipeline build id: xxxx

[kgodara912]

Build build: 797166

[kgodara912]

Instead of putting reference here, you may also put this new function reference at the top with other references.

[v-smalavathu]

Yes, Done

[Kanishk-Bansal]

Investigate Build Failure

time="2025-06-04T16:46:19Z"` level=debug msg="+ /usr/lib/rpm/rpmuncompress /usr/src/mariner/SOURCES/CVE-2024-45310.patch" time="2025-06-04T16:46:19Z" level=debug msg="+ /bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f" time="2025-06-04T16:46:19Z" level=debug msg="/bin/patch: **** malformed patch at line 97: diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go" time="2025-06-04T16:46:19Z" level=debug

[v-smalavathu]

Investigate Build Failure

time="2025-06-04T16:46:19Z"` level=debug msg="+ /usr/lib/rpm/rpmuncompress /usr/src/mariner/SOURCES/CVE-2024-45310.patch" time="2025-06-04T16:46:19Z" level=debug msg="+ /bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f" time="2025-06-04T16:46:19Z" level=debug msg="/bin/patch: **** malformed patch at line 97: diff --git a/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go b/vendor/github.com/opencontainers/runc/libcontainer/rootfs_linux.go" time="2025-06-04T16:46:19Z" level=debug

It was successful that time, Here attaching build and test logs.
kubernetes-1.28.4-18.cm2.src.rpm.log
kubernetes-1.28.4-18.cm2.src.rpm.test.log

[v-smalavathu]

@Kanishk-Bansal,
Today, I rebased this PR to latest top of tree and tried to rebuild the package kubernetes from scratch.

Fixed build issues like "Mal function and tampered date in patch file" by re-generate patch file with current date and did changelog with current date. and now, the build is successful.

Here, the snapshots and logs attached.

kubernetes-1.28.4-19.cm2.src.rpm.log

kubernetes-1.28.4-19.cm2.src.rpm.test.log

Kindly let me know if I need to add something here.
-Thanks

[v-smalavathu]

@kgodara912,
Updated the patch analysis details.
-Thanks

[Kanishk-Bansal]

Buddy Build

[v-smalavathu]

Buddy Build

Just checked
Build is success
-Thanks

[Malateshk007]

@kgodara912, please provide your review on this.

[Malateshk007]

@kgodara912, please provide your review on this.
Gentle reminder!

[Malateshk007]

@cyberbandya007, gentle reminder for review!

[sandeepkarambelkar]

Hello @v-smalavathu, Can you merge the conflicts once so that I can run buddy build again.

[sallhms]

Need to close this PR in favor of PR #14641