[Low] Patch kubernetes for CVE-2024-45310#14641

Open
SumitJenaHCL wants to merge 5 commits into
microsoft:mainfrom
SumitJenaHCL:v-smalavathu/kubernetes/CVE-2024-45310_2-kubernetes
Conversation

@SumitJenaHCL
Contributor

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

What does the PR accomplish, why was it needed?
kubernetes: Patch for GHSA-jfvp-7x6p-h2pv

  1. Combined 2 patch references, taken from NIST:
     -- opencontainers/runc@f0b652e
     -- opencontainers/runc@8781993
  2. New function syscallMode added from the reference below:
     -- https://cs.opensource.google/go/go/+/refs/tags/go1.20.7:src/os/file_posix.go;l=61-75

Astrolabe Patch "opencontainers/runc#4359" is incorrect.

Change Log
  • SPECS/kubernetes/CVE-2024-45310.patch
  • SPECS/kubernetes/kubernetes.spec
Does this affect the toolchain?

NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology
  • local build on my VM
  • Applied Patch successfully.

@SumitJenaHCL SumitJenaHCL requested a review from a team as a code owner September 10, 2025 06:35
@SumitJenaHCL SumitJenaHCL changed the title V smalavathu/kubernetes/CVE 2024 45310 2 kubernetes [Low] Patch kubernetes for CVE-2024-45310 Sep 10, 2025
}
+
+// syscallMode returns the syscall-specific mode bits from Go's portable mode bits.
+func syscallMode(i fs.FileMode) (o uint32) {
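Review bot: the doc comment on the new `syscallMode` should name where the function was copied from, since the PR summary gives its origin as Go's `src/os/file_posix.go` (go1.20.7, lines 61-75) and a later reader diffing the patched file against upstream will otherwise have to rediscover that; one line such as `// Copied from Go's os.syscallMode (src/os/file_posix.go, go1.20.7).` above the signature is enough. The hunk also introduces the `fs.FileMode` parameter type but shows no import change, so confirm the patched file already imports `io/fs`, or the package will fail to build with this patch applied.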
Contributor

Contributor Author

Reference added above, as per the earlier request in the previous PR.

- return err
- }
-
- if stat != nil {
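Review bot: this hunk removes a `return err` and the enclosing `if stat != nil {` guard, which changes error propagation and drops a nil check rather than adding anything from the CVE fix; the PR summary cites only opencontainers/runc@f0b652e and opencontainers/runc@8781993, and the author's reply attributes these lines to backporting `mountToRootfs` from v1.1. The patch header (or the PR summary) should cite the exact v1.1 commit these lines come from, and the removal of the nil check needs a stated justification, i.e. what now guarantees `stat` is non-nil on the path that follows, since code after the removed guard would otherwise dereference a nil `stat`.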
Contributor

As per GHSA-jfvp-7x6p-h2pv for Release-1.1, I don't see this change in either of the 2 patches:
opencontainers/runc@8781993, or
opencontainers/runc@f0b652e#diff-e0932af06cb46065b2ef5fc89bc2bd9b880c9578e01b89ef4ecaeffb78a8bef0

Please explain this.

Contributor Author

Changes are added in order to backport mountToRootfs from v1.1.

+// Taken from <include/linux/proc_ns.h>. If a file is on a filesystem of type
+// PROC_SUPER_MAGIC, we're guaranteed that only the root of the superblock will
+// have this inode number.
+const procRootIno = 1
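Review bot: the comment itself states that the inode-1 guarantee only holds for a file on a filesystem of type `PROC_SUPER_MAGIC`, so any caller comparing an inode against `procRootIno` must first verify the filesystem type (the type field returned by statfs) and never rely on the inode number alone; an inode 1 on a non-procfs mount would otherwise be misidentified as the procfs root. The author's reply attributes this constant to backporting `getCgroupMounts` from v1.1, so the patch should cite that v1.1 source commit alongside the kernel header reference, so reviewers can confirm that the accompanying filesystem-magic check was brought over together with the constant.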
Contributor

Why did we need this change? I understand that the function argument number has changed in the upstream patches.
Can you provide details of the commit from which we have taken these changes?

Contributor Author

Changes are added in order to backport getCgroupMounts from v1.1.

Labels

main PR Destined for main Packaging security

4 participants