[AUTO-CHERRYPICK] kubevirt: Add patch for CVE-2024-24786 - branch main (#9148)

Co-authored-by: Rohit Rawat <rohitrawat@microsoft.com>
Co-authored-by: Rohit Rawat <xordux@gmail.com>

Author: CBL-Mariner-Bot

SPECS/kubevirt/CVE-2024-24786.patch

@@ -0,0 +1,52 @@
+From 6d8650a5d365c3f80dcf3cd32681dc9c33a04f2d Mon Sep 17 00:00:00 2001
+From: Rohit Rawat <xordux@gmail.com>
+Date: Thu, 16 May 2024 18:12:11 +0000
+Subject: [PATCH] protobuf-go: Fix CVE-2024-24786
+
+---
+ .../protobuf/encoding/protojson/well_known_types.go       | 8 ++++++++
+ .../protobuf/internal/encoding/json/decode.go             | 2 +-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index 72924a9..95562c0 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
+ 				if err := d.skipJSONValue(); err != nil {
+ 					return err
+ 				}
++			case json.EOF:
++				// This can only happen if there's a bug in Decoder.Read.
++				// Avoid an infinite loop if this does happen.
++				return errors.New("unexpected EOF")
+ 			}
+ 		}
+ 
+@@ -341,6 +345,10 @@ func (d decoder) skipJSONValue() error {
+ 			case json.ArrayClose:
+ 				d.Read()
+ 				return nil
++			case json.EOF:
++				// This can only happen if there's a bug in Decoder.Read.
++				// Avoid an infinite loop if this does happen.
++				return errors.New("unexpected EOF")
+ 			default:
+ 				// Skip array item.
+ 				if err := d.skipJSONValue(); err != nil {
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index b13fd29..b2be4e8 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+ 
+ 	case ObjectClose:
+ 		if len(d.openStack) == 0 ||
+-			d.lastToken.kind == comma ||
++			d.lastToken.kind&(Name|comma) != 0 ||
+ 			d.openStack[len(d.openStack)-1] != ObjectOpen {
+ 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ 		}
+-- 
+2.33.8
+

SPECS/kubevirt/kubevirt.spec

@@ -19,7 +19,7 @@
 Summary:        Container native virtualization
 Name:           kubevirt
 Version:        0.59.0
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -36,7 +36,8 @@ Patch3:         CVE-2023-44487.patch
 Patch4:         CVE-2024-21626.patch
 Patch5:         Hp-volume-pod-should-respect-blockdevices.patch
 Patch6:         CVE-2022-41723.patch
-Patch7:         CVE-2023-45288.patch
+Patch7:         CVE-2024-24786.patch
+Patch8:         CVE-2023-45288.patch
 %global debug_package %{nil}
 BuildRequires:  glibc-devel
 BuildRequires:  glibc-static >= 2.35-7%{?dist}
@@ -216,9 +217,12 @@ install -p -m 0644 cmd/virt-handler/nsswitch.conf %{buildroot}%{_datadir}/kube-v
 %{_bindir}/virt-tests
 
 %changelog
-* Thu Apr 18 2024 chrisgun@microsoft.com <chrisgun@microsoft.com> - 0.59.0-17
+* Thu Apr 18 2024 chrisgun@microsoft.com <chrisgun@microsoft.com> - 0.59.0-18
 - Fix for CVE-2023-45288
 
+* Fri May 17 2024 Rohit Rawat <rohitrawat@microsoft.com> - 0.59.0-17
+- Add patch for CVE-2024-24786
+
 * Mon May 06 2024 Rachel Menge <rachelmenge@microsoft.com> - 0.59.0-16
 - Bump release to rebuild against glibc 2.35-7