[MEDIUM] Patch libvirt for CVE-2024-4418

[aninda-al]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Addresses libvirt CVE-2024-4418
Patch file: https://gitlab.com/libvirt/libvirt/-/commit/8074d64dc2eca846d6a61efe1a9b7428a0ce1dd1

Change Log

• Added: SPECS/libvirt/CVE-2024-4418.patch
• Modified: SPECS/libvirt/libvirt.spec
• Fixes CVE: CVE-2024-4418

Does this affect the toolchain?

NO

Associated issues

• NA

Links to CVEs

• https://nvd.nist.gov/vuln/detail/CVE-2024-4418

Test Methodology

• local build

[kgodara912]

Buddy build. Patch exactly matches with upstream reference.

[Kanishk-Bansal]

Please fix the License Check

[Kanishk-Bansal]

• Buddy Build
• patch applied during the build (check rpm.log) Patch applies cleanly
• patch include an upstream reference
• PR has security tag

[aninda-al]

Please fix the License Check

@Kanishk-Bansal I didn't quite get it, could you please throw some light, I don't see any license check failures. Thanks!

[Kanishk-Bansal]

LGTM

[0xba1a]

Waiting for @kgodara912 's review requested by @Kanishk-Bansal

[kgodara912]

This change is not correct as it will remove all the docs from docs rpm (size reduced from 2MB to 100kb), we will see how to use exclude and packages to properly get license and docs both.

[kgodara912]

Please wait for a suggestion for a proper fix.

[Kanishk-Bansal]

Fixing the license issue seems non-trivial for now. Let's keep this PR moving forward.

[kgodara912]

LGTM.