[kirkstone] go: fix CVE-2023-24540

Message ID	20230524052853.1666676-1-sakib.sajal@windriver.com
State	New, archived
Headers	show Return-Path: <sakib.sajal@windriver.com> ip: 205.220.178.238, mailfrom: prvs=45082ad12b=sakib.sajal@windriver.com) From: Sakib Sajal <sakib.sajal@windriver.com> To: openembedded-core@lists.openembedded.org Subject: [kirkstone][PATCH] go: fix CVE-2023-24540 Date: Wed, 24 May 2023 01:28:53 -0400 Message-Id: <20230524052853.1666676-1-sakib.sajal@windriver.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0
Series	[kirkstone] go: fix CVE-2023-24540 \| expand [kirkstone] go: fix CVE-2023-24540

Message ID

20230524052853.1666676-1-sakib.sajal@windriver.com

State

New, archived

Headers

From: Sakib Sajal <sakib.sajal@windriver.com>
To: openembedded-core@lists.openembedded.org
Subject: [kirkstone][PATCH] go: fix CVE-2023-24540
Date: Wed, 24 May 2023 01:28:53 -0400
Message-Id: <20230524052853.1666676-1-sakib.sajal@windriver.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 ybpcMbIuBJ83AZKc3WXA3EfGHrBcYnTofA4GU0EMcPQQXKyojODtSMiyHRlD03maQ2MSZxoXBEGEjIFC3b+7lHcAnfOFTWl4kJx/hEn2IEOJwGWy8m79bmKwnyG/I4XI63HZPVkbLr8iftKf3eT9W5ucncpY6pT4nKeTlDT2Roc34/qnbQGqeePfvtaHIJ4JOGvv1RuG7A+5Ar3IKNO2UhF/AW8rcgeAiLqAIfl79gM9AER7QqsVTJfVnEfabhPYvYhf7u8mmcgAP9atoNhPZuObwfDImEpIH0k43XpyXSw3Gbm6rmaMEmHHj5fqGBuGVGrD6KQkY3ioS3zBxQbqkgfEWerW4kXc7P00CgRwaBTUwDIk6frBLjC5qv0deIaREiydJR80lj9cuktC/8P6THWPztaO/4gKyPw7OL0oRBvT91XdCQ+oICLmb6A3GEozKFLvPbO184wNX3paK/qxRtNV6nczRZHXYPwqV4AoLwpCeWT8A16SuvZxEdAeWMUZXV/x6GyQjhetrnB3u6U8yyjucYuZi4j2LgTAwPLLy3b9fHtgjOasscw7+h5HDGAZY5ksEBesfkh8CvpKylq2Wdjd7H31zltKby21Vq1hhIK2r1w2bEs/ksZpgJNvtDPFOpRitKIP5XdDNcaBSr7UtlZk+kB78lhkSzJCaZ1iJf6dT803wAF0WW/CNdqfUcmmTMRbtX+/9M+MMJa0hWNPC8O+KvkLV3AGEnuctyZq9pe+YY5xEdRtjYDcoHdmfBwjoK6RhEeONYfibp/tGi8bAxuyBkScvEjrCnwPJclzyn2XwGrbJlNDFydUyFCD+ESdQn3sAYrb8ZhZ1bmVSNZIF62xTs/zidCyIarhl6XjWlBXpq5wpjM70StR9CpxSwuuRRPdxWWIASIFKOrbzSMJJOBxJwmTxL+YHESFE+gKi7tqBN41jZdX4d1rDZehn5O7plvmtjgom+X4SnXr8vCea+j90xAi9NtQ0qtfifAgSs0/23cnMqQAA17F/UMH0S47nVTg+5yyCfPwxj17P0zOFIroIrFyuaen2BrCs+grhJus5vQX+jc20haAb7JQ3EK1G5c19Pv4DSgoMNkLMXMgIMNEaJDsxZ7U/NpGkEeO9PSFEBS1Zu/772W1dTSCsrHug5vEeTAsXZyLNo1EpYHl9o+RyGN1H9Q7xuqvVBHbb8rDN5sK8tivq4TA7/C+7dg49mSHkp0uG4QALK+FD1o/kl8aRoVVHcUdHP4t+IyQVU8vChjdoBmtosNmVOc9dGc4NnOeuIgSJA3taglwnvT6eFzFp9vT0ywXv898SkKSf63cqkvrrkNTGRRkkw905aNCbmar8qWmqAqURFGRlX5TfL2kZEar9c+EBOHKZ2CaozZ3aybF7JoHNCAwwFrDhSpxfPNSOpitVZEpXp8Fcvq6lBpVdP2jYuO3c/MpossVawwKFA7deo52NSdpUJIatfc6lmK+6uLBinEzIFCt7tttAZXPDh9F7hEEI4yN+z/iywpeVInhlMDYbkV6B63u87qkmqSNjdShXLzf8XUOB3JwYCVmoiz3FSLeW7ygMfiqfbPbsErG+St/NVo6QkzbPKh0VTUEDTnhTLcgY8/lfY9XAA==
X-OriginatorOrg: windriver.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 bdbd1dff-589e-4a48-6eab-08db5c17cfd8
X-MS-Exchange-CrossTenant-AuthSource: DM6PR11MB2538.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 May 2023 05:29:14.6029
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 W106I2YJRBqLsKVSwJ0pXkObKX0oajccKx6ICFFIhXmb6OysQ4OPfFe4ew7qmP9BG0aWPy3LOQUrQB4pdoCD9YjZLU0xbJ1XoJUxU43Odpo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR11MB4850
X-Proofpoint-ORIG-GUID: MGGRh2Phfa1stemFTXNcYDtTwtGROTNq
X-Proofpoint-GUID: MGGRh2Phfa1stemFTXNcYDtTwtGROTNq
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.254,Aquarius:18.0.957,Hydra:6.0.573,FMLib:17.11.176.26
 definitions=2023-05-24_02,2023-05-23_02,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 malwarescore=0
 mlxlogscore=999 priorityscore=1501 adultscore=0 lowpriorityscore=0
 mlxscore=0 suspectscore=0 bulkscore=0 clxscore=1015 spamscore=0
 phishscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.12.0-2304280000 definitions=main-2305240045
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Wed, 24 May 2023 05:29:23 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/181657

Series

[kirkstone] go: fix CVE-2023-24540 | expand

Commit Message

Sakib Sajal May 24, 2023, 5:28 a.m. UTC

Backport from go-1.19:
html/template: handle all JS whitespace characters

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
 meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
 .../go/go-1.19/CVE-2023-24540.patch           | 93 +++++++++++++++++++
 2 files changed, 94 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch

Comments

Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) May 24, 2023, 1:59 p.m. UTC | #1

Hi Sakib,

Its good to have full URL link inside .patch file as below:
CVE: CVE-2023-24540
Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797]


Its good have some information on CVE specifications in commit message:

go: Fix CVE-2023-24540

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-24540

Upstream patch:
https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797 (go 1.19.9)

Thanks,
Sanjay


-----Original Message-----
Backport from go-1.19:
html/template: handle all JS whitespace characters

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
 meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
 .../go/go-1.19/CVE-2023-24540.patch           | 93 +++++++++++++++++++
 2 files changed, 94 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index d7cb47ebf4..e5e9d841c4 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -30,6 +30,7 @@ SRC_URI += "\
     file://CVE-2023-24537.patch \
     file://CVE-2023-24534.patch \
     file://CVE-2023-24538.patch \
+    file://CVE-2023-24540.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
new file mode 100644
index 0000000000..4ed9ba7096
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
@@ -0,0 +1,93 @@
+From 2305cdb2aa5ac8e9960bd64e548a119c7dd87530 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Tue, 11 Apr 2023 16:27:43 +0100
+Subject: [PATCH] html/template: handle all JS whitespace characters
+
+Rather than just a small set. Character class as defined by \s [0].
+
+Thanks to Juho Nurminen of Mattermost for reporting this.
+
+For #59721
+Fixes  #59813
+Fixes CVE-2023-24540
+
+[0] 
+https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_E
+xpressions/Character_Classes
+
+Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
+Reviewed-on: 
+https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: 
+https://team-review.git.corp.google.com/c/golang/go-private/+/1851497
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491355
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+TryBot-Bypass: Carlos Amedee <carlos@golang.org>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+
+CVE: CVE-2023-24540
+Upstream-Status: Backport [ce7bd33345416e6d8cac901792060591cafc2797]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ src/html/template/js.go      |  8 +++++++-
+ src/html/template/js_test.go | 11 +++++++----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go index 
+b888eaf..35994f0 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -13,6 +13,11 @@ import (
+ 	"unicode/utf8"
+ )
+ 
++// jsWhitespace contains all of the JS whitespace characters, as 
++defined // by the \s character class.
++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes.
++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff"
++
+ // nextJSCtx returns the context that determines whether a slash after 
+the  // given run of tokens starts a regular expression instead of a 
+division  // operator: / or /=.
+@@ -26,7 +31,8 @@ import (
+ // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
+ // 
+https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
+ func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
+-	s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
++	// Trim all JS whitespace characters
++	s = bytes.TrimRight(s, jsWhitespace)
+ 	if len(s) == 0 {
+ 		return preceding
+ 	}
+diff --git a/src/html/template/js_test.go 
+b/src/html/template/js_test.go index d7ee47b..8f5d76d 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) {
+ 		{jsCtxDivOp, "0"},
+ 		// Dots that are part of a number are div preceders.
+ 		{jsCtxDivOp, "0."},
++		// Some JS interpreters treat NBSP as a normal space, so
++		// we must too in order to properly escape things.
++		{jsCtxRegexp, "=\u00A0"},
+ 	}
+ 
+ 	for _, test := range tests {
+-		if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx {
+-			t.Errorf("want %s got %q", test.jsCtx, test.s)
++		if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx {
++			t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ 		}
+-		if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx {
+-			t.Errorf("want %s got %q", test.jsCtx, test.s)
++		if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx {
++			t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ 		}
+ 	}
+ 
+--
+2.40.0
+
--
2.40.0

Steve Sakoman May 24, 2023, 3:26 p.m. UTC | #2

On Wed, May 24, 2023 at 3:59 AM Sanjaykumar kantibhai Chitroda -X
(schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
<schitrod=cisco.com@lists.openembedded.org> wrote:
>
> Hi Sakib,
>
> Its good to have full URL link inside .patch file as below:
> CVE: CVE-2023-24540
> Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797]
>
>
> Its good have some information on CVE specifications in commit message:
>
> go: Fix CVE-2023-24540
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-24540
>
> Upstream patch:
> https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797 (go 1.19.9)

I've taken the patch and made the above referenced changes, so no need for a v2.

Thanks for the patch and the review!

Steve

> -----Original Message-----
> Backport from go-1.19:
> html/template: handle all JS whitespace characters
>
> Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> ---
>  meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
>  .../go/go-1.19/CVE-2023-24540.patch           | 93 +++++++++++++++++++
>  2 files changed, 94 insertions(+)
>  create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
>
> diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
> index d7cb47ebf4..e5e9d841c4 100644
> --- a/meta/recipes-devtools/go/go-1.17.13.inc
> +++ b/meta/recipes-devtools/go/go-1.17.13.inc
> @@ -30,6 +30,7 @@ SRC_URI += "\
>      file://CVE-2023-24537.patch \
>      file://CVE-2023-24534.patch \
>      file://CVE-2023-24538.patch \
> +    file://CVE-2023-24540.patch \
>  "
>  SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
>
> diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
> new file mode 100644
> index 0000000000..4ed9ba7096
> --- /dev/null
> +++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
> @@ -0,0 +1,93 @@
> +From 2305cdb2aa5ac8e9960bd64e548a119c7dd87530 Mon Sep 17 00:00:00 2001
> +From: Roland Shoemaker <bracewell@google.com>
> +Date: Tue, 11 Apr 2023 16:27:43 +0100
> +Subject: [PATCH] html/template: handle all JS whitespace characters
> +
> +Rather than just a small set. Character class as defined by \s [0].
> +
> +Thanks to Juho Nurminen of Mattermost for reporting this.
> +
> +For #59721
> +Fixes  #59813
> +Fixes CVE-2023-24540
> +
> +[0]
> +https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_E
> +xpressions/Character_Classes
> +
> +Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
> +Reviewed-on:
> +https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
> +Reviewed-by: Julie Qiu <julieqiu@google.com>
> +Run-TryBot: Roland Shoemaker <bracewell@google.com>
> +Reviewed-by: Damien Neil <dneil@google.com>
> +Reviewed-on:
> +https://team-review.git.corp.google.com/c/golang/go-private/+/1851497
> +Run-TryBot: Damien Neil <dneil@google.com>
> +Reviewed-by: Roland Shoemaker <bracewell@google.com>
> +Reviewed-on: https://go-review.googlesource.com/c/go/+/491355
> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
> +Reviewed-by: Carlos Amedee <carlos@golang.org>
> +TryBot-Bypass: Carlos Amedee <carlos@golang.org>
> +Run-TryBot: Carlos Amedee <carlos@golang.org>
> +
> +CVE: CVE-2023-24540
> +Upstream-Status: Backport [ce7bd33345416e6d8cac901792060591cafc2797]
> +
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + src/html/template/js.go      |  8 +++++++-
> + src/html/template/js_test.go | 11 +++++++----
> + 2 files changed, 14 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/html/template/js.go b/src/html/template/js.go index
> +b888eaf..35994f0 100644
> +--- a/src/html/template/js.go
> ++++ b/src/html/template/js.go
> +@@ -13,6 +13,11 @@ import (
> +       "unicode/utf8"
> + )
> +
> ++// jsWhitespace contains all of the JS whitespace characters, as
> ++defined // by the \s character class.
> ++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes.
> ++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff"
> ++
> + // nextJSCtx returns the context that determines whether a slash after
> +the  // given run of tokens starts a regular expression instead of a
> +division  // operator: / or /=.
> +@@ -26,7 +31,8 @@ import (
> + // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
> + //
> +https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
> + func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
> +-      s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
> ++      // Trim all JS whitespace characters
> ++      s = bytes.TrimRight(s, jsWhitespace)
> +       if len(s) == 0 {
> +               return preceding
> +       }
> +diff --git a/src/html/template/js_test.go
> +b/src/html/template/js_test.go index d7ee47b..8f5d76d 100644
> +--- a/src/html/template/js_test.go
> ++++ b/src/html/template/js_test.go
> +@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) {
> +               {jsCtxDivOp, "0"},
> +               // Dots that are part of a number are div preceders.
> +               {jsCtxDivOp, "0."},
> ++              // Some JS interpreters treat NBSP as a normal space, so
> ++              // we must too in order to properly escape things.
> ++              {jsCtxRegexp, "=\u00A0"},
> +       }
> +
> +       for _, test := range tests {
> +-              if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx {
> +-                      t.Errorf("want %s got %q", test.jsCtx, test.s)
> ++              if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx {
> ++                      t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
> +               }
> +-              if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx {
> +-                      t.Errorf("want %s got %q", test.jsCtx, test.s)
> ++              if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx {
> ++                      t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
> +               }
> +       }
> +
> +--
> +2.40.0
> +
> --
> 2.40.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#181673): https://lists.openembedded.org/g/openembedded-core/message/181673
> Mute This Topic: https://lists.openembedded.org/mt/99103273/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Sakib Sajal May 24, 2023, 3:42 p.m. UTC | #3

On 2023-05-24 11:26, Steve Sakoman wrote:
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> On Wed, May 24, 2023 at 3:59 AM Sanjaykumar kantibhai Chitroda -X
> (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
> <schitrod=cisco.com@lists.openembedded.org> wrote:
>> Hi Sakib,
>>
>> Its good to have full URL link inside .patch file as below:
>> CVE: CVE-2023-24540
>> Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797]
>>
>>
>> Its good have some information on CVE specifications in commit message:
>>
>> go: Fix CVE-2023-24540
>>
>> References:
>> https://nvd.nist.gov/vuln/detail/CVE-2023-24540
>>
>> Upstream patch:
>> https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797 (go 1.19.9)
> I've taken the patch and made the above referenced changes, so no need for a v2.
>
> Thanks for the patch and the review!
>
> Steve

Thanks for the feedback, I will incorporate the changes in the upcoming 
patches!

Sakib

>
>> -----Original Message-----
>> Backport from go-1.19:
>> html/template: handle all JS whitespace characters
>>
>> Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
>> ---
>>   meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
>>   .../go/go-1.19/CVE-2023-24540.patch           | 93 +++++++++++++++++++
>>   2 files changed, 94 insertions(+)
>>   create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
>>
>> diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
>> index d7cb47ebf4..e5e9d841c4 100644
>> --- a/meta/recipes-devtools/go/go-1.17.13.inc
>> +++ b/meta/recipes-devtools/go/go-1.17.13.inc
>> @@ -30,6 +30,7 @@ SRC_URI += "\
>>       file://CVE-2023-24537.patch \
>>       file://CVE-2023-24534.patch \
>>       file://CVE-2023-24538.patch \
>> +    file://CVE-2023-24540.patch \
>>   "
>>   SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
>>
>> diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
>> new file mode 100644
>> index 0000000000..4ed9ba7096
>> --- /dev/null
>> +++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
>> @@ -0,0 +1,93 @@
>> +From 2305cdb2aa5ac8e9960bd64e548a119c7dd87530 Mon Sep 17 00:00:00 2001
>> +From: Roland Shoemaker <bracewell@google.com>
>> +Date: Tue, 11 Apr 2023 16:27:43 +0100
>> +Subject: [PATCH] html/template: handle all JS whitespace characters
>> +
>> +Rather than just a small set. Character class as defined by \s [0].
>> +
>> +Thanks to Juho Nurminen of Mattermost for reporting this.
>> +
>> +For #59721
>> +Fixes  #59813
>> +Fixes CVE-2023-24540
>> +
>> +[0]
>> +https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_E
>> +xpressions/Character_Classes
>> +
>> +Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
>> +Reviewed-on:
>> +https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
>> +Reviewed-by: Julie Qiu <julieqiu@google.com>
>> +Run-TryBot: Roland Shoemaker <bracewell@google.com>
>> +Reviewed-by: Damien Neil <dneil@google.com>
>> +Reviewed-on:
>> +https://team-review.git.corp.google.com/c/golang/go-private/+/1851497
>> +Run-TryBot: Damien Neil <dneil@google.com>
>> +Reviewed-by: Roland Shoemaker <bracewell@google.com>
>> +Reviewed-on: https://go-review.googlesource.com/c/go/+/491355
>> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
>> +Reviewed-by: Carlos Amedee <carlos@golang.org>
>> +TryBot-Bypass: Carlos Amedee <carlos@golang.org>
>> +Run-TryBot: Carlos Amedee <carlos@golang.org>
>> +
>> +CVE: CVE-2023-24540
>> +Upstream-Status: Backport [ce7bd33345416e6d8cac901792060591cafc2797]
>> +
>> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
>> +---
>> + src/html/template/js.go      |  8 +++++++-
>> + src/html/template/js_test.go | 11 +++++++----
>> + 2 files changed, 14 insertions(+), 5 deletions(-)
>> +
>> +diff --git a/src/html/template/js.go b/src/html/template/js.go index
>> +b888eaf..35994f0 100644
>> +--- a/src/html/template/js.go
>> ++++ b/src/html/template/js.go
>> +@@ -13,6 +13,11 @@ import (
>> +       "unicode/utf8"
>> + )
>> +
>> ++// jsWhitespace contains all of the JS whitespace characters, as
>> ++defined // by the \s character class.
>> ++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes.
>> ++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff"
>> ++
>> + // nextJSCtx returns the context that determines whether a slash after
>> +the  // given run of tokens starts a regular expression instead of a
>> +division  // operator: / or /=.
>> +@@ -26,7 +31,8 @@ import (
>> + // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
>> + //
>> +https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
>> + func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
>> +-      s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
>> ++      // Trim all JS whitespace characters
>> ++      s = bytes.TrimRight(s, jsWhitespace)
>> +       if len(s) == 0 {
>> +               return preceding
>> +       }
>> +diff --git a/src/html/template/js_test.go
>> +b/src/html/template/js_test.go index d7ee47b..8f5d76d 100644
>> +--- a/src/html/template/js_test.go
>> ++++ b/src/html/template/js_test.go
>> +@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) {
>> +               {jsCtxDivOp, "0"},
>> +               // Dots that are part of a number are div preceders.
>> +               {jsCtxDivOp, "0."},
>> ++              // Some JS interpreters treat NBSP as a normal space, so
>> ++              // we must too in order to properly escape things.
>> ++              {jsCtxRegexp, "=\u00A0"},
>> +       }
>> +
>> +       for _, test := range tests {
>> +-              if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx {
>> +-                      t.Errorf("want %s got %q", test.jsCtx, test.s)
>> ++              if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx {
>> ++                      t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
>> +               }
>> +-              if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx {
>> +-                      t.Errorf("want %s got %q", test.jsCtx, test.s)
>> ++              if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx {
>> ++                      t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
>> +               }
>> +       }
>> +
>> +--
>> +2.40.0
>> +
>> --
>> 2.40.0
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#181673): https://lists.openembedded.org/g/openembedded-core/message/181673
>> Mute This Topic: https://lists.openembedded.org/mt/99103273/3620601
>> Group Owner: openembedded-core+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index d7cb47ebf4..e5e9d841c4 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -30,6 +30,7 @@  SRC_URI += "\
     file://CVE-2023-24537.patch \
     file://CVE-2023-24534.patch \
     file://CVE-2023-24538.patch \
+    file://CVE-2023-24540.patch \
 "
 SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
new file mode 100644
index 0000000000..4ed9ba7096
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch
@@ -0,0 +1,93 @@ 
+From 2305cdb2aa5ac8e9960bd64e548a119c7dd87530 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Tue, 11 Apr 2023 16:27:43 +0100
+Subject: [PATCH] html/template: handle all JS whitespace characters
+
+Rather than just a small set. Character class as defined by \s [0].
+
+Thanks to Juho Nurminen of Mattermost for reporting this.
+
+For #59721
+Fixes  #59813
+Fixes CVE-2023-24540
+
+[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes
+
+Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491355
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+TryBot-Bypass: Carlos Amedee <carlos@golang.org>
+Run-TryBot: Carlos Amedee <carlos@golang.org>
+
+CVE: CVE-2023-24540
+Upstream-Status: Backport [ce7bd33345416e6d8cac901792060591cafc2797]
+
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ src/html/template/js.go      |  8 +++++++-
+ src/html/template/js_test.go | 11 +++++++----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index b888eaf..35994f0 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -13,6 +13,11 @@ import (
+ 	"unicode/utf8"
+ )
+ 
++// jsWhitespace contains all of the JS whitespace characters, as defined
++// by the \s character class.
++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes.
++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff"
++
+ // nextJSCtx returns the context that determines whether a slash after the
+ // given run of tokens starts a regular expression instead of a division
+ // operator: / or /=.
+@@ -26,7 +31,8 @@ import (
+ // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
+ // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
+ func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
+-	s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
++	// Trim all JS whitespace characters
++	s = bytes.TrimRight(s, jsWhitespace)
+ 	if len(s) == 0 {
+ 		return preceding
+ 	}
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index d7ee47b..8f5d76d 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) {
+ 		{jsCtxDivOp, "0"},
+ 		// Dots that are part of a number are div preceders.
+ 		{jsCtxDivOp, "0."},
++		// Some JS interpreters treat NBSP as a normal space, so
++		// we must too in order to properly escape things.
++		{jsCtxRegexp, "=\u00A0"},
+ 	}
+ 
+ 	for _, test := range tests {
+-		if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx {
+-			t.Errorf("want %s got %q", test.jsCtx, test.s)
++		if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx {
++			t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ 		}
+-		if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx {
+-			t.Errorf("want %s got %q", test.jsCtx, test.s)
++		if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx {
++			t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ 		}
+ 	}
+ 
+-- 
+2.40.0
+

[kirkstone] go: fix CVE-2023-24540

Commit Message

Comments

Patch