Message ID | 20230605032536.17282-1-asharma@mvista.com |
---|---|
State | New, archived |
Headers | show |
Series | [dunfell] golang: Fix CVE-2023-24539 | expand |
This patch will not apply. Based on a quick inspection of your patch I suspect you are using an older version of dunfell. Please send a v2 based on the current dunfell head. Thanks! Steve On Sun, Jun 4, 2023 at 5:25 PM Ashish Sharma <asharma@mvista.com> wrote: > > Fixing of improper sanitization of CSS values in html/template > > Signed-off-by: Ashish Sharma <asharma@mvista.com> > --- > meta/recipes-devtools/go/go-1.14.inc | 1 + > .../go/go-1.14/CVE-2023-24539.patch | 60 +++++++++++++++++++ > 2 files changed, 61 insertions(+) > create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch > > diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc > index f7482f8458..228becdb23 100644 > --- a/meta/recipes-devtools/go/go-1.14.inc > +++ b/meta/recipes-devtools/go/go-1.14.inc > @@ -55,6 +55,7 @@ SRC_URI += "\ > file://CVE-2022-41715.patch \ > file://CVE-2022-41717.patch \ > file://CVE-2022-1962.patch \ > + file://CVE-2023-24539.patch \ > " > > SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch > new file mode 100644 > index 0000000000..1b7d849c23 > --- /dev/null > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch > @@ -0,0 +1,60 @@ > +From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001 > +From: Roland Shoemaker <bracewell@google.com> > +Date: Thu, 13 Apr 2023 15:40:44 -0700 > +Subject: [PATCH] html/template: disallow angle brackets in CSS values > + > +Angle brackets should not appear in CSS contexts, as they may affect > +token boundaries (such as closing a <style> tag, resulting in > +injection). Instead emit filterFailsafe, matching the behavior for other > +dangerous characters. > + > +Thanks to Juho Nurminen of Mattermost for reporting this issue. > + > +Fixes #59720 > +Fixes CVE-2023-24539 > + > +Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 > +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 > +Reviewed-by: Julie Qiu <julieqiu@google.com> > +Run-TryBot: Roland Shoemaker <bracewell@google.com> > +Reviewed-by: Damien Neil <dneil@google.com> > +Reviewed-on: https://go-review.googlesource.com/c/go/+/491615 > +Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> > +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> > +Run-TryBot: Carlos Amedee <carlos@golang.org> > +TryBot-Result: Gopher Robot <gobot@golang.org> > + > +Upstream-Status: Backport [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1] > +CVE: CVE-2023-24539 > +Signed-off-by: Ashish Sharma <asharma@mvista.com> > +--- > + src/html/template/css.go | 2 +- > + src/html/template/css_test.go | 2 ++ > + 2 files changed, 3 insertions(+), 1 deletion(-) > + > +diff --git a/src/html/template/css.go b/src/html/template/css.go > +index 890a0c6b227fe..f650d8b3e843a 100644 > +--- a/src/html/template/css.go > ++++ b/src/html/template/css.go > +@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string { > + // inside a string that might embed JavaScript source. > + for i, c := range b { > + switch c { > +- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}': > ++ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>': > + return filterFailsafe > + case '-': > + // Disallow <!-- or -->. > +diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go > +index a735638b0314f..2b76256a766e9 100644 > +--- a/src/html/template/css_test.go > ++++ b/src/html/template/css_test.go > +@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) { > + {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"}, > + {`-expre\0000073sion`, "-expre\x073sion"}, > + {`@import url evil.css`, "ZgotmplZ"}, > ++ {"<", "ZgotmplZ"}, > ++ {">", "ZgotmplZ"}, > + } > + for _, test := range tests { > + got := cssValueFilter(test.css) > -- > 2.17.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#182371): https://lists.openembedded.org/g/openembedded-core/message/182371 > Mute This Topic: https://lists.openembedded.org/mt/99333673/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index f7482f8458..228becdb23 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -55,6 +55,7 @@ SRC_URI += "\ file://CVE-2022-41715.patch \ file://CVE-2022-41717.patch \ file://CVE-2022-1962.patch \ + file://CVE-2023-24539.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch new file mode 100644 index 0000000000..1b7d849c23 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch @@ -0,0 +1,60 @@ +From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Thu, 13 Apr 2023 15:40:44 -0700 +Subject: [PATCH] html/template: disallow angle brackets in CSS values + +Angle brackets should not appear in CSS contexts, as they may affect +token boundaries (such as closing a <style> tag, resulting in +injection). Instead emit filterFailsafe, matching the behavior for other +dangerous characters. + +Thanks to Juho Nurminen of Mattermost for reporting this issue. + +Fixes #59720 +Fixes CVE-2023-24539 + +Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 +Reviewed-by: Julie Qiu <julieqiu@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/491615 +Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +Run-TryBot: Carlos Amedee <carlos@golang.org> +TryBot-Result: Gopher Robot <gobot@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1] +CVE: CVE-2023-24539 +Signed-off-by: Ashish Sharma <asharma@mvista.com> +--- + src/html/template/css.go | 2 +- + src/html/template/css_test.go | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/html/template/css.go b/src/html/template/css.go +index 890a0c6b227fe..f650d8b3e843a 100644 +--- a/src/html/template/css.go ++++ b/src/html/template/css.go +@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string { + // inside a string that might embed JavaScript source. + for i, c := range b { + switch c { +- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}': ++ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>': + return filterFailsafe + case '-': + // Disallow <!-- or -->. +diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go +index a735638b0314f..2b76256a766e9 100644 +--- a/src/html/template/css_test.go ++++ b/src/html/template/css_test.go +@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) { + {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"}, + {`-expre\0000073sion`, "-expre\x073sion"}, + {`@import url evil.css`, "ZgotmplZ"}, ++ {"<", "ZgotmplZ"}, ++ {">", "ZgotmplZ"}, + } + for _, test := range tests { + got := cssValueFilter(test.css)
Fixing of improper sanitization of CSS values in html/template Signed-off-by: Ashish Sharma <asharma@mvista.com> --- meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2023-24539.patch | 60 +++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch