diff options
| author | Vivek Kumbhar <vkumbhar@mvista.com> | 2023-05-31 18:43:20 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-06-14 04:16:59 -1000 |
| commit | 15f7694793aa90e882e623ff990903f1286b1260 (patch) | |
| tree | f2d3bd816e8b7082c70b51f187fabe06d609b1d4 /meta/recipes-devtools/go | |
| parent | 3c6eb3977334c414fbf0f9529e79c5d12ddf90d1 (diff) | |
| download | poky-15f7694793aa90e882e623ff990903f1286b1260.tar.gz | |
go: fix CVE-2023-24539 html/template improper sanitization of CSS values
Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
For #59720
Fixes #59811
Fixes CVE-2023-24539
(From OE-Core rev: 0a09194f3d4ad98d0cf0d070ec0c99e7a6c8a158)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/go')
| -rw-r--r-- | meta/recipes-devtools/go/go-1.17.13.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch | 53 |
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc index e5e9d841c4..d430e0669d 100644 --- a/meta/recipes-devtools/go/go-1.17.13.inc +++ b/meta/recipes-devtools/go/go-1.17.13.inc | |||
| @@ -31,6 +31,7 @@ SRC_URI += "\ | |||
| 31 | file://CVE-2023-24534.patch \ | 31 | file://CVE-2023-24534.patch \ |
| 32 | file://CVE-2023-24538.patch \ | 32 | file://CVE-2023-24538.patch \ |
| 33 | file://CVE-2023-24540.patch \ | 33 | file://CVE-2023-24540.patch \ |
| 34 | file://CVE-2023-24539.patch \ | ||
| 34 | " | 35 | " |
| 35 | SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" | 36 | SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" |
| 36 | 37 | ||
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch new file mode 100644 index 0000000000..fa19e18264 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch | |||
| @@ -0,0 +1,53 @@ | |||
| 1 | From e49282327b05192e46086bf25fd3ac691205fe80 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Roland Shoemaker <bracewell@google.com> | ||
| 3 | Date: Thu, 13 Apr 2023 15:40:44 -0700 | ||
| 4 | Subject: [PATCH] [release-branch.go1.19] html/template: disallow angle | ||
| 5 | brackets in CSS values | ||
| 6 | |||
| 7 | Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 | ||
| 8 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 | ||
| 9 | Reviewed-by: Julie Qiu <julieqiu@google.com> | ||
| 10 | Run-TryBot: Roland Shoemaker <bracewell@google.com> | ||
| 11 | Reviewed-by: Damien Neil <dneil@google.com> | ||
| 12 | Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851496 | ||
| 13 | Run-TryBot: Damien Neil <dneil@google.com> | ||
| 14 | Reviewed-by: Roland Shoemaker <bracewell@google.com> | ||
| 15 | Reviewed-on: https://go-review.googlesource.com/c/go/+/491335 | ||
| 16 | Run-TryBot: Carlos Amedee <carlos@golang.org> | ||
| 17 | Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> | ||
| 18 | TryBot-Result: Gopher Robot <gobot@golang.org> | ||
| 19 | |||
| 20 | Upstream-Status: Backport [https://github.com/golang/go/commit/e49282327b05192e46086bf25fd3ac691205fe80] | ||
| 21 | CVE: CVE-2023-24539 | ||
| 22 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
| 23 | --- | ||
| 24 | src/html/template/css.go | 2 +- | ||
| 25 | src/html/template/css_test.go | 2 ++ | ||
| 26 | 2 files changed, 3 insertions(+), 1 deletion(-) | ||
| 27 | |||
| 28 | diff --git a/src/html/template/css.go b/src/html/template/css.go | ||
| 29 | index 890a0c6b227fe..f650d8b3e843a 100644 | ||
| 30 | --- a/src/html/template/css.go | ||
| 31 | +++ b/src/html/template/css.go | ||
| 32 | @@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string { | ||
| 33 | // inside a string that might embed JavaScript source. | ||
| 34 | for i, c := range b { | ||
| 35 | switch c { | ||
| 36 | - case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}': | ||
| 37 | + case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>': | ||
| 38 | return filterFailsafe | ||
| 39 | case '-': | ||
| 40 | // Disallow <!-- or -->. | ||
| 41 | diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go | ||
| 42 | index a735638b0314f..2b76256a766e9 100644 | ||
| 43 | --- a/src/html/template/css_test.go | ||
| 44 | +++ b/src/html/template/css_test.go | ||
| 45 | @@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) { | ||
| 46 | {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"}, | ||
| 47 | {`-expre\0000073sion`, "-expre\x073sion"}, | ||
| 48 | {`@import url evil.css`, "ZgotmplZ"}, | ||
| 49 | + {"<", "ZgotmplZ"}, | ||
| 50 | + {">", "ZgotmplZ"}, | ||
| 51 | } | ||
| 52 | for _, test := range tests { | ||
| 53 | got := cssValueFilter(test.css) | ||
