summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/go
diff options
context:
space:
mode:
authorVivek Kumbhar <vkumbhar@mvista.com>2023-05-31 18:43:20 +0530
committerSteve Sakoman <steve@sakoman.com>2023-06-14 04:16:59 -1000
commit15f7694793aa90e882e623ff990903f1286b1260 (patch)
treef2d3bd816e8b7082c70b51f187fabe06d609b1d4 /meta/recipes-devtools/go
parent3c6eb3977334c414fbf0f9529e79c5d12ddf90d1 (diff)
downloadpoky-15f7694793aa90e882e623ff990903f1286b1260.tar.gz
go: fix CVE-2023-24539 html/template improper sanitization of CSS values
Angle brackets should not appear in CSS contexts, as they may affect token boundaries (such as closing a <style> tag, resulting in injection). Instead emit filterFailsafe, matching the behavior for other dangerous characters. Thanks to Juho Nurminen of Mattermost for reporting this issue. For #59720 Fixes #59811 Fixes CVE-2023-24539 (From OE-Core rev: 0a09194f3d4ad98d0cf0d070ec0c99e7a6c8a158) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/go')
-rw-r--r--meta/recipes-devtools/go/go-1.17.13.inc1
-rw-r--r--meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch53
2 files changed, 54 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index e5e9d841c4..d430e0669d 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -31,6 +31,7 @@ SRC_URI += "\
31 file://CVE-2023-24534.patch \ 31 file://CVE-2023-24534.patch \
32 file://CVE-2023-24538.patch \ 32 file://CVE-2023-24538.patch \
33 file://CVE-2023-24540.patch \ 33 file://CVE-2023-24540.patch \
34 file://CVE-2023-24539.patch \
34" 35"
35SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" 36SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
36 37
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch b/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch
new file mode 100644
index 0000000000..fa19e18264
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch
@@ -0,0 +1,53 @@
1From e49282327b05192e46086bf25fd3ac691205fe80 Mon Sep 17 00:00:00 2001
2From: Roland Shoemaker <bracewell@google.com>
3Date: Thu, 13 Apr 2023 15:40:44 -0700
4Subject: [PATCH] [release-branch.go1.19] html/template: disallow angle
5 brackets in CSS values
6
7Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
8Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
9Reviewed-by: Julie Qiu <julieqiu@google.com>
10Run-TryBot: Roland Shoemaker <bracewell@google.com>
11Reviewed-by: Damien Neil <dneil@google.com>
12Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851496
13Run-TryBot: Damien Neil <dneil@google.com>
14Reviewed-by: Roland Shoemaker <bracewell@google.com>
15Reviewed-on: https://go-review.googlesource.com/c/go/+/491335
16Run-TryBot: Carlos Amedee <carlos@golang.org>
17Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
18TryBot-Result: Gopher Robot <gobot@golang.org>
19
20Upstream-Status: Backport [https://github.com/golang/go/commit/e49282327b05192e46086bf25fd3ac691205fe80]
21CVE: CVE-2023-24539
22Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
23---
24 src/html/template/css.go | 2 +-
25 src/html/template/css_test.go | 2 ++
26 2 files changed, 3 insertions(+), 1 deletion(-)
27
28diff --git a/src/html/template/css.go b/src/html/template/css.go
29index 890a0c6b227fe..f650d8b3e843a 100644
30--- a/src/html/template/css.go
31+++ b/src/html/template/css.go
32@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string {
33 // inside a string that might embed JavaScript source.
34 for i, c := range b {
35 switch c {
36- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
37+ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
38 return filterFailsafe
39 case '-':
40 // Disallow <!-- or -->.
41diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go
42index a735638b0314f..2b76256a766e9 100644
43--- a/src/html/template/css_test.go
44+++ b/src/html/template/css_test.go
45@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) {
46 {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
47 {`-expre\0000073sion`, "-expre\x073sion"},
48 {`@import url evil.css`, "ZgotmplZ"},
49+ {"<", "ZgotmplZ"},
50+ {">", "ZgotmplZ"},
51 }
52 for _, test := range tests {
53 got := cssValueFilter(test.css)