-
Notifications
You must be signed in to change notification settings - Fork 563
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Patch containerized-data-importer for CVE-2024-45338 (#11778)
Co-authored-by: jslobodzian <[email protected]>
- Loading branch information
1 parent
bd7017f
commit ee194d9
Showing
2 changed files
with
85 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 | ||
| From: Roland Shoemaker <[email protected]> | ||
| Date: Wed, 04 Dec 2024 09:35:55 -0800 | ||
| Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves | ||
|
|
||
| Instead of using strings.ToLower and == to check case insensitive | ||
| equality, just use strings.EqualFold, even when the strings are only | ||
| ASCII. This prevents us unnecessarily lowering extremely long strings, | ||
| which can be a somewhat expensive operation, even if we're only | ||
| attempting to compare equality with five characters. | ||
|
|
||
| Thanks to Guido Vranken for reporting this issue. | ||
|
|
||
| Fixes golang/go#70906 | ||
| Fixes CVE-2024-45338 | ||
|
|
||
| Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 | ||
| Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 | ||
| LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
| Auto-Submit: Gopher Robot <[email protected]> | ||
| Reviewed-by: Roland Shoemaker <[email protected]> | ||
| Reviewed-by: Tatiana Bradley <[email protected]> | ||
| --- | ||
| vendor/golang.org/x/net/html/doctype.go | 2 +- | ||
| vendor/golang.org/x/net/html/foreign.go | 3 +-- | ||
| vendor/golang.org/x/net/html/parse.go | 4 ++-- | ||
| 3 files changed, 4 insertions(+), 5 deletions(-) | ||
|
|
||
| diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go | ||
| index c484e5a..bca3ae9 100644 | ||
| --- a/vendor/golang.org/x/net/html/doctype.go | ||
| +++ b/vendor/golang.org/x/net/html/doctype.go | ||
| @@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { | ||
| } | ||
| } | ||
| if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && | ||
| - strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { | ||
| + strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { | ||
| quirks = true | ||
| } | ||
| } | ||
| diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go | ||
| index 9da9e9d..e8515d8 100644 | ||
| --- a/vendor/golang.org/x/net/html/foreign.go | ||
| +++ b/vendor/golang.org/x/net/html/foreign.go | ||
| @@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { | ||
| if n.Data == "annotation-xml" { | ||
| for _, a := range n.Attr { | ||
| if a.Key == "encoding" { | ||
| - val := strings.ToLower(a.Val) | ||
| - if val == "text/html" || val == "application/xhtml+xml" { | ||
| + if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { | ||
| return true | ||
| } | ||
| } | ||
| diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go | ||
| index 038941d..cb012d8 100644 | ||
| --- a/vendor/golang.org/x/net/html/parse.go | ||
| +++ b/vendor/golang.org/x/net/html/parse.go | ||
| @@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { | ||
| if p.tok.DataAtom == a.Input { | ||
| for _, t := range p.tok.Attr { | ||
| if t.Key == "type" { | ||
| - if strings.ToLower(t.Val) == "hidden" { | ||
| + if strings.EqualFold(t.Val, "hidden") { | ||
| // Skip setting framesetOK = false | ||
| return true | ||
| } | ||
| @@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { | ||
| return inHeadIM(p) | ||
| case a.Input: | ||
| for _, t := range p.tok.Attr { | ||
| - if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { | ||
| + if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { | ||
| p.addElement() | ||
| p.oe.pop() | ||
| return true | ||
| -- | ||
| 2.25.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -18,7 +18,7 @@ | |
| Summary: Container native virtualization | ||
| Name: containerized-data-importer | ||
| Version: 1.55.0 | ||
| Release: 21%{?dist} | ||
| Release: 22%{?dist} | ||
| License: ASL 2.0 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -38,6 +38,7 @@ Patch1: CVE-2024-3727.patch | |
| Patch2: CVE-2022-41717.patch | ||
| Patch3: CVE-2022-32149.patch | ||
| Patch4: CVE-2024-28180.patch | ||
| Patch5: CVE-2024-45338.patch | ||
|
|
||
| %description | ||
| Containerized-Data-Importer (CDI) is a persistent storage management add-on for Kubernetes | ||
|
|
@@ -205,6 +206,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m | |
| %{_datadir}/cdi/manifests | ||
|
|
||
| %changelog | ||
| * Mon Jan 06 2025 Sumedh Sharma <[email protected]> - 1.55.0-22 | ||
| - Add patch for CVE-2024-45338 | ||
|
|
||
| * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 1.55.0-21 | ||
| - Bump release to rebuild with go 1.22.7 | ||
|
|
||
|
|
||