[AUTO-CHERRYPICK] Patch cf-cli for CVE-2024-45338 - branch main (#11852)
Co-authored-by: Sumedh Alok Sharma <sumsharma@microsoft.com>
This commit is contained in:
Родитель
af479ee657
Коммит
cb5331b673
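--- /dev/null
+++ b/CVE-2024-45338.patch
@@ -0,0 +1,80 @@
+From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 04 Dec 2024 09:35:55 -0800
+Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
+
+Instead of using strings.ToLower and == to check case insensitive
+equality, just use strings.EqualFold, even when the strings are only
+ASCII. This prevents us unnecessarily lowering extremely long strings,
+which can be a somewhat expensive operation, even if we're only
+attempting to compare equality with five characters.
+
+Thanks to Guido Vranken for reporting this issue.
+
+Fixes golang/go#70906
+Fixes CVE-2024-45338
+
+Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
+Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+---
+vendor/golang.org/x/net/html/doctype.go | 2 +-
+vendor/golang.org/x/net/html/foreign.go | 3 +--
+vendor/golang.org/x/net/html/parse.go | 4 ++--
+3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/vendor/golang.org/x/net/html/doctype.go
++++ b/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+}
+}
+if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+quirks = true
+}
+}
+diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/vendor/golang.org/x/net/html/foreign.go
++++ b/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+if n.Data == "annotation-xml" {
+for _, a := range n.Attr {
+if a.Key == "encoding" {
+- val := strings.ToLower(a.Val)
+- if val == "text/html" || val == "application/xhtml+xml" {
++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+return true
+}
+}
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 038941d..cb012d8 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+if p.tok.DataAtom == a.Input {
+for _, t := range p.tok.Attr {
+if t.Key == "type" {
+- if strings.ToLower(t.Val) == "hidden" {
++ if strings.EqualFold(t.Val, "hidden") {
+// Skip setting framesetOK = false
+return true
+}
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+return inHeadIM(p)
+case a.Input:
+for _, t := range p.tok.Attr {
+- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+p.addElement()
+p.oe.pop()
+return true
+--
+2.25.1
+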
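Review bot: The backport rewrites the vendored golang.org/x/net/html sources in place but, per the diffstat in the patch, touches neither vendor/modules.txt nor go.mod, so the recorded x/net module version still predates the fix and module-based scanners (govulncheck, SBOM/CVE matchers) will keep flagging CVE-2024-45338 against this build even though the parser is patched. That is normal for a distro backport, but it should be recorded where the advisory tooling looks (a VEX/"not affected"-style annotation or the package's CVE tracking entry) rather than only in the changelog. It is also worth confirming that the three hunks applied without fuzz to the x/net revision actually vendored in cf-cli 8.4.0, since the `index c484e5a..`, `9da9e9d..` and `038941d..` blob ids come from upstream rather than this tree, and that no other `strings.ToLower(x) == "..."` comparison on attacker-controlled attribute values remains in that vendored html package, because the cost of lowering an arbitrarily long value before comparing it is exactly what the CVE is about.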
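--- a/cf-cli.spec
+++ b/cf-cli.spec
@@ -1,7 +1,7 @@
 Summary: The official command line client for Cloud Foundry.
 Name: cf-cli
 Version: 8.4.0
-Release: 22%{?dist}
+Release: 23%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -34,6 +34,7 @@ Patch2: CVE-2021-43565.patch
 # git checkout 434eadcdbc3b0256971992e8c70027278364c72c && git format-patch -1 HEAD
 Patch3: CVE-2022-32149.patch
 Patch4: CVE-2024-24786.patch
+Patch5: CVE-2024-45338.patch
 
 BuildRequires: golang
 %global debug_package %{nil}
@@ -68,6 +69,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf
 %{_bindir}/cf
 
 %changelog
+* Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 8.4.0-23
+- Add patch for CVE-2024-45338
+
 * Wed Dec 04 2024 bhapathak <bhapathak@microsoft.com> - 8.4.0-22
 - Patch CVE-2024-24786
 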
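Review bot: The new `Patch5: CVE-2024-45338.patch` line carries no provenance, whereas Patch3 just above it records the exact upstream checkout it was generated from; add a comment such as `# Backport of golang.org/x/net commit 8e66b04771e35c4e4125e8c60334b34e2423effb (https://go-review.googlesource.com/c/net/+/637536), paths prefixed with vendor/` so the next rebase can re-derive or drop it. The %prep section is outside these hunks, so confirm it actually applies the new patch (e.g. `%autosetup -p1` or an explicit `%patch5 -p1`); a Patch tag alone applies nothing, and a build that silently skipped it would ship the unpatched html parser under a changelog that claims the fix. The changelog entry would also be easier to search if it named the component, e.g. `- Add patch for CVE-2024-45338 (golang.org/x/net/html)`.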