fix CVE-2023-3978
This commit is contained in:
parent
b2bd47b14a
commit
f06ff907f1
85
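--- /dev/null
+++ b/0002-fix-CVE-2023-3978.patch
@@ -0,0 +1,85 @@
+From 68b7c3ea0659978cf70ed592a73b2b5c2e0632e1 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Sun, 28 Apr 2024 10:46:26 +0800
+Subject: [PATCH] fix CVE-2023-3978
+
+html: only render content literally in the HTML namespace
+
+Per the WHATWG HTML specification, section 13.3, only append the literal
+content of a text node if we are in the HTML namespace.
+
+Thanks to Mohammad Thoriq Aziz for reporting this issue.
+
+Fixes golang/go#61615
+Fixes CVE-2023-3978
+
+Change-Id: I332152904d4e7646bd2441602bcbe591fc655fa4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1942896
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/514896
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+---
+.../vendor/golang.org/x/net/html/render.go | 28 ++++++++++++++++---
+1 file changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go
+index d34564f..5914410 100644
+--- a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go
++++ b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go
+@@ -191,9 +191,8 @@ func render1(w writer, n *Node) error {
+}
+}
+
+- // Render any child nodes.
+- switch n.Data {
+- case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
++ // Render any child nodes
++ if childTextNodesAreLiteral(n) {
+for c := n.FirstChild; c != nil; c = c.NextSibling {
+if c.Type == TextNode {
+if _, err := w.WriteString(c.Data); err != nil {
+@@ -210,7 +209,7 @@ func render1(w writer, n *Node) error {
+// last element in the file, with no closing tag.
+return plaintextAbort
+}
+- default:
++ } else {
+for c := n.FirstChild; c != nil; c = c.NextSibling {
+if err := render1(w, c); err != nil {
+return err
+@@ -228,6 +227,27 @@ func render1(w writer, n *Node) error {
+return w.WriteByte('>')
+}
+
++func childTextNodesAreLiteral(n *Node) bool {
++ // Per WHATWG HTML 13.3, if the parent of the current node is a style,
++ // script, xmp, iframe, noembed, noframes, or plaintext element, and the
++ // current node is a text node, append the value of the node's data
++ // literally. The specification is not explicit about it, but we only
++ // enforce this if we are in the HTML namespace (i.e. when the namespace is
++ // "").
++ // NOTE: we also always include noscript elements, although the
++ // specification states that they should only be rendered as such if
++ // scripting is enabled for the node (which is not something we track).
++ if n.Namespace != "" {
++ return false
++ }
++ switch n.Data {
++ case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
++ return true
++ default:
++ return false
++ }
++}
++
+// writeQuoted writes s to w surrounded by quotes. Normally it will use double
+// quotes, but if s contains a double quote, it will use single quotes.
+// It is used for writing the identifiers in a doctype declaration.
+--
+2.20.1
+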
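Review bot: The fix is applied only to the golang.org/x/net/html copy under dnsname-18822f9a…/vendor/, so if the podman tree's own vendor/ directory or the gvproxy tarball unpacked from SOURCE2 also vendors that package (not visible from here), those copies keep the old unconditional `switch n.Data` and remain affected; a quick `grep -rl childTextNodesAreLiteral */vendor/golang.org/x/net/html/render.go` after %prep would confirm coverage. Because the fix is carried as an in-tree patch rather than a module bump, vendor/modules.txt and go.mod in dnsname still record the pre-fix x/net version, so govulncheck and SBOM-driven scanners will continue to report CVE-2023-3978 against this build; a spec comment such as `# CVE-2023-3978 backported into vendored x/net/html; recorded module version unchanged` would spare the next triage. The render.go hunks themselves are the verbatim upstream change, and render1 begins and ends outside the patched hunks.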
10
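--- a/podman.spec
+++ b/podman.spec
@@ -2,7 +2,7 @@
 
 Name: podman
 Version: 4.9.4
-Release: 5
+Release: 6
 Summary: A tool for managing OCI containers and pods.
 Epoch: 1
 License: Apache-2.0 and MIT
@@ -14,6 +14,7 @@ Source3: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.ta
 Patch0: 0001-podman-4.9.4-add-support-for-loongarch64.patch
 
 Patch0001: 0001-fix-CVE-2024-28180.patch
+Patch0002: 0002-fix-CVE-2023-3978.patch
 
 BuildRequires: gcc golang btrfs-progs-devel glib2-devel glibc-devel glibc-static
 BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel
@@ -116,6 +117,7 @@ sed -i 's;@@PODMAN@@\;$(BINDIR);@@PODMAN@@\;%{_bindir};' Makefile
 %patch0001 -p1
 # untar dnsname
 tar zxf %{SOURCE1}
+%patch0002 -p1
 # untar %%{name}-gvproxy
 tar zxf %{SOURCE2}
 # untar go-md2man
@@ -293,6 +295,12 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
 %{_bindir}/%{name}sh
 
 %changelog
+* Sun Apr 28 2024 zhangbowei <zhangbowei@kylinos.cn> - 1:4.9.4-6
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2023-3978
+
 * Wed Apr 24 2024 zhangbowei <zhangbowei@kylinos.cn> - 1:4.9.4-5
 - Type:bugfix
 - CVE:NA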
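Review bot: The new changelog entry records `- Type:bugfix` and `- CVE:NA` while its own DESC line says it fixes CVE-2023-3978, which will hide this release from tooling and reviewers that key on the CVE field; if the spec follows the usual Type/CVE/SUG/DESC convention the entry should read `- Type:CVE` and `- CVE:CVE-2023-3978`. The `%patch0002 -p1` placement after `tar zxf %{SOURCE1}` is correct for the `a/dnsname-<sha>/vendor/...` paths the patch carries, but it also ties the patch to that exact dnsname commit, so a future SOURCE1 bump will need the path prefix regenerated; a one-line comment above it, `# must follow the dnsname untar: patch paths are rooted at dnsname-<sha>/`, would make that dependency explicit.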