packages/podman
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-3978

Browse Source
This commit is contained in:
bwzhang 2024-04-28 10:51:03 +08:00
parent b2bd47b14a
commit f06ff907f1
2 changed files with 94 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
0002-fix-CVE-2023-3978.patch Normal file
View File

@ -0,0 +1,85 @@
From 68b7c3ea0659978cf70ed592a73b2b5c2e0632e1 Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Sun, 28 Apr 2024 10:46:26 +0800
Subject: [PATCH] fix CVE-2023-3978
html: only render content literally in the HTML namespace
Per the WHATWG HTML specification, section 13.3, only append the literal
content of a text node if we are in the HTML namespace.
Thanks to Mohammad Thoriq Aziz for reporting this issue.
Fixes golang/go#61615
Fixes CVE-2023-3978
Change-Id: I332152904d4e7646bd2441602bcbe591fc655fa4
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1942896
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/514896
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
---
.../vendor/golang.org/x/net/html/render.go | 28 ++++++++++++++++---
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go
index d34564f..5914410 100644
--- a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go
+++ b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/net/html/render.go
@@ -191,9 +191,8 @@ func render1(w writer, n *Node) error {
}
}
- // Render any child nodes.
- switch n.Data {
- case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
+ // Render any child nodes
+ if childTextNodesAreLiteral(n) {
for c := n.FirstChild; c != nil; c = c.NextSibling {
if c.Type == TextNode {
if _, err := w.WriteString(c.Data); err != nil {
@@ -210,7 +209,7 @@ func render1(w writer, n *Node) error {
// last element in the file, with no closing tag.
return plaintextAbort
}
- default:
+ } else {
for c := n.FirstChild; c != nil; c = c.NextSibling {
if err := render1(w, c); err != nil {
return err
@@ -228,6 +227,27 @@ func render1(w writer, n *Node) error {
return w.WriteByte('>')
}
+func childTextNodesAreLiteral(n *Node) bool {
+ // Per WHATWG HTML 13.3, if the parent of the current node is a style,
+ // script, xmp, iframe, noembed, noframes, or plaintext element, and the
+ // current node is a text node, append the value of the node's data
+ // literally. The specification is not explicit about it, but we only
+ // enforce this if we are in the HTML namespace (i.e. when the namespace is
+ // "").
+ // NOTE: we also always include noscript elements, although the
+ // specification states that they should only be rendered as such if
+ // scripting is enabled for the node (which is not something we track).
+ if n.Namespace != "" {
+ return false
+ }
+ switch n.Data {
+ case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
+ return true
+ default:
+ return false
+ }
+}
+
// writeQuoted writes s to w surrounded by quotes. Normally it will use double
// quotes, but if s contains a double quote, it will use single quotes.
// It is used for writing the identifiers in a doctype declaration.
--
2.20.1

10
podman.spec
View File

@ -2,7 +2,7 @@
Name: podman Name: podman
Version: 4.9.4 Version: 4.9.4
Release: 5 Release: 6
Summary: A tool for managing OCI containers and pods. Summary: A tool for managing OCI containers and pods.
Epoch: 1 Epoch: 1
License: Apache-2.0 and MIT License: Apache-2.0 and MIT
@ -14,6 +14,7 @@ Source3: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.ta
Patch0: 0001-podman-4.9.4-add-support-for-loongarch64.patch Patch0: 0001-podman-4.9.4-add-support-for-loongarch64.patch
Patch0001: 0001-fix-CVE-2024-28180.patch Patch0001: 0001-fix-CVE-2024-28180.patch
Patch0002: 0002-fix-CVE-2023-3978.patch
BuildRequires: gcc golang btrfs-progs-devel glib2-devel glibc-devel glibc-static BuildRequires: gcc golang btrfs-progs-devel glib2-devel glibc-devel glibc-static
BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel
@ -116,6 +117,7 @@ sed -i 's;@@PODMAN@@\;$(BINDIR);@@PODMAN@@\;%{_bindir};' Makefile
%patch0001 -p1 %patch0001 -p1
# untar dnsname # untar dnsname
tar zxf %{SOURCE1} tar zxf %{SOURCE1}
%patch0002 -p1
# untar %%{name}-gvproxy # untar %%{name}-gvproxy
tar zxf %{SOURCE2} tar zxf %{SOURCE2}
# untar go-md2man # untar go-md2man
@ -293,6 +295,12 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
%{_bindir}/%{name}sh %{_bindir}/%{name}sh
%changelog %changelog
* Sun Apr 28 2024 zhangbowei <zhangbowei@kylinos.cn> - 1:4.9.4-6
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: fix CVE-2023-3978
* Wed Apr 24 2024 zhangbowei <zhangbowei@kylinos.cn> - 1:4.9.4-5 * Wed Apr 24 2024 zhangbowei <zhangbowei@kylinos.cn> - 1:4.9.4-5
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA