diff options
author | Patrick Williams <patrick@stwcx.xyz> | 2023-06-15 01:50:09 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2023-06-15 01:56:06 +0300 |
commit | c2858f16b31b065f92c42c838cf21d3592bc06e7 (patch) | |
tree | 58ffae2ee30976a58733f0ad4a3e6950b4258987 /poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch | |
parent | 841583d6ba5918b60868b708ff0b89cf0409efa7 (diff) | |
download | openbmc-c2858f16b31b065f92c42c838cf21d3592bc06e7.tar.xz |
subtree updatesdunfell
poky: a631bfc3a3..733d919af4:
Alex Kiernan (2):
pypi.bbclass: Set CVE_PRODUCT to PYPI_PACKAGE
openssh: Move sshdgenkeys.service to sshd.socket
Arturo Buzarra (1):
run-postinsts: Set dependency for ldconfig to avoid boot issues
Ashish Sharma (2):
connman: Fix CVE-2023-28488 DoS in client.c
golang: Fix CVE-2023-24539
Bruce Ashfield (5):
linux-yocto/5.4: update to v5.4.238
linux-yocto/5.4: update to v5.4.240
linux-yocto/5.4: update to v5.4.241
linux-yocto/5.4: update to v5.4.242
linux-yocto/5.4: update to v5.4.243
Dmitry Baryshkov (1):
linux-firmware: upgrade 20230210 -> 20230404
Hitendra Prajapati (2):
git: fix CVE-2023-29007
git: fix CVE-2023-25652
Khem Raj (1):
perf: Depend on native setuptools3
Marek Vasut (1):
cpio: Fix wrong CRC with ASCII CRC for large files
Martin Jansa (1):
populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO override
Nikhil R (1):
ffmpeg: Fix CVE-2022-48434
Peter Marko (1):
libxml2: patch CVE-2023-28484 and CVE-2023-29469
Randolph Sapp (1):
wic/bootimg-efi: if fixed-size is set then use that for mkdosfs
Ranjitsinh Rathod (1):
libbsd: Add correct license for all packages
Shubham Kulkarni (1):
go: Security fix for CVE-2023-24538
Siddharth (1):
curl: ammend fix for CVE-2023-27534 to fix error when ssh is enabled
Steve Sakoman (1):
selftest: skip virgl test on ubuntu 22.10, fedora 37, and all rocky
Thomas Roos (1):
oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set
Vijay Anusuri (3):
ghostscript: Fix CVE-2023-28879
xserver-xorg: Security fix CVE-2023-0494 and CVE-2023-1393
go: Security fix CVE-2023-24540
Vivek Kumbhar (1):
freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c
Yoann Congal (1):
linux-yocto: Exclude 294 CVEs already fixed upstream
meta-openembedded: 7007d14c25..116bfe8d5e:
Alex Yao (1):
lcov: Fix Perl Path
Hitendra Prajapati (1):
multipath-tools: CVE-2022-41973 Symlink attack multipathd operates insecurely
Hugo SIMELIERE (3):
openvpn: add CVE-2020-7224 and CVE-2020-27569 to allowlist
openvpn: upgrade 2.4.9 -> 2.4.12
libmodbus: Fix CVE-2022-0367
Jack Mitchell (2):
nss: backport fix for native build failure due to implicit casting with gcc13
nss: backport fix for native build failure due to dangling pointer with gcc13
Narpat Mali (1):
nodejs: make 14.18.1 available but not default
Valeria Petrov (1):
apache2: upgrade 2.4.56 -> 2.4.57
Viktor Rosendahl (1):
jsoncpp: Fix broken handling of escape characters
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I8260e0168ea1ddec7ee03555e4f5653155e0ab45
Diffstat (limited to 'poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch')
-rw-r--r-- | poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch | 196 |
1 files changed, 196 insertions, 0 deletions
diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch new file mode 100644 index 0000000000..5036f2890b --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch @@ -0,0 +1,196 @@ +From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001 +From: empijei <robclap8@gmail.com> +Date: Fri, 27 Mar 2020 19:27:55 +0100 +Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes + for JSON compatibility +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The existing implementation is not compatible with JSON +escape as it uses hex escaping. +Unicode escape, instead, is valid for both JSON and JS. +This fix avoids creating a separate escaping context for +scripts of type "application/ld+json" and it is more +future-proof in case more JSON+JS contexts get added +to the platform (e.g. import maps). + +Fixes #33671 +Fixes #37634 + +Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543 +Reviewed-on: https://go-review.googlesource.com/c/go/+/226097 +Reviewed-by: Carl Johnson <me@carlmjohnson.net> +Reviewed-by: Daniel Martà <mvdan@mvdan.cc> +Run-TryBot: Daniel Martà <mvdan@mvdan.cc> +TryBot-Result: Gobot Gobot <gobot@golang.org> + +Dependency Patch #2 + +Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072ddacea0e0d6b55fb148fff18070 +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/html/template/js.go | 70 +++++++++++++++++++++++++++------------------- + src/text/template/funcs.go | 8 +++--- + 2 files changed, 46 insertions(+), 32 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go +index 0e91458..ea9c183 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -163,7 +163,6 @@ func jsValEscaper(args ...interface{}) string { + } + // TODO: detect cycles before calling Marshal which loops infinitely on + // cyclic data. This may be an unacceptable DoS risk. +- + b, err := json.Marshal(a) + if err != nil { + // Put a space before comment so that if it is flush against +@@ -178,8 +177,8 @@ func jsValEscaper(args ...interface{}) string { + // TODO: maybe post-process output to prevent it from containing + // "<!--", "-->", "<![CDATA[", "]]>", or "</script" + // in case custom marshalers produce output containing those. +- +- // TODO: Maybe abbreviate \u00ab to \xab to produce more compact output. ++ // Note: Do not use \x escaping to save bytes because it is not JSON compatible and this escaper ++ // supports ld+json content-type. + if len(b) == 0 { + // In, `x=y/{{.}}*z` a json.Marshaler that produces "" should + // not cause the output `x=y/*z`. +@@ -260,6 +259,8 @@ func replace(s string, replacementTable []string) string { + r, w = utf8.DecodeRuneInString(s[i:]) + var repl string + switch { ++ case int(r) < len(lowUnicodeReplacementTable): ++ repl = lowUnicodeReplacementTable[r] + case int(r) < len(replacementTable) && replacementTable[r] != "": + repl = replacementTable[r] + case r == '\u2028': +@@ -283,67 +284,80 @@ func replace(s string, replacementTable []string) string { + return b.String() + } + ++var lowUnicodeReplacementTable = []string{ ++ 0: `\u0000`, 1: `\u0001`, 2: `\u0002`, 3: `\u0003`, 4: `\u0004`, 5: `\u0005`, 6: `\u0006`, ++ '\a': `\u0007`, ++ '\b': `\u0008`, ++ '\t': `\t`, ++ '\n': `\n`, ++ '\v': `\u000b`, // "\v" == "v" on IE 6. ++ '\f': `\f`, ++ '\r': `\r`, ++ 0xe: `\u000e`, 0xf: `\u000f`, 0x10: `\u0010`, 0x11: `\u0011`, 0x12: `\u0012`, 0x13: `\u0013`, ++ 0x14: `\u0014`, 0x15: `\u0015`, 0x16: `\u0016`, 0x17: `\u0017`, 0x18: `\u0018`, 0x19: `\u0019`, ++ 0x1a: `\u001a`, 0x1b: `\u001b`, 0x1c: `\u001c`, 0x1d: `\u001d`, 0x1e: `\u001e`, 0x1f: `\u001f`, ++} ++ + var jsStrReplacementTable = []string{ +- 0: `\0`, ++ 0: `\u0000`, + '\t': `\t`, + '\n': `\n`, +- '\v': `\x0b`, // "\v" == "v" on IE 6. ++ '\v': `\u000b`, // "\v" == "v" on IE 6. + '\f': `\f`, + '\r': `\r`, + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. +- '"': `\x22`, +- '&': `\x26`, +- '\'': `\x27`, +- '+': `\x2b`, ++ '"': `\u0022`, ++ '&': `\u0026`, ++ '\'': `\u0027`, ++ '+': `\u002b`, + '/': `\/`, +- '<': `\x3c`, +- '>': `\x3e`, ++ '<': `\u003c`, ++ '>': `\u003e`, + '\\': `\\`, + } + + // jsStrNormReplacementTable is like jsStrReplacementTable but does not + // overencode existing escapes since this table has no entry for `\`. + var jsStrNormReplacementTable = []string{ +- 0: `\0`, ++ 0: `\u0000`, + '\t': `\t`, + '\n': `\n`, +- '\v': `\x0b`, // "\v" == "v" on IE 6. ++ '\v': `\u000b`, // "\v" == "v" on IE 6. + '\f': `\f`, + '\r': `\r`, + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. +- '"': `\x22`, +- '&': `\x26`, +- '\'': `\x27`, +- '+': `\x2b`, ++ '"': `\u0022`, ++ '&': `\u0026`, ++ '\'': `\u0027`, ++ '+': `\u002b`, + '/': `\/`, +- '<': `\x3c`, +- '>': `\x3e`, ++ '<': `\u003c`, ++ '>': `\u003e`, + } +- + var jsRegexpReplacementTable = []string{ +- 0: `\0`, ++ 0: `\u0000`, + '\t': `\t`, + '\n': `\n`, +- '\v': `\x0b`, // "\v" == "v" on IE 6. ++ '\v': `\u000b`, // "\v" == "v" on IE 6. + '\f': `\f`, + '\r': `\r`, + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. +- '"': `\x22`, ++ '"': `\u0022`, + '$': `\$`, +- '&': `\x26`, +- '\'': `\x27`, ++ '&': `\u0026`, ++ '\'': `\u0027`, + '(': `\(`, + ')': `\)`, + '*': `\*`, +- '+': `\x2b`, ++ '+': `\u002b`, + '-': `\-`, + '.': `\.`, + '/': `\/`, +- '<': `\x3c`, +- '>': `\x3e`, ++ '<': `\u003c`, ++ '>': `\u003e`, + '?': `\?`, + '[': `\[`, + '\\': `\\`, +diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go +index 46125bc..f3de9fb 100644 +--- a/src/text/template/funcs.go ++++ b/src/text/template/funcs.go +@@ -640,10 +640,10 @@ var ( + jsBackslash = []byte(`\\`) + jsApos = []byte(`\'`) + jsQuot = []byte(`\"`) +- jsLt = []byte(`\x3C`) +- jsGt = []byte(`\x3E`) +- jsAmp = []byte(`\x26`) +- jsEq = []byte(`\x3D`) ++ jsLt = []byte(`\u003C`) ++ jsGt = []byte(`\u003E`) ++ jsAmp = []byte(`\u0026`) ++ jsEq = []byte(`\u003D`) + ) + + // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b. +-- +2.7.4 |