Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch vitess for CVE-2024-45338 #11747

Open
wants to merge 1 commit into
base: fasttrack/2.0
Choose a base branch
from
Open

Patch vitess for CVE-2024-45338 #11747

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 80 additions & 0 deletions SPECS/vitess/CVE-2024-45338.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <[email protected]>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves

Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.

Thanks to Guido Vranken for reporting this issue.

Fixes golang/go#70906
Fixes CVE-2024-45338

Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89ed..5b8374b 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1

6 changes: 5 additions & 1 deletion SPECS/vitess/vitess.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@

Name: vitess
Version: 17.0.7
Release: 2%{?dist}
Release: 3%{?dist}
Summary: Database clustering system for horizontal scaling of MySQL
# Upstream license specification: MIT and Apache-2.0
License: MIT and ASL 2.0
Expand All @@ -26,6 +26,7 @@ Source0: %{name}-%{version}.tar.gz
# -cf %%{name}-%%{version}-vendor.tar.gz vendor
#
Source1: %{name}-%{version}-vendor.tar.gz
Patch0: CVE-2024-45338.patch
BuildRequires: golang

%description
Expand Down Expand Up @@ -103,6 +104,9 @@ go check -t go/cmd \
%{_bindir}/*

%changelog
* Thu Jan 02 2025 Sumedh Sharma <[email protected]> - 17.0.7-3
- Add patch for CVE-2024-45338.

* Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 17.0.7-2
- Bump release to rebuild with go 1.22.7

Expand Down
Loading