Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch libcontainers-common for CVE-2024-45338 #11762

Open
wants to merge 1 commit into
base: fasttrack/2.0
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 80 additions & 0 deletions SPECS/libcontainers-common/CVE-2024-45338.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <[email protected]>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves

Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.

Thanks to Guido Vranken for reporting this issue.

Fixes golang/go#70906
Fixes CVE-2024-45338

Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index f91466f..86995f9 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1013,7 +1013,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1441,7 +1441,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1

8 changes: 7 additions & 1 deletion SPECS/libcontainers-common/libcontainers-common.spec
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
Summary: Configuration files common to github.com/containers
Name: libcontainers-common
Version: 20210626
Release: 7%{?dist}
Release: 8%{?dist}
License: ASL 2.0 AND GPLv3
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -54,6 +54,7 @@ Patch2: CVE-2021-43565.patch
Patch3: CVE-2022-32149.patch
Patch4: CVE-2024-3727.patch
Patch5: podman-CVE-2024-3727.patch
Patch6: CVE-2024-45338.patch
BuildRequires: go-go-md2man
Requires(post): grep
Requires(post): util-linux
Expand All @@ -75,11 +76,13 @@ github.com/containers libraries, such as Buildah, CRI-O, Podman and Skopeo.
%patch 5 -p1
%patch 1 -p1
%patch 3 -p1
%patch 6 -p1

%setup -q -T -D -b 9 -n common-%{commonver}
%patch 0 -p1
%patch 3 -p1
%patch 4 -p1
%patch 6 -p1

# copy the LICENSE file in the build root
%patch 2 -p1 -d ../podman-%{podmanver}
Expand Down Expand Up @@ -177,6 +180,9 @@ fi
%license LICENSE

%changelog
* Fri Jan 03 2025 Sumedh Sharma <[email protected]> - 20210626-8
- Add patch for CVE-2024-45338

* Thu Sep 12 2024 Sudipta Pandit <[email protected]> - 20210626-7
- Backport CVE-2024-3727 for all sources from upstream

Expand Down
Loading