Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch influxdb for CVE-2024-45338 #11766

Open
wants to merge 1 commit into
base: fasttrack/2.0
Choose a base branch
from
Open

Patch influxdb for CVE-2024-45338 #11766

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 80 additions & 0 deletions SPECS/influxdb/CVE-2024-45338.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <[email protected]>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves

Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.

Thanks to Guido Vranken for reporting this issue.

Fixes golang/go#70906
Fixes CVE-2024-45338

Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 038941d..cb012d8 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1

6 changes: 5 additions & 1 deletion SPECS/influxdb/influxdb.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
Summary: Scalable datastore for metrics, events, and real-time analytics
Name: influxdb
Version: 2.6.1
Release: 18%{?dist}
Release: 19%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -58,6 +58,7 @@ Source6: influxdb-user.conf
Patch0: CVE-2024-6104.patch
Patch1: CVE-2022-32149.patch
Patch2: CVE-2024-24786.patch
Patch3: CVE-2024-45338.patch
BuildRequires: clang
BuildRequires: golang <= 1.18.8
BuildRequires: kernel-headers
Expand Down Expand Up @@ -147,6 +148,9 @@ go test ./...
%{_tmpfilesdir}/influxdb.conf

%changelog
* Fri Jan 03 2025 Sumedh Sharma <[email protected]> - 2.6.1-19
- Add patch for CVE-2024-45338

* Mon Dec 09 2024 Kavya Sree Kaitepalli <[email protected]> - 2.6.1-18
- Patch for CVE-2024-24786

Expand Down
Loading