-
Notifications
You must be signed in to change notification settings - Fork 564
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[AUTO-CHERRYPICK] Patch gh for CVE-2024-45338 - branch main (#11908)
Co-authored-by: Sumedh Alok Sharma <[email protected]>
- Loading branch information
1 parent
28d0c3e
commit 42d7e61
Showing
2 changed files
with
86 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 | ||
| From: Roland Shoemaker <[email protected]> | ||
| Date: Wed, 04 Dec 2024 09:35:55 -0800 | ||
| Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves | ||
|
|
||
| Instead of using strings.ToLower and == to check case insensitive | ||
| equality, just use strings.EqualFold, even when the strings are only | ||
| ASCII. This prevents us unnecessarily lowering extremely long strings, | ||
| which can be a somewhat expensive operation, even if we're only | ||
| attempting to compare equality with five characters. | ||
|
|
||
| Thanks to Guido Vranken for reporting this issue. | ||
|
|
||
| Fixes golang/go#70906 | ||
| Fixes CVE-2024-45338 | ||
|
|
||
| Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 | ||
| Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 | ||
| LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
| Auto-Submit: Gopher Robot <[email protected]> | ||
| Reviewed-by: Roland Shoemaker <[email protected]> | ||
| Reviewed-by: Tatiana Bradley <[email protected]> | ||
| --- | ||
| vendor/golang.org/x/net/html/doctype.go | 2 +- | ||
| vendor/golang.org/x/net/html/foreign.go | 3 +-- | ||
| vendor/golang.org/x/net/html/parse.go | 4 ++-- | ||
| 3 files changed, 4 insertions(+), 5 deletions(-) | ||
|
|
||
| diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go | ||
| index c484e5a..bca3ae9 100644 | ||
| --- a/vendor/golang.org/x/net/html/doctype.go | ||
| +++ b/vendor/golang.org/x/net/html/doctype.go | ||
| @@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { | ||
| } | ||
| } | ||
| if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && | ||
| - strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { | ||
| + strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { | ||
| quirks = true | ||
| } | ||
| } | ||
| diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go | ||
| index 9da9e9d..e8515d8 100644 | ||
| --- a/vendor/golang.org/x/net/html/foreign.go | ||
| +++ b/vendor/golang.org/x/net/html/foreign.go | ||
| @@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { | ||
| if n.Data == "annotation-xml" { | ||
| for _, a := range n.Attr { | ||
| if a.Key == "encoding" { | ||
| - val := strings.ToLower(a.Val) | ||
| - if val == "text/html" || val == "application/xhtml+xml" { | ||
| + if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { | ||
| return true | ||
| } | ||
| } | ||
| diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go | ||
| index 038941d..cb012d8 100644 | ||
| --- a/vendor/golang.org/x/net/html/parse.go | ||
| +++ b/vendor/golang.org/x/net/html/parse.go | ||
| @@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { | ||
| if p.tok.DataAtom == a.Input { | ||
| for _, t := range p.tok.Attr { | ||
| if t.Key == "type" { | ||
| - if strings.ToLower(t.Val) == "hidden" { | ||
| + if strings.EqualFold(t.Val, "hidden") { | ||
| // Skip setting framesetOK = false | ||
| return true | ||
| } | ||
| @@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { | ||
| return inHeadIM(p) | ||
| case a.Input: | ||
| for _, t := range p.tok.Attr { | ||
| - if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { | ||
| + if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { | ||
| p.addElement() | ||
| p.oe.pop() | ||
| return true | ||
| -- | ||
| 2.25.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| Summary: GitHub official command line tool | ||
| Name: gh | ||
| Version: 2.13.0 | ||
| Release: 23%{?dist} | ||
| Release: 24%{?dist} | ||
| License: MIT | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Mariner | ||
|
|
@@ -32,6 +32,7 @@ Patch0: fix-relative-time-search-tests.patch | |
| Patch1: CVE-2021-43565.patch | ||
| Patch2: CVE-2022-32149.patch | ||
| Patch3: CVE-2024-54132.patch | ||
| Patch4: CVE-2024-45338.patch | ||
|
|
||
| BuildRequires: golang | ||
| BuildRequires: git | ||
|
|
@@ -44,11 +45,8 @@ GitHub official command line tool. | |
|
|
||
| %prep | ||
| %setup -q -n cli-%{version} | ||
| %patch0 -p1 | ||
| tar --no-same-owner -xf %{SOURCE1} | ||
| %patch1 -p1 | ||
| %patch2 -p1 | ||
| %patch3 -p1 | ||
| %autopatch -p1 | ||
|
|
||
| %build | ||
| export GOPATH=%{our_gopath} | ||
|
|
@@ -79,6 +77,9 @@ make test | |
| %{_datadir}/zsh/site-functions/_gh | ||
|
|
||
| %changelog | ||
| * Fri Jan 03 2025 Sumedh Sharma <[email protected]> - 2.13.0-24 | ||
| - Add patch for CVE-2024-45338. | ||
|
|
||
| * Fri Dec 13 2024 Sandeep Karambelkar <[email protected]> - 2.13.0-23 | ||
| - Patch CVE-2024-54132 | ||
|
|
||
|
|
||