On Wed, May 24, 2023 at 3:59 AM Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org <[email protected]> wrote:
>
> Hi Sakib,
>
> It's good to have the full URL link inside the .patch file as below:
> CVE: CVE-2023-24540
> Upstream-Status: Backport
> [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797]
>
>
> It's good to have some information on the CVE specifics in the commit message:
>
> go: Fix CVE-2023-24540
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-24540
>
> Upstream patch:
> https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797
> (go 1.19.9)
I've taken the patch and made the above referenced changes, so no need for a v2.

Thanks for the patch and the review!

Steve

> -----Original Message----- > Backport from go-1.19: > html/template: handle all JS whitespace characters > > Signed-off-by: Sakib Sajal <[email protected]> > --- > meta/recipes-devtools/go/go-1.17.13.inc | 1 + > .../go/go-1.19/CVE-2023-24540.patch | 93 +++++++++++++++++++ > 2 files changed, 94 insertions(+) > create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch > > diff --git a/meta/recipes-devtools/go/go-1.17.13.inc > b/meta/recipes-devtools/go/go-1.17.13.inc > index d7cb47ebf4..e5e9d841c4 100644 > --- a/meta/recipes-devtools/go/go-1.17.13.inc > +++ b/meta/recipes-devtools/go/go-1.17.13.inc > @@ -30,6 +30,7 @@ SRC_URI += "\ > file://CVE-2023-24537.patch \ > file://CVE-2023-24534.patch \ > file://CVE-2023-24538.patch \ > + file://CVE-2023-24540.patch \ > " > SRC_URI[main.sha256sum] = > "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd" > > diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch > b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch > new file mode 100644 > index 0000000000..4ed9ba7096 > --- /dev/null > +++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-24540.patch 
> @@ -0,0 +1,93 @@ > +From 2305cdb2aa5ac8e9960bd64e548a119c7dd87530 Mon Sep 17 00:00:00 2001 > +From: Roland Shoemaker <[email protected]> > +Date: Tue, 11 Apr 2023 16:27:43 +0100 > +Subject: [PATCH] html/template: handle all JS whitespace characters > + > +Rather than just a small set. Character class as defined by \s [0]. > + > +Thanks to Juho Nurminen of Mattermost for reporting this. > + > +For #59721 > +Fixes #59813 > +Fixes CVE-2023-24540 > + > +[0] > +https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_E > +xpressions/Character_Classes > + > +Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba > +Reviewed-on: > +https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 > +Reviewed-by: Julie Qiu <[email protected]> > +Run-TryBot: Roland Shoemaker <[email protected]> > +Reviewed-by: Damien Neil <[email protected]> > +Reviewed-on: > +https://team-review.git.corp.google.com/c/golang/go-private/+/1851497 > +Run-TryBot: Damien Neil <[email protected]> > +Reviewed-by: Roland Shoemaker <[email protected]> > +Reviewed-on: https://go-review.googlesource.com/c/go/+/491355 > +Reviewed-by: Dmitri Shuralyov <[email protected]> > +Reviewed-by: Carlos Amedee <[email protected]> > +TryBot-Bypass: Carlos Amedee <[email protected]> > +Run-TryBot: Carlos Amedee <[email protected]> > + > +CVE: CVE-2023-24540 > +Upstream-Status: Backport [ce7bd33345416e6d8cac901792060591cafc2797] > + > +Signed-off-by: Sakib Sajal <[email protected]> > +--- > + src/html/template/js.go | 8 +++++++- > + src/html/template/js_test.go | 11 +++++++---- > + 2 files changed, 14 insertions(+), 5 deletions(-) > + > +diff --git a/src/html/template/js.go b/src/html/template/js.go index > +b888eaf..35994f0 100644 > +--- a/src/html/template/js.go > ++++ b/src/html/template/js.go > +@@ -13,6 +13,11 @@ import ( > + "unicode/utf8" > + ) > + > ++// jsWhitespace contains all of the JS whitespace characters, as > ++defined // by the \s character class. 
> ++// See > https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes. > ++const jsWhitespace = > "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff" > ++ > + // nextJSCtx returns the context that determines whether a slash after > +the // given run of tokens starts a regular expression instead of a > +division // operator: / or /=. > +@@ -26,7 +31,8 @@ import ( > + // JavaScript 2.0 lexical grammar and requires one token of lookbehind: > + // > +https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html > + func nextJSCtx(s []byte, preceding jsCtx) jsCtx { > +- s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029") > ++ // Trim all JS whitespace characters > ++ s = bytes.TrimRight(s, jsWhitespace) > + if len(s) == 0 { > + return preceding > + } > +diff --git a/src/html/template/js_test.go > +b/src/html/template/js_test.go index d7ee47b..8f5d76d 100644 > +--- a/src/html/template/js_test.go > ++++ b/src/html/template/js_test.go > +@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) { > + {jsCtxDivOp, "0"}, > + // Dots that are part of a number are div preceders. > + {jsCtxDivOp, "0."}, > ++ // Some JS interpreters treat NBSP as a normal space, so > ++ // we must too in order to properly escape things. > ++ {jsCtxRegexp, "=\u00A0"}, > + } > + > + for _, test := range tests { > +- if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx { > +- t.Errorf("want %s got %q", test.jsCtx, test.s) > ++ if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != > test.jsCtx { > ++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, > ctx) > + } > +- if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx { > +- t.Errorf("want %s got %q", test.jsCtx, test.s) > ++ if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != > test.jsCtx { > ++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, > ctx) > + } > + } > + > +-- > +2.40.0 > + > -- > 2.40.0 > > > >
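Review bot: In the go-1.17.13.inc hunk the new `file://CVE-2023-24540.patch` entry resolves to a file created under meta/recipes-devtools/go/go-1.19/ while the recipe being patched is 1.17.13; that follows the pattern of the preceding CVE-2023-24537/24534/24538 entries, but the `index b888eaf..35994f0` blob IDs inside the patch come from the go-1.19 tree, so please confirm do_patch applies it to the 1.17.13 js.go without fuzz and say so in the commit message ("Backport from go-1.19" states the origin, not that it was built and tested against 1.17.13).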
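Review bot: In the new CVE-2023-24540.patch the `From 2305cdb2aa5ac8e9960bd64e548a119c7dd87530` line and the `Upstream-Status: Backport [ce7bd33345416e6d8cac901792060591cafc2797]` line name two different commits without saying which tree each came from; with the full URL https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797 in Upstream-Status, as the reviewer asked, add one line noting what 2305cdb2 refers to so the two hashes do not read as a mismatch to the next person auditing the CVE backports.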
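Review bot: The doc comment on `jsWhitespace` (js.go hunk at @@ -13,6 +13,11 @@) cites only the MDN `\s` page; since the set is deliberately hand-enumerated and differs from Go's unicode.IsSpace in both directions (it contains U+FEFF, which unicode.IsSpace rejects, and omits U+0085, which unicode.IsSpace accepts), a sentence saying that unicode.IsSpace or bytes.TrimSpace must not be substituted here would keep a later cleanup from silently reintroducing the gap.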
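Review bot: The `bytes.TrimRight(s, jsWhitespace)` change (js.go hunk at @@ -26,7 +31,8 @@) is behaviour-preserving for the old cutset and only widens it: bytes.TrimRight decodes the cutset as UTF-8 code points, so the multi-byte members (U+1680, U+2000..U+200A, U+2028/2029, U+202F, U+205F, U+3000, U+FEFF) are stripped as whole characters, exactly as the previous cutset already relied on for \u2028\u2029. The added `// Trim all JS whitespace characters` comment duplicates the const's own doc comment and could be dropped.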
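Review bot: The js_test.go hunk adds only one new case, `{jsCtxRegexp, "=\u00A0"}`, which exercises a single-byte-in-Latin-1 entry and only the regexp-preceder branch; add at least one multi-byte member of the new set, e.g. `{jsCtxRegexp, "=\u3000"}` or `{jsCtxRegexp, "=\ufeff"}`, and one division-preceder case such as `{jsCtxDivOp, "0\u00A0"}`, so both branches of nextJSCtx are covered with the widened cutset. The reworked `%q: want %s got %s` messages, which now report the actual context rather than re-printing the input, are a clear improvement.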
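An added check for the behaviour this backport is meant to fix, written for this page and not taken from the patch or from Go's own test suite: it renders a small html/template (constructed here) whose action follows `var re =`, a separator and a slash inside a <script> block, and compares the escaping produced with an ASCII space against U+00A0 and two other members of the new jsWhitespace set. On a Go build that carries the fix every separator yields the regexp-escaped body `a\.b`; on an unfixed build the non-ASCII separators leave the escaper believing the slash is a division operator and the body comes out as a quoted JS value instead. The names renderScript, escapedBody and nbspHandledLikeSpace are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// renderScript executes a constructed template in which the action sits
// directly after "var re =", a separator and a slash inside <script>.
// html/template must decide whether that slash begins a regexp literal
// (then the action is escaped with the regexp escaper) or a division
// operator (then it is escaped as a JS value, i.e. a quoted string).
func renderScript(sep, data string) (string, error) {
	src := "<script>var re =" + sep + "/{{.}}/;</script>"
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// escapedBody returns what html/template emitted between the slash that
// follows "var re =" and the "/;" that closes the literal, i.e. the
// escaped form of data.
func escapedBody(out string) string {
	i := strings.Index(out, "var re =")
	if i < 0 {
		return ""
	}
	rest := out[i:]
	a := strings.Index(rest, "/")
	b := strings.Index(rest, "/;")
	if a < 0 || b <= a {
		return ""
	}
	return rest[a+1 : b]
}

// nbspHandledLikeSpace reports whether a U+00A0 separator is escaped the
// same way as an ASCII space. With the CVE-2023-24540 fix both give the
// regexp-escaped body; before it the NBSP case is treated as a division
// context and the body comes out JS-value escaped (quoted).
func nbspHandledLikeSpace(data string) (bool, error) {
	withSpace, err := renderScript(" ", data)
	if err != nil {
		return false, err
	}
	withNBSP, err := renderScript("\u00a0", data)
	if err != nil {
		return false, err
	}
	return escapedBody(withSpace) == escapedBody(withNBSP), nil
}

func main() {
	// Separators: ASCII space, NBSP, ideographic space, BOM (all in jsWhitespace).
	for _, sep := range []string{" ", "\u00a0", "\u3000", "\ufeff"} {
		out, err := renderScript(sep, "a.b")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("separator U+%04X: body=%q\n", []rune(sep)[0], escapedBody(out))
	}
	ok, _ := nbspHandledLikeSpace("a.b")
	fmt.Println("NBSP treated like space:", ok)
}
```

Run it with the toolchain produced by the patched recipe; a body of `"a.b"` (with quotes) for any of the non-ASCII separators means the backport did not take effect in that build.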
View/Reply Online (#181682): https://lists.openembedded.org/g/openembedded-core/message/181682
