This patch will not apply. Based on a quick inspection of your patch I suspect you are using an older version of dunfell. Please send a v2 based on the current dunfell head.
Thanks! Steve On Sun, Jun 4, 2023 at 5:25 PM Ashish Sharma <asha...@mvista.com> wrote: > > Fixing of improper sanitization of CSS values in html/template > > Signed-off-by: Ashish Sharma <asha...@mvista.com> > --- > meta/recipes-devtools/go/go-1.14.inc | 1 + > .../go/go-1.14/CVE-2023-24539.patch | 60 +++++++++++++++++++ > 2 files changed, 61 insertions(+) > create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch > > diff --git a/meta/recipes-devtools/go/go-1.14.inc > b/meta/recipes-devtools/go/go-1.14.inc > index f7482f8458..228becdb23 100644 > --- a/meta/recipes-devtools/go/go-1.14.inc > +++ b/meta/recipes-devtools/go/go-1.14.inc > @@ -55,6 +55,7 @@ SRC_URI += "\ > file://CVE-2022-41715.patch \ > file://CVE-2022-41717.patch \ > file://CVE-2022-1962.patch \ > + file://CVE-2023-24539.patch \ > " > > SRC_URI_append_libc-musl = " > file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch > b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch > new file mode 100644 > index 0000000000..1b7d849c23 > --- /dev/null > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch > @@ -0,0 +1,60 @@ > +From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001 > +From: Roland Shoemaker <bracew...@google.com> > +Date: Thu, 13 Apr 2023 15:40:44 -0700 > +Subject: [PATCH] html/template: disallow angle brackets in CSS values > + > +Angle brackets should not appear in CSS contexts, as they may affect > +token boundaries (such as closing a <style> tag, resulting in > +injection). Instead emit filterFailsafe, matching the behavior for other > +dangerous characters. > + > +Thanks to Juho Nurminen of Mattermost for reporting this issue. > + > +Fixes #59720 > +Fixes CVE-2023-24539 > + > +Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 > +Reviewed-on: > https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 > +Reviewed-by: Julie Qiu <julie...@google.com> > +Run-TryBot: Roland Shoemaker <bracew...@google.com> > +Reviewed-by: Damien Neil <dn...@google.com> > +Reviewed-on: https://go-review.googlesource.com/c/go/+/491615 > +Reviewed-by: Dmitri Shuralyov <dmits...@golang.org> > +Reviewed-by: Dmitri Shuralyov <dmits...@google.com> > +Run-TryBot: Carlos Amedee <car...@golang.org> > +TryBot-Result: Gopher Robot <go...@golang.org> > + > +Upstream-Status: Backport > [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1] > +CVE: CVE-2023-24539 > +Signed-off-by: Ashish Sharma <asha...@mvista.com> > +--- > + src/html/template/css.go | 2 +- > + src/html/template/css_test.go | 2 ++ > + 2 files changed, 3 insertions(+), 1 deletion(-) > + > +diff --git a/src/html/template/css.go b/src/html/template/css.go > +index 890a0c6b227fe..f650d8b3e843a 100644 > +--- a/src/html/template/css.go > ++++ b/src/html/template/css.go > +@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string { > + // inside a string that might embed JavaScript source. > + for i, c := range b { > + switch c { > +- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', > '`', '{', '}': > ++ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', > '`', '{', '}', '<', '>': > + return filterFailsafe > + case '-': > + // Disallow <!-- or -->. > +diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go > +index a735638b0314f..2b76256a766e9 100644 > +--- a/src/html/template/css_test.go > ++++ b/src/html/template/css_test.go > +@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) { > + {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"}, > + {`-expre\0000073sion`, "-expre\x073sion"}, > + {`@import url evil.css`, "ZgotmplZ"}, > ++ {"<", "ZgotmplZ"}, > ++ {">", "ZgotmplZ"}, > + } > + for _, test := range tests { > + got := cssValueFilter(test.css) > -- > 2.17.1 > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#182386): https://lists.openembedded.org/g/openembedded-core/message/182386 Mute This Topic: https://lists.openembedded.org/mt/99333673/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
