From 336c9ee6ac148f2f53f571264c83ca7286ad9ded Mon Sep 17 00:00:00 2001 From: Sumedh Alok Sharma Date: Thu, 9 Jan 2025 01:30:31 +0530 Subject: [PATCH] Patch influxdb for CVE-2024-45338 (#11766) Co-authored-by: jslobodzian (cherry picked from commit bd7017f898c82c4460adcd99d14dd38118f6850d) --- SPECS/influxdb/CVE-2024-45338.patch | 80 +++++++++++++++++++++++++++++ SPECS/influxdb/influxdb.spec | 6 ++- 2 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 SPECS/influxdb/CVE-2024-45338.patch
diff --git a/SPECS/influxdb/CVE-2024-45338.patch b/SPECS/influxdb/CVE-2024-45338.patch
new file mode 100644
index 00000000000..c2fb46031c5
--- /dev/null
+++ b/SPECS/influxdb/CVE-2024-45338.patch
@@ -0,0 +1,80 @@
+From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Wed, 04 Dec 2024 09:35:55 -0800
+Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
+
+Instead of using strings.ToLower and == to check case insensitive
+equality, just use strings.EqualFold, even when the strings are only
+ASCII. This prevents us unnecessarily lowering extremely long strings,
+which can be a somewhat expensive operation, even if we're only
+attempting to compare equality with five characters.
+
+Thanks to Guido Vranken for reporting this issue.
+
+Fixes golang/go#70906
+Fixes CVE-2024-45338
+
+Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
+Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
+LUCI-TryBot-Result: Go LUCI
+Auto-Submit: Gopher Robot
+Reviewed-by: Roland Shoemaker
+Reviewed-by: Tatiana Bradley
+---
+ vendor/golang.org/x/net/html/doctype.go | 2 +-
+ vendor/golang.org/x/net/html/foreign.go | 3 +--
+ vendor/golang.org/x/net/html/parse.go | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/vendor/golang.org/x/net/html/doctype.go
++++ b/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ }
+ }
+ if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ quirks = true
+ }
+ }
+diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/vendor/golang.org/x/net/html/foreign.go
++++ b/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ if n.Data == 
"annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 038941d..cb012d8 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.25.1 + diff --git a/SPECS/influxdb/influxdb.spec b/SPECS/influxdb/influxdb.spec index 82a3858e772..1d0574464f2 100644 --- a/SPECS/influxdb/influxdb.spec +++ b/SPECS/influxdb/influxdb.spec @@ -18,7 +18,7 @@ Summary: Scalable datastore for metrics, events, and real-time analytics Name: influxdb Version: 2.6.1 -Release: 18%{?dist} +Release: 19%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -58,6 +58,7 @@ Source6: influxdb-user.conf Patch0: CVE-2024-6104.patch Patch1: CVE-2022-32149.patch Patch2: CVE-2024-24786.patch +Patch3: CVE-2024-45338.patch BuildRequires: clang BuildRequires: golang <= 1.18.8 BuildRequires: kernel-headers @@ -147,6 +148,9 @@ go test ./... %{_tmpfilesdir}/influxdb.conf %changelog +* Fri Jan 03 2025 Sumedh Sharma - 2.6.1-19 +- Add patch for CVE-2024-45338 + * Mon Dec 09 2024 Kavya Sree Kaitepalli - 2.6.1-18 - Patch for CVE-2024-24786