Fix CVE-2024-45338 in multiple packages #11767

wants to merge 7 commits into
base: fasttrack/3.0
Changes from 2 commits
@@ -0,0 +1,64 @@
From 16acb322637a8ee779fa757345d7aef0ac16e69e Mon Sep 17 00:00:00 2001
From: Rohit Rawat <[email protected]>
Date: Thu, 2 Jan 2025 10:22:13 +0000
Subject: [PATCH] Fix CVE CVE-2024-45338 in
application-gateway-kubernetes-ingress

---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 291c919..d93fe03 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.39.4

Expand Up @@ -2,7 +2,7 @@
Summary: Application Gateway Ingress Controller
Name: application-gateway-kubernetes-ingress
Version: 1.7.2
Release: 2%{?dist}
Release: 3%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -25,6 +25,7 @@ Source0: https://github.com/Azure/application-gateway-kubernetes-ingress/
Source1: %{name}-%{version}-vendor.tar.gz
Patch0: CVE-2022-21698.patch
Patch1: CVE-2022-41273.patch
Patch2: CVE-2024-45338.patch

BuildRequires: golang >= 1.13

Expand All @@ -39,6 +40,7 @@ rm -rf vendor
tar -xf %{SOURCE1} --no-same-owner
%patch 0 -p1 -d vendor/github.com/prometheus/client_golang
%patch 1 -p1 -d vendor/golang.org/x/net
%patch 2 -p1

%build
export VERSION=%{version}
Expand All @@ -57,6 +59,9 @@ cp appgw-ingress %{buildroot}%{_bindir}/
%{_bindir}/appgw-ingress

%changelog
* Tue Dec 31 2024 Rohit Rawat <[email protected]> - 1.7.2-3
- Add patch for CVE-2024-45338

* Thu Jul 11 2024 Thien Trung Vuong <[email protected]> - 1.7.2-2
- Add patch for CVE-2022-21698, CVE-2022-41273
- Move vendored tarball extraction into %prep and %changed from %autosetup to %setup
63 changes: 63 additions & 0 deletions SPECS/cert-manager/CVE-2024-45338.patch
@@ -0,0 +1,63 @@
From bda2595d9dbcd7805b5b78466753b9d1849945d2 Mon Sep 17 00:00:00 2001
From: Rohit Rawat <[email protected]>
Date: Thu, 2 Jan 2025 10:22:12 +0000
Subject: [PATCH] Fix CVE CVE-2024-45338 in cert-manager

---
cmd/ctl/vendor/golang.org/x/net/html/doctype.go | 2 +-
cmd/ctl/vendor/golang.org/x/net/html/foreign.go | 3 +--
cmd/ctl/vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/cmd/ctl/vendor/golang.org/x/net/html/doctype.go b/cmd/ctl/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/cmd/ctl/vendor/golang.org/x/net/html/doctype.go
+++ b/cmd/ctl/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/cmd/ctl/vendor/golang.org/x/net/html/foreign.go b/cmd/ctl/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/cmd/ctl/vendor/golang.org/x/net/html/foreign.go
+++ b/cmd/ctl/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/cmd/ctl/vendor/golang.org/x/net/html/parse.go b/cmd/ctl/vendor/golang.org/x/net/html/parse.go
index 46a89ed..5b8374b 100644
--- a/cmd/ctl/vendor/golang.org/x/net/html/parse.go
+++ b/cmd/ctl/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.39.4
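Review bot: The patch touches only `cmd/ctl/vendor/golang.org/x/net/html/`, so any other copy of the html package inside the vendor tarball produced by generate_source_tarball.sh (the root module's vendor/ or another cmd/ sub-module, if those vendor separately) would keep the `strings.ToLower` comparisons; that layout is not visible in this diff, so it is worth confirming with a grep for `html/parse.go` across the extracted tarball before treating this as the complete fix for the package. The three hunks themselves appear to match the upstream x/net change to `strings.EqualFold` in doctype.go, foreign.go and parse.go, which drops the per-attribute lowercased copy that makes parsing time grow superlinearly on crafted input. The same completeness check applies to the cf-cli and containerized-data-importer patches, each of which patches a single vendor/ tree.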

7 changes: 6 additions & 1 deletion SPECS/cert-manager/cert-manager.spec
@@ -1,7 +1,7 @@
Summary: Automatically provision and manage TLS certificates in Kubernetes
Name: cert-manager
Version: 1.12.13
Release: 1%{?dist}
Release: 2%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -13,6 +13,7 @@ Source0: https://github.com/jetstack/%{name}/archive/refs/tags/v%{version
# 1. wget https://github.com/jetstack/%%{name}/archive/refs/tags/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz
# 2. <repo-root>/SPECS/cert-manager/generate_source_tarball.sh --srcTarball %%{name}-%%{version}.tar.gz --pkgVersion %%{version}
Source1: %{name}-%{version}-vendor.tar.gz
Patch0: CVE-2024-45338.patch
BuildRequires: golang
Requires: %{name}-acmesolver
Requires: %{name}-cainjector
Expand Down Expand Up @@ -58,6 +59,7 @@ Webhook component providing API validation, mutation and conversion functionalit

%prep
%setup -q -a 1
%autopatch -p1

%build

Expand Down Expand Up @@ -103,6 +105,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
%{_bindir}/webhook

%changelog
* Tue Dec 31 2024 Rohit Rawat <[email protected]> - 1.12.13-2
- Add patch for CVE-2024-45338

* Mon Sep 16 2024 Jiri Appl <[email protected]> - 1.12.13-1
- Upgrade to 1.12.13 which carries helm 3.14.2 to fix CVE-2024-26147 and CVE-2024-25620

63 changes: 63 additions & 0 deletions SPECS/cf-cli/CVE-2024-45338.patch
@@ -0,0 +1,63 @@
From 0d84094c36cc3a80da129773b966a3d5be4032ac Mon Sep 17 00:00:00 2001
From: Rohit Rawat <[email protected]>
Date: Thu, 2 Jan 2025 10:22:13 +0000
Subject: [PATCH] Fix CVE CVE-2024-45338 in cf-cli

---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89ed..5b8374b 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.39.4

10 changes: 6 additions & 4 deletions SPECS/cf-cli/cf-cli.spec
Expand Up @@ -5,7 +5,7 @@ Summary: The official command line client for Cloud Foundry.
Name: cf-cli
# Note: Upgrading the package also warrants an upgrade in the CF_BUILD_SHA
Version: 8.7.3
Release: 4%{?dist}
Release: 5%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand Down Expand Up @@ -34,6 +34,7 @@ Source1: cli-%{version}-vendor.tar.gz
Patch0: CVE-2023-39325.patch
Patch1: CVE-2024-24786.patch
Patch2: CVE-2024-45337.patch
Patch3: CVE-2024-45338.patch

BuildRequires: golang >= 1.18.3
%global debug_package %{nil}
Expand All @@ -45,9 +46,7 @@ The official command line client for Cloud Foundry.
%prep
%setup -q -n cli-%{version}
tar --no-same-owner -xf %{SOURCE1}
%patch 0 -p1
%patch 1 -p1
%patch 2 -p1
%autopatch -p1

%build
export GOPATH=%{our_gopath}
Expand All @@ -69,6 +68,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf
%{_bindir}/cf

%changelog
* Tue Dec 31 2024 Rohit Rawat <[email protected]> - 8.7.3-5
- Add patch for CVE-2024-45338

* Fri Dec 20 2024 Aurelien Bombo <[email protected]> - 8.7.3-4
- Add patch for CVE-2024-45337

63 changes: 63 additions & 0 deletions SPECS/containerized-data-importer/CVE-2024-45338.patch
@@ -0,0 +1,63 @@
From 0c0cb82a7671b2aa12c5136ab9368245e3803985 Mon Sep 17 00:00:00 2001
From: Rohit Rawat <[email protected]>
Date: Thu, 2 Jan 2025 10:22:13 +0000
Subject: [PATCH] Fix CVE CVE-2024-45338 in containerized-data-importer

---
.../vendor/golang.org/x/net/html/doctype.go | 2 +-
.../vendor/golang.org/x/net/html/foreign.go | 3 +--
.../vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89ed..5b8374b 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.39.4
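Review bot: The diffstat in this patch abbreviates the paths as `.../vendor/golang.org/x/net/html/doctype.go` while the `diff --git` headers below use the short `a/vendor/golang.org/x/net/html/doctype.go`, and the other three patches in this PR print the same path unabbreviated in their diffstat; that suggests the diff was generated from a deeper directory and the headers were rewritten afterwards. The hunk content is unaffected, but it is worth confirming that the patch applies cleanly at `-p1` from the containerized-data-importer source root used in %prep, since a silent path mismatch would leave the vendored html package unpatched. If the diff was regenerated, the diffstat would match the headers and remove the ambiguity.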

Expand Up @@ -18,7 +18,7 @@
Summary: Container native virtualization
Name: containerized-data-importer
Version: 1.57.0
Release: 6%{?dist}
Release: 7%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -28,6 +28,7 @@ Source0: https://github.com/kubevirt/containerized-data-importer/archive/
Patch0: CVE-2024-3727.patch
Patch1: CVE-2022-2879.patch
Patch2: CVE-2024-24786.patch
Patch3: CVE-2024-45338.patch
BuildRequires: golang
BuildRequires: golang-packaging
BuildRequires: libnbd-devel
Expand Down Expand Up @@ -222,6 +223,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m
%{_datadir}/cdi/manifests

%changelog
* Tue Dec 31 2024 Rohit Rawat <[email protected]> - 1.57.0-7
- Add patch for CVE-2024-45338

* Mon Nov 25 2024 Bala <[email protected]> - 1.57.0-6
- Fix CVE-2024-24786

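Review bot: `Patch3: CVE-2024-45338.patch` is declared, but this section shows no change to %prep, and rpmbuild does not complain about a declared Patch that is never applied. If %prep uses %autosetup or %autopatch the new patch is picked up automatically; if it lists explicit `%patch N -p1` lines, as application-gateway-kubernetes-ingress.spec does, a matching `%patch 3 -p1` is needed or the build will ship the unpatched html package while the changelog claims the fix. The %prep section is outside this diff, so this is worth a quick look at the full spec.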