Patch prometheus-adapter for CVE-2024-45338 (#11751)
Co-authored-by: jslobodzian <[email protected]> (cherry picked from commit deccc30)
1 parent
ef525f0
commit 5d5046a
Showing
2 changed files
with
85 additions
and
1 deletion.
@@ -0,0 +1,80 @@ | ||
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 | ||
From: Roland Shoemaker <[email protected]> | ||
Date: Wed, 04 Dec 2024 09:35:55 -0800 | ||
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves | ||
|
||
Instead of using strings.ToLower and == to check case insensitive | ||
equality, just use strings.EqualFold, even when the strings are only | ||
ASCII. This prevents us unnecessarily lowering extremely long strings, | ||
which can be a somewhat expensive operation, even if we're only | ||
attempting to compare equality with five characters. | ||
|
||
Thanks to Guido Vranken for reporting this issue. | ||
|
||
Fixes golang/go#70906 | ||
Fixes CVE-2024-45338 | ||
|
||
Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 | ||
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 | ||
LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
Auto-Submit: Gopher Robot <[email protected]> | ||
Reviewed-by: Roland Shoemaker <[email protected]> | ||
Reviewed-by: Tatiana Bradley <[email protected]> | ||
--- | ||
vendor/golang.org/x/net/html/doctype.go | 2 +- | ||
vendor/golang.org/x/net/html/foreign.go | 3 +-- | ||
vendor/golang.org/x/net/html/parse.go | 4 ++-- | ||
3 files changed, 4 insertions(+), 5 deletions(-) | ||
|
||
diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go | ||
index c484e5a..bca3ae9 100644 | ||
--- a/vendor/golang.org/x/net/html/doctype.go | ||
+++ b/vendor/golang.org/x/net/html/doctype.go | ||
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { | ||
} | ||
} | ||
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && | ||
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { | ||
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { | ||
quirks = true | ||
} | ||
} | ||
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go | ||
index 9da9e9d..e8515d8 100644 | ||
--- a/vendor/golang.org/x/net/html/foreign.go | ||
+++ b/vendor/golang.org/x/net/html/foreign.go | ||
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { | ||
if n.Data == "annotation-xml" { | ||
for _, a := range n.Attr { | ||
if a.Key == "encoding" { | ||
- val := strings.ToLower(a.Val) | ||
- if val == "text/html" || val == "application/xhtml+xml" { | ||
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { | ||
return true | ||
} | ||
} | ||
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go | ||
index 038941d..cb012d8 100644 | ||
--- a/vendor/golang.org/x/net/html/parse.go | ||
+++ b/vendor/golang.org/x/net/html/parse.go | ||
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { | ||
if p.tok.DataAtom == a.Input { | ||
for _, t := range p.tok.Attr { | ||
if t.Key == "type" { | ||
- if strings.ToLower(t.Val) == "hidden" { | ||
+ if strings.EqualFold(t.Val, "hidden") { | ||
// Skip setting framesetOK = false | ||
return true | ||
} | ||
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { | ||
return inHeadIM(p) | ||
case a.Input: | ||
for _, t := range p.tok.Attr { | ||
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { | ||
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { | ||
p.addElement() | ||
p.oe.pop() | ||
return true | ||
-- | ||
2.25.1 | ||
|
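Review bot: The patch rewrites the vendored golang.org/x/net/html sources in place (doctype.go, foreign.go, parse.go) but leaves vendor/modules.txt and go.mod untouched, so the x/net version embedded in the built binary will still be the unfixed one; scanners that key on module version (govulncheck, container image scanners) will keep reporting CVE-2024-45338 even though the code path is fixed. Consider recording the backport in whatever CVE/VEX metadata the package tooling consumes, or bumping the module once a fixed x/net release is vendored, so the fix is visible to tooling as well as to the compiler. It is also worth confirming that the 0.10.0 tarball ships a vendor directory and that the build consumes it (`-mod=vendor` or an auto-detected vendor tree); if modules are resolved from a cache instead, this patch does not reach the binary. Both points are inferred from the file paths in the patch; the spec's %build section is not visible here.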
@@ -1,14 +1,15 @@ | ||
Summary: Kubernetes Custom, Resource, and External Metric APIs implemented to work with Prometheus. | ||
Name: prometheus-adapter | ||
Version: 0.10.0 | ||
Release: 15%{?dist} | ||
Release: 16%{?dist} | ||
License: Apache-2.0 | ||
Vendor: Microsoft Corporation | ||
Distribution: Mariner | ||
URL: https://github.com/kubernetes-sigs/prometheus-adapter | ||
Source0: https://github.com/kubernetes-sigs/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz | ||
Patch0: CVE-2024-24786.patch | ||
Patch1: CVE-2022-32149.patch | ||
Patch2: CVE-2024-45338.patch | ||
BuildRequires: golang | ||
|
||
%description | ||
|
@@ -43,6 +44,9 @@ make test | |
%doc README.md RELEASE.md | ||
|
||
%changelog | ||
* Thu Jan 02 2025 Sumedh Sharma <[email protected]> - 0.10.0-16 | ||
- Add patch for CVE-2024-45338. | ||
|
||
* Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 0.10.0-15 | ||
- Bump release to rebuild with go 1.22.7 | ||
|
||
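Review bot: `Patch2: CVE-2024-45338.patch` is declared in the first hunk, but whether it is applied depends on the %prep section, which lies outside both hunks: if %prep uses explicit `%patch0 -p1` / `%patch1 -p1` lines rather than `%autosetup -p1`, a matching `%patch2 -p1` is needed or release 16 ships without the fix. Worth confirming against the full spec before merging. The Release bump to 16 and the new changelog entry are consistent with each other.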
|