diff --git a/SPECS/vitess/CVE-2024-45338.patch b/SPECS/vitess/CVE-2024-45338.patch new file mode 100644 index 00000000000..05c1c69ffc7 --- /dev/null +++ b/SPECS/vitess/CVE-2024-45338.patch @@ -0,0 +1,80 @@ +From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Wed, 04 Dec 2024 09:35:55 -0800 +Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves + +Instead of using strings.ToLower and == to check case insensitive +equality, just use strings.EqualFold, even when the strings are only +ASCII. This prevents us unnecessarily lowering extremely long strings, +which can be a somewhat expensive operation, even if we're only +attempting to compare equality with five characters. + +Thanks to Guido Vranken for reporting this issue. + +Fixes golang/go#70906 +Fixes CVE-2024-45338 + +Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 +Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Gopher Robot +Reviewed-by: Roland Shoemaker +Reviewed-by: Tatiana Bradley +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.25.1 + diff --git a/SPECS/vitess/vitess.spec b/SPECS/vitess/vitess.spec index e4dbf783e91..cc763c363b5 100644 --- a/SPECS/vitess/vitess.spec +++ b/SPECS/vitess/vitess.spec @@ -3,7 +3,7 @@ Name: vitess Version: 17.0.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Database clustering system for horizontal scaling of MySQL # Upstream license specification: MIT and Apache-2.0 License: MIT and ASL 2.0 @@ -26,6 +26,7 @@ Source0: %{name}-%{version}.tar.gz # -cf %%{name}-%%{version}-vendor.tar.gz vendor # Source1: %{name}-%{version}-vendor.tar.gz +Patch0: CVE-2024-45338.patch BuildRequires: golang %description @@ -103,6 +104,9 @@ go check -t go/cmd \ %{_bindir}/* %changelog +* Thu Jan 02 2025 Sumedh Sharma - 17.0.7-3 +- Add patch for CVE-2024-45338. + * Mon Sep 09 2024 CBL-Mariner Servicing Account - 17.0.7-2 - Bump release to rebuild with go 1.22.7