diff --git a/SPECS/containerized-data-importer/CVE-2023-3978.patch b/SPECS/containerized-data-importer/CVE-2023-3978.patch new file mode 100644 index 00000000000..6a3c1192b1e --- /dev/null +++ b/SPECS/containerized-data-importer/CVE-2023-3978.patch @@ -0,0 +1,66 @@ +From 5abbff46d6a70d0e31b41ce98cddaa08cc911e3f Mon Sep 17 00:00:00 2001 +From: Sudipta Pandit +Date: Wed, 5 Feb 2025 20:58:22 +0530 +Subject: [PATCH] Backport fix for CVE-2023-3978 + +Reference: https://go-review.googlesource.com/c/net/+/514896 +--- + vendor/golang.org/x/net/html/render.go | 28 ++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/render.go b/vendor/golang.org/x/net/html/render.go +index 497e132..1da09c8 100644 +--- a/vendor/golang.org/x/net/html/render.go ++++ b/vendor/golang.org/x/net/html/render.go +@@ -194,9 +194,8 @@ func render1(w writer, n *Node) error { + } + } + +- // Render any child nodes. +- switch n.Data { +- case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp": ++ // Render any child nodes ++ if childTextNodesAreLiteral(n) { + for c := n.FirstChild; c != nil; c = c.NextSibling { + if c.Type == TextNode { + if _, err := w.WriteString(c.Data); err != nil { +@@ -213,7 +212,7 @@ func render1(w writer, n *Node) error { + // last element in the file, with no closing tag. + return plaintextAbort + } +- default: ++ } else { + for c := n.FirstChild; c != nil; c = c.NextSibling { + if err := render1(w, c); err != nil { + return err +@@ -231,6 +230,27 @@ func render1(w writer, n *Node) error { + return w.WriteByte('>') + } + ++func childTextNodesAreLiteral(n *Node) bool { ++ // Per WHATWG HTML 13.3, if the parent of the current node is a style, ++ // script, xmp, iframe, noembed, noframes, or plaintext element, and the ++ // current node is a text node, append the value of the node's data ++ // literally. The specification is not explicit about it, but we only ++ // enforce this if we are in the HTML namespace (i.e. when the namespace is ++ // ""). ++ // NOTE: we also always include noscript elements, although the ++ // specification states that they should only be rendered as such if ++ // scripting is enabled for the node (which is not something we track). ++ if n.Namespace != "" { ++ return false ++ } ++ switch n.Data { ++ case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp": ++ return true ++ default: ++ return false ++ } ++} ++ + // writeQuoted writes s to w surrounded by quotes. Normally it will use double + // quotes, but if s contains a double quote, it will use single quotes. + // It is used for writing the identifiers in a doctype declaration. +-- +2.34.1 + diff --git a/SPECS/containerized-data-importer/containerized-data-importer.spec b/SPECS/containerized-data-importer/containerized-data-importer.spec index e74fe8b9bbd..352795b4a1d 100644 --- a/SPECS/containerized-data-importer/containerized-data-importer.spec +++ b/SPECS/containerized-data-importer/containerized-data-importer.spec @@ -18,7 +18,7 @@ Summary: Container native virtualization Name: containerized-data-importer Version: 1.57.0 -Release: 11%{?dist} +Release: 12%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -33,6 +33,7 @@ Patch4: CVE-2023-39325.patch Patch5: CVE-2023-44487.patch Patch6: CVE-2024-28180.patch Patch7: CVE-2023-45288.patch +Patch8: CVE-2023-3978.patch BuildRequires: golang BuildRequires: golang-packaging BuildRequires: libnbd-devel @@ -227,6 +228,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m %{_datadir}/cdi/manifests %changelog +* Sun Feb 23 2025 Sudipta Pandit - 1.57.0-12 +- Fix CVE-2023-3978 with a backported patch + * Fri Feb 14 2025 Kanishk Bansal - 1.57.0-11 - Address CVE-2023-45288