Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch sriov-network-device-plugin for CVE-2024-45338 #11750

Merged
merged 3 commits into from
Jan 10, 2025
+85 −1
Merged

Patch sriov-network-device-plugin for CVE-2024-45338 #11750

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
67e10bc
sriov-network-device-plugin: Add patch for CVE-2024-45338
Sumynwa Jan 2, 2025
5d00214
Merge branch 'fasttrack/2.0' into sumsharma/2-0_sriov-network-device-…
jslobodzian Jan 9, 2025
93f3c85
Merge branch 'fasttrack/2.0' into sumsharma/2-0_sriov-network-device-…
jslobodzian Jan 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 80 additions & 0 deletions SPECS/sriov-network-device-plugin/CVE-2024-45338.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <[email protected]>
Date: Wed, 04 Dec 2024 09:35:55 -0800
Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves

Instead of using strings.ToLower and == to check case insensitive
equality, just use strings.EqualFold, even when the strings are only
ASCII. This prevents us unnecessarily lowering extremely long strings,
which can be a somewhat expensive operation, even if we're only
attempting to compare equality with five characters.

Thanks to Guido Vranken for reporting this issue.

Fixes golang/go#70906
Fixes CVE-2024-45338

Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Gopher Robot <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
---
vendor/golang.org/x/net/html/doctype.go | 2 +-
vendor/golang.org/x/net/html/foreign.go | 3 +--
vendor/golang.org/x/net/html/parse.go | 4 ++--
3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
index c484e5a..bca3ae9 100644
--- a/vendor/golang.org/x/net/html/doctype.go
+++ b/vendor/golang.org/x/net/html/doctype.go
@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
}
}
if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
quirks = true
}
}
diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
index 9da9e9d..e8515d8 100644
--- a/vendor/golang.org/x/net/html/foreign.go
+++ b/vendor/golang.org/x/net/html/foreign.go
@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
if n.Data == "annotation-xml" {
for _, a := range n.Attr {
if a.Key == "encoding" {
- val := strings.ToLower(a.Val)
- if val == "text/html" || val == "application/xhtml+xml" {
+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
return true
}
}
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 46a89ed..5b8374b 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
if p.tok.DataAtom == a.Input {
for _, t := range p.tok.Attr {
if t.Key == "type" {
- if strings.ToLower(t.Val) == "hidden" {
+ if strings.EqualFold(t.Val, "hidden") {
// Skip setting framesetOK = false
return true
}
@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
return inHeadIM(p)
case a.Input:
for _, t := range p.tok.Attr {
- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
p.addElement()
p.oe.pop()
return true
--
2.25.1

6 changes: 5 additions & 1 deletion SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,15 @@
Summary: Plugin for discovering and advertising networking resources
Name: sriov-network-device-plugin
Version: 3.6.2
Release: 6%{?dist}
Release: 7%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://github.com/k8snetworkplumbingwg/sriov-network-device-plugin
Source0: https://github.com/k8snetworkplumbingwg/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Patch0: CVE-2023-45288.patch
Patch1: CVE-2024-24786.patch
Patch2: CVE-2024-45338.patch
BuildRequires: golang
Requires: gawk
Requires: hwdata
Expand Down Expand Up @@ -36,6 +37,9 @@ install -D -m0755 images/ddptool-1.0.1.12.tar.gz %{buildroot}%{_datadir}/%{name}
%{_datadir}/%{name}/ddptool-1.0.1.12.tar.gz

%changelog
* Thu Jan 02 2025 Sumedh Sharma <[email protected]> - 3.6.2-7
- Add patch for CVE-2024-45338.

* Thu Nov 11 2024 Vince Perri <[email protected]> - 3.6.2-6
- Patch CVE-2024-24786 (vendored google.golang.org/protobuf)

Expand Down
Loading