diff --git a/RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch b/RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
new file mode 100644
index 0000000..700ab80
--- /dev/null
+++ b/RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
@@ -0,0 +1,65 @@
+From d655030770081e2dfe46f90e27620472a502289d Mon Sep 17 00:00:00 2001
+From: David Lord
+Date: Thu, 2 May 2024 09:14:00 -0700
+Subject: [PATCH] disallow invalid characters in keys to xmlattr filter
+
+---
+ CHANGES.rst | 6 ++++++
+ src/jinja2/filters.py | 22 +++++++++++++++++-----
+ tests/test_filters.py | 11 ++++++-----
+ 3 files changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/kubevirt/jinja2/filters.py b/kubevirt/jinja2/filters.py
+index 4cf3c11fb..acd11976e 100644
+--- a/kubevirt/jinja2/filters.py
++++ b/kubevirt/jinja2/filters.py
+@@ -250,7 +250,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K
+ yield from value.items()
+ 
+ 
+-_space_re = re.compile(r"\s", flags=re.ASCII)
++# Check for characters that would move the parser state from key to value.
++# https://html.spec.whatwg.org/#attribute-name-state
++_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
+ 
+ 
+ @pass_eval_context
+@@ -259,8 +261,14 @@ def do_xmlattr(
+ ) -> str:
+ """Create an SGML/XML attribute string based on the items in a dict.
+ 
+- If any key contains a space, this fails with a ``ValueError``. Values that
+- are neither ``none`` nor ``undefined`` are automatically escaped.
++ **Values** that are neither ``none`` nor ``undefined`` are automatically
++ escaped, safely allowing untrusted user input.
++
++ User input should not be used as **keys** to this filter. If any key
++ contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
++ sign, this fails with a ``ValueError``. Regardless of this, user input
++ should never be used as keys to this filter, or must be separately validated
++ first.
+ 
+ .. sourcecode:: html+jinja
+ 
+@@ -280,6 +288,10 @@ def do_xmlattr(
+ As you can see it automatically prepends a space in front of the item
+ if the filter returned something unless the second parameter is false.
+ 
++ .. versionchanged:: 3.1.4
++ Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign
++ are not allowed.
++
+ .. versionchanged:: 3.1.3
+ Keys with spaces are not allowed.
+ """
+@@ -289,8 +301,8 @@ def do_xmlattr(
+ if value is None or isinstance(value, Undefined):
+ continue
+ 
+- if _space_re.search(key) is not None:
+- raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
++ if _attr_key_re.search(key) is not None:
++ raise ValueError(f"Invalid character in attribute name: {key!r}")
+ 
+ items.append(f'{escape(key)}="{escape(value)}"')
+ 
diff --git a/fence-agents.spec b/fence-agents.spec
index 01a626f..cfe49a5 100644
--- a/fence-agents.spec
+++ b/fence-agents.spec
@@ -59,7 +59,7 @@ Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 71%{?alphatag:.%{alphatag}}%{?dist}
+Release: 72%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@@ -256,6 +256,7 @@ Patch54: RHEL-35263-fence_eps-add-fence_epsr2-for-ePowerSwitch-R2-and-newer.patc
 ### HA support libs/utils ###
 # all archs
 Patch1000: bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch1001: RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
 
 # cloud (x86_64 only)
 Patch2000: bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch
@@ -482,6 +483,7 @@ rm -rf kubevirt/rsa*
 # regular patch doesnt work in build-section
 pushd support
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1001}
 %ifarch x86_64
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
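Review bot: The diffstat kept in the patch header (`CHANGES.rst`, `src/jinja2/filters.py`, `tests/test_filters.py`, `3 files changed, 29 insertions(+), 10 deletions(-)`) describes the upstream commit, not this backport, whose body carries only the `kubevirt/jinja2/filters.py` hunks at the rewritten path. `patch` does not read the stat, so the build is unaffected, but anyone auditing the CVE fix from the patch file alone will look for test and changelog hunks that are not there. Regenerating the stat for the reduced patch, or adding a line under the Subject such as `Backport: only filters.py is applied to the bundled copy under kubevirt/; upstream CHANGES.rst and test_filters.py hunks dropped.`, would make the reduction explicit. Because the upstream test hunk is dropped, the new `_attr_key_re` check (rejecting `/`, `>` and `=` in keys) is not exercised anywhere visible here; if the spec has a %check section, a one-line probe that the bundled `xmlattr` raises `ValueError` on such a key would confirm the patch actually landed in the vendored module. The `do_xmlattr` body extends beyond the inner hunks, so the remaining key/value handling is not visible in this diff.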
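Review bot: Patch1001 is declared in this hunk and applied in the @@ -482 hunk, but neither touches the metadata that describes the bundled jinja2, so if the spec carries a `Provides: bundled(python3-jinja2) = <version>` line elsewhere it would still advertise the unfixed upstream version and scanners keying on that provide would keep reporting CVE-2024-34064 as open. Whether such a line exists is not visible in this diff, so this is a check rather than a defect: if it does, a comment beside the new line such as `# CVE-2024-34064 fixed by Patch1001; bundled(python3-jinja2) provide still names the upstream release` (or adjusting the provide, if packaging policy allows) would keep the package's self-description consistent with what actually ships.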
@@ -1521,6 +1523,10 @@ are located on corosync cluster nodes.
 %endif
 
 %changelog
+* Wed May 15 2024 Oyvind Albrigtsen - 4.10.0-72
+- bundled jinja2: fix CVE-2024-34064
+ Resolves: RHEL-35649
+
 * Fri May 3 2024 Oyvind Albrigtsen - 4.10.0-71
 - fence_eps: add fence_epsr2 for ePowerSwitch R2 and newer
 Resolves: RHEL-35263