- bundled jinja2: fix CVE-2024-34064

Resolves: RHEL-35649
2024-05-15 16:23:29 +02:00 · 2024-05-15 16:23:29 +02:00 · e943caec6d
commit e943caec6d
parent 4a8d9d3e8d
2 changed files with 72 additions and 1 deletions
--- a/RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
+++ b/RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
@ -0,0 +1,65 @@
+From d655030770081e2dfe46f90e27620472a502289d Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Thu, 2 May 2024 09:14:00 -0700
+Subject: [PATCH] disallow invalid characters in keys to xmlattr filter
+
+---
+ CHANGES.rst           |  6 ++++++
+ src/jinja2/filters.py | 22 +++++++++++++++++-----
+ tests/test_filters.py | 11 ++++++-----
+ 3 files changed, 29 insertions(+), 10 deletions(-)
+
+diff --git a/kubevirt/jinja2/filters.py b/kubevirt/jinja2/filters.py
+index 4cf3c11fb..acd11976e 100644
+--- a/kubevirt/jinja2/filters.py
+++ b/kubevirt/jinja2/filters.py
+@@ -250,7 +250,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K
+     yield from value.items()
+ 
+ 
+-_space_re = re.compile(r"\s", flags=re.ASCII)
+# Check for characters that would move the parser state from key to value.
+# https://html.spec.whatwg.org/#attribute-name-state
+_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII)
+ 
+ 
+ @pass_eval_context
+@@ -259,8 +261,14 @@ def do_xmlattr(
+ ) -> str:
+     """Create an SGML/XML attribute string based on the items in a dict.
+ 
+-    If any key contains a space, this fails with a ``ValueError``. Values that
+-    are neither ``none`` nor ``undefined`` are automatically escaped.
+    **Values** that are neither ``none`` nor ``undefined`` are automatically
+    escaped, safely allowing untrusted user input.
+
+    User input should not be used as **keys** to this filter. If any key
+    contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals
+    sign, this fails with a ``ValueError``. Regardless of this, user input
+    should never be used as keys to this filter, or must be separately validated
+    first.
+ 
+     .. sourcecode:: html+jinja
+ 
+@@ -280,6 +288,10 @@ def do_xmlattr(
+     As you can see it automatically prepends a space in front of the item
+     if the filter returned something unless the second parameter is false.
+ 
+    .. versionchanged:: 3.1.4
+        Keys with ``/`` solidus, ``>`` greater-than sign, or ``=`` equals sign
+        are not allowed.
+
+     .. versionchanged:: 3.1.3
+         Keys with spaces are not allowed.
+     """
+@@ -289,8 +301,8 @@ def do_xmlattr(
+         if value is None or isinstance(value, Undefined):
+             continue
+ 
+-        if _space_re.search(key) is not None:
+-            raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
+        if _attr_key_re.search(key) is not None:
+            raise ValueError(f"Invalid character in attribute name: {key!r}")
+ 
+         items.append(f'{escape(key)}="{escape(value)}"')
+ 
--- a/fence-agents.spec
+++ b/fence-agents.spec
@ -59,7 +59,7 @@
 Name: fence-agents
 Summary: Set of unified programs capable of host isolation ("fencing")
 Version: 4.10.0
-Release: 71%{?alphatag:.%{alphatag}}%{?dist}
+Release: 72%{?alphatag:.%{alphatag}}%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://github.com/ClusterLabs/fence-agents
 Source0: https://fedorahosted.org/releases/f/e/fence-agents/%{name}-%{version}.tar.gz
@ -256,6 +256,7 @@ Patch54: RHEL-35263-fence_eps-add-fence_epsr2-for-ePowerSwitch-R2-and-newer.patc
 ### HA support libs/utils ###
 # all archs
 Patch1000: bz2217902-1-kubevirt-fix-bundled-dateutil-CVE-2007-4559.patch
+Patch1001: RHEL-35649-kubevirt-fix-bundled-jinja2-CVE-2024-34064.patch
 # cloud (x86_64 only)
 Patch2000: bz2217902-2-aws-awscli-azure-fix-bundled-dateutil-CVE-2007-4559.patch

@ -482,6 +483,7 @@ rm -rf kubevirt/rsa*
 # regular patch doesnt work in build-section
 pushd support
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1000}
+/usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH1001}

 %ifarch x86_64
 /usr/bin/patch --no-backup-if-mismatch -p1 --fuzz=0 < %{PATCH2000}
@ -1521,6 +1523,10 @@ are located on corosync cluster nodes.
 %endif

 %changelog
+* Wed May 15 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-72
+- bundled jinja2: fix CVE-2024-34064
+  Resolves: RHEL-35649
+
 * Fri May  3 2024 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.10.0-71
 - fence_eps: add fence_epsr2 for ePowerSwitch R2 and newer
  Resolves: RHEL-35263