Add go1.18.10 patch (#985)

* Add go1.18.10 patch

* add CVE-2023-24540

* add CVE-2023-24539

* update golang spec

projects/golang/go/1.18/patches/0010-go-1.18.10-eks-html-template-emit-filterFails.patch

@@ -0,0 +1,106 @@
+From 15041638e76a80da9d31f2dab994ae211c970c06 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <[email protected]>
+Date: Thu, 13 Apr 2023 14:01:50 -0700
+Subject: [PATCH] [release-branch.go1.19] html/template: emit filterFailsafe
+ for empty unquoted attr value
+
+
+# AWS EKS
+Backported To: go-1.18.10-eks
+Backported On: Wed, 3 May 2023
+Backported By: [email protected]
+Backported From: release-branch.go1.19
+Source Commit: https://github.com/golang/go/commit/9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5
+
+
+# Original Information
+
+An unquoted action used as an attribute value can result in unsafe
+behavior if it is empty, as HTML normalization will result in unexpected
+attributes, and may allow attribute injection. If executing a template
+results in a empty unquoted attribute value, emit filterFailsafe
+instead.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+For #59722
+Fixes #59815
+Fixes CVE-2023-29400
+
+Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826631
+Reviewed-by: Julie Qiu <[email protected]>
+Run-TryBot: Roland Shoemaker <[email protected]>
+Reviewed-by: Damien Neil <[email protected]>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851498
+Reviewed-by: Roland Shoemaker <[email protected]>
+Run-TryBot: Damien Neil <[email protected]>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491357
+Run-TryBot: Carlos Amedee <[email protected]>
+TryBot-Result: Gopher Robot <[email protected]>
+Reviewed-by: Dmitri Shuralyov <[email protected]>
+---
+ src/html/template/escape.go      |  5 ++---
+ src/html/template/escape_test.go | 15 +++++++++++++++
+ src/html/template/html.go        |  3 +++
+ 3 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index 2b11526f52..e1d8df8cf5 100644
+--- a/src/html/template/escape.go
++++ b/src/html/template/escape.go
+@@ -369,9 +369,8 @@ func normalizeEscFn(e string) string {
+ // for all x.
+ var redundantFuncs = map[string]map[string]bool{
+ 	"_html_template_commentescaper": {
+-		"_html_template_attrescaper":    true,
+-		"_html_template_nospaceescaper": true,
+-		"_html_template_htmlescaper":    true,
++		"_html_template_attrescaper": true,
++		"_html_template_htmlescaper": true,
+ 	},
+ 	"_html_template_cssescaper": {
+ 		"_html_template_attrescaper": true,
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index 58f3f271b7..afa4f5d54e 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -678,6 +678,21 @@ func TestEscape(t *testing.T) {
+ 			`<img srcset={{",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"}}>`,
+ 			`<img srcset=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,>`,
+ 		},
++		{
++			"unquoted empty attribute value (plaintext)",
++			"<p name={{.U}}>",
++			"<p name=ZgotmplZ>",
++		},
++		{
++			"unquoted empty attribute value (url)",
++			"<p href={{.U}}>",
++			"<p href=ZgotmplZ>",
++		},
++		{
++			"quoted empty attribute value",
++			"<p name=\"{{.U}}\">",
++			"<p name=\"\">",
++		},
+ 	}
+
+ 	for _, test := range tests {
+diff --git a/src/html/template/html.go b/src/html/template/html.go
+index 19bd0ccb20..cb8cc11159 100644
+--- a/src/html/template/html.go
++++ b/src/html/template/html.go
+@@ -14,6 +14,9 @@ import (
+ // htmlNospaceEscaper escapes for inclusion in unquoted attribute values.
+ func htmlNospaceEscaper(args ...any) string {
+ 	s, t := stringify(args...)
++	if s == "" {
++		return filterFailsafe
++	}
+ 	if t == contentTypeHTML {
+ 		return htmlReplacer(stripTags(s), htmlNospaceNormReplacementTable, false)
+ 	}
+-- 
+2.39.2
+

projects/golang/go/1.18/patches/0011-go-1.18.10-eks-html-template-handle-all-JS-wh.patch

@@ -0,0 +1,99 @@
+From 3033cdf315fc69bae10f68ac40aff0d0d3d9f112 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <[email protected]>
+Date: Tue, 11 Apr 2023 16:27:43 +0100
+Subject: [PATCH] [release-branch.go1.19] html/template: handle all JS
+ whitespace characters
+
+# AWS EKS
+Backported To: go-1.18.10-eks
+Backported On: Wed, 3 May 2023
+Backported By: [email protected]
+Backported From: release-branch.go1.19
+Source Commit: https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797
+
+
+# Original Information
+
+Rather than just a small set. Character class as defined by \s [0].
+
+Thanks to Juho Nurminen of Mattermost for reporting this.
+
+For #59721
+Fixes  #59813
+Fixes CVE-2023-24540
+
+[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes
+
+Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459
+Reviewed-by: Julie Qiu <[email protected]>
+Run-TryBot: Roland Shoemaker <[email protected]>
+Reviewed-by: Damien Neil <[email protected]>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497
+Run-TryBot: Damien Neil <[email protected]>
+Reviewed-by: Roland Shoemaker <[email protected]>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491355
+Reviewed-by: Dmitri Shuralyov <[email protected]>
+Reviewed-by: Carlos Amedee <[email protected]>
+TryBot-Bypass: Carlos Amedee <[email protected]>
+Run-TryBot: Carlos Amedee <[email protected]>
+---
+ src/html/template/js.go      |  8 +++++++-
+ src/html/template/js_test.go | 11 +++++++----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index 50523d00f1..aa18f7ffe8 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -13,6 +13,11 @@ import (
+ 	"unicode/utf8"
+ )
+
++// jsWhitespace contains all of the JS whitespace characters, as defined
++// by the \s character class.
++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes.
++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff"
++
+ // nextJSCtx returns the context that determines whether a slash after the
+ // given run of tokens starts a regular expression instead of a division
+ // operator: / or /=.
+@@ -26,7 +31,8 @@ import (
+ // JavaScript 2.0 lexical grammar and requires one token of lookbehind:
+ // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html
+ func nextJSCtx(s []byte, preceding jsCtx) jsCtx {
+-	s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029")
++	// Trim all JS whitespace characters
++	s = bytes.TrimRight(s, jsWhitespace)
+ 	if len(s) == 0 {
+ 		return preceding
+ 	}
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index 56579d8d30..41ecee6f6b 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) {
+ 		{jsCtxDivOp, "0"},
+ 		// Dots that are part of a number are div preceders.
+ 		{jsCtxDivOp, "0."},
++		// Some JS interpreters treat NBSP as a normal space, so
++		// we must too in order to properly escape things.
++		{jsCtxRegexp, "=\u00A0"},
+ 	}
+
+ 	for _, test := range tests {
+-		if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx {
+-			t.Errorf("want %s got %q", test.jsCtx, test.s)
++		if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx {
++			t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ 		}
+-		if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx {
+-			t.Errorf("want %s got %q", test.jsCtx, test.s)
++		if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx {
++			t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx)
+ 		}
+ 	}
+
+-- 
+2.39.2
+

projects/golang/go/1.18/patches/0012-go-1.18.10-eks-html-template-disallow-angle-b.patch

@@ -0,0 +1,72 @@
+From 38bcc1e9faf31b91c70ccb68b72b6bb7485e7f1b Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <[email protected]>
+Date: Thu, 13 Apr 2023 15:40:44 -0700
+Subject: [PATCH] [release-branch.go1.19] html/template: disallow angle
+ brackets in CSS values
+
+# AWS EKS
+Backported To: go-1.18.10-eks
+Backported On: Wed, 3 May 2023
+Backported By: [email protected]
+Backported From: release-branch.go1.19
+Source Commit: https://github.com/golang/go/commit/e49282327b05192e46086bf25fd3ac691205fe80
+
+# Original Information
+
+Angle brackets should not appear in CSS contexts, as they may affect
+token boundaries (such as closing a <style> tag, resulting in
+injection). Instead emit filterFailsafe, matching the behavior for other
+dangerous characters.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+For #59720
+Fixes #59811
+Fixes CVE-2023-24539
+
+Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636
+Reviewed-by: Julie Qiu <[email protected]>
+Run-TryBot: Roland Shoemaker <[email protected]>
+Reviewed-by: Damien Neil <[email protected]>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851496
+Run-TryBot: Damien Neil <[email protected]>
+Reviewed-by: Roland Shoemaker <[email protected]>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491335
+Run-TryBot: Carlos Amedee <[email protected]>
+Reviewed-by: Dmitri Shuralyov <[email protected]>
+TryBot-Result: Gopher Robot <[email protected]>
+---
+ src/html/template/css.go      | 2 +-
+ src/html/template/css_test.go | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/html/template/css.go b/src/html/template/css.go
+index 890a0c6b22..f650d8b3e8 100644
+--- a/src/html/template/css.go
++++ b/src/html/template/css.go
+@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string {
+ 	// inside a string that might embed JavaScript source.
+ 	for i, c := range b {
+ 		switch c {
+-		case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}':
++		case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
+ 			return filterFailsafe
+ 		case '-':
+ 			// Disallow <!-- or -->.
+diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go
+index a735638b03..2b76256a76 100644
+--- a/src/html/template/css_test.go
++++ b/src/html/template/css_test.go
+@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) {
+ 		{`-exp\000052 ession(alert(1337))`, "ZgotmplZ"},
+ 		{`-expre\0000073sion`, "-expre\x073sion"},
+ 		{`@import url evil.css`, "ZgotmplZ"},
++		{"<", "ZgotmplZ"},
++		{">", "ZgotmplZ"},
+ 	}
+ 	for _, test := range tests {
+ 		got := cssValueFilter(test.css)
+-- 
+2.39.2
+

projects/golang/go/1.18/rpmbuild/SPECS/golang.spec

@@ -169,6 +169,9 @@ Patch6:       0006-go-1.18.10-eks-go-net-textproto-avoid-overpredic.patch
 Patch7:       0007-go-1.18.10-eks-mime-multipart-avoid-excessive.patch
 Patch8:       0008-go-1.18.10-eks-net-textproto-mime-multipart-i.patch
 Patch9:       0009-go-1.18.10-eks-mime-multipart-limit-parsed-mi.patch
+Patch10:      0010-go-1.18.10-eks-html-template-emit-filterFails.patch
+Patch11:      0011-go-1.18.10-eks-html-template-handle-all-JS-wh.patch
+Patch12:      0012-go-1.18.10-eks-html-template-disallow-angle-b.patch
 
 Patch101:       0101-syscall-expose-IfInfomsg.X__ifi_pad-on-s390x.patch
 Patch102:       0102-cmd-go-disable-Google-s-proxy-and-sumdb.patch
@@ -551,6 +554,11 @@ fi
 %endif
 
 %changelog
+* Wed May 3 2023 Sajia Zafreen <[email protected]> - 1.18.10-4
+- Includes security fix for CVE-2023-29400
+- Includes security fix for CVE-2023-24540
+- Includes security fix for CVE-2023-24539
+
 * Wed Apr 5 2023 Bhavitha Koduru <[email protected]> - 1.18.10-3
 - Includes security fix for CVE-2023-24537
 - Includes security fix for CVE-2023-24534