
[dunfell,v3] go: Update fix for CVE-2023-24538 & CVE-2023-39318

Message ID 20230929192133.14948-1-skulkarni@mvista.com
State Accepted, archived
Delegated to: Steve Sakoman
Series [dunfell,v3] go: Update fix for CVE-2023-24538 & CVE-2023-39318

Commit Message

Shubham Kulkarni Sept. 29, 2023, 7:21 p.m. UTC
From: Shubham Kulkarni <skulkarni@mvista.com>

Add missing files in fix for CVE-2023-24538 & CVE-2023-39318

Upstream Link -
CVE-2023-24538: https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
CVE-2023-39318: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c

Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
---
 meta/recipes-devtools/go/go-1.14.inc          |   5 +-
 .../go/go-1.14/CVE-2023-24538-1.patch         |   4 +-
 .../go/go-1.14/CVE-2023-24538-2.patch         | 447 ++++++++++++-
 .../go/go-1.14/CVE-2023-24538_3.patch         | 393 ++++++++++++
 .../go/go-1.14/CVE-2023-24538_4.patch         | 497 +++++++++++++++
 .../go/go-1.14/CVE-2023-24538_5.patch         | 585 ++++++++++++++++++
 ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++-
 .../go/go-1.14/CVE-2023-39318.patch           |  38 +-
 8 files changed, 2124 insertions(+), 20 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
 rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => CVE-2023-24538_6.patch} (53%)

Comments

Steve Sakoman Sept. 30, 2023, 2:32 a.m. UTC | #1
Sorry, this patch doesn't apply:

Applying: go: Update fix for CVE-2023-24538 & CVE-2023-39318
error: corrupt patch at line 478
error: could not build fake ancestor
Patch failed at 0001 go: Update fix for CVE-2023-24538 & CVE-2023-39318

Steve

On Fri, Sep 29, 2023 at 9:21 AM Shubham Kulkarni via
lists.openembedded.org <skulkarni=mvista.com@lists.openembedded.org>
wrote:
>
> From: Shubham Kulkarni <skulkarni@mvista.com>
>
> Add missing files in fix for CVE-2023-24538 & CVE-2023-39318
>
> Upstream Link -
> CVE-2023-24538: https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
> CVE-2023-39318: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c
>
> Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> ---
>  meta/recipes-devtools/go/go-1.14.inc          |   5 +-
>  .../go/go-1.14/CVE-2023-24538-1.patch         |   4 +-
>  .../go/go-1.14/CVE-2023-24538-2.patch         | 447 ++++++++++++-
>  .../go/go-1.14/CVE-2023-24538_3.patch         | 393 ++++++++++++
>  .../go/go-1.14/CVE-2023-24538_4.patch         | 497 +++++++++++++++
>  .../go/go-1.14/CVE-2023-24538_5.patch         | 585 ++++++++++++++++++
>  ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++-
>  .../go/go-1.14/CVE-2023-39318.patch           |  38 +-
>  8 files changed, 2124 insertions(+), 20 deletions(-)
>  create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
>  create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
>  create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
>  rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => CVE-2023-24538_6.patch} (53%)
>
> diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
> index be63f64825..091b778de8 100644
> --- a/meta/recipes-devtools/go/go-1.14.inc
> +++ b/meta/recipes-devtools/go/go-1.14.inc
> @@ -60,7 +60,10 @@ SRC_URI += "\
>      file://CVE-2023-24534.patch \
>      file://CVE-2023-24538-1.patch \
>      file://CVE-2023-24538-2.patch \
> -    file://CVE-2023-24538-3.patch \
> +    file://CVE-2023-24538_3.patch \
> +    file://CVE-2023-24538_4.patch \
> +    file://CVE-2023-24538_5.patch \
> +    file://CVE-2023-24538_6.patch \
>      file://CVE-2023-24539.patch \
>      file://CVE-2023-24540.patch \
>      file://CVE-2023-29405-1.patch \
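
Review bot: the four added `SRC_URI` entries use an underscore (`CVE-2023-24538_3.patch` through `CVE-2023-24538_6.patch`) while the two entries directly above them keep the hyphen (`CVE-2023-24538-1.patch`, `CVE-2023-24538-2.patch`), so one CVE series ends up with two naming schemes. Naming them `CVE-2023-24538-3.patch` through `CVE-2023-24538-6.patch` keeps the series consistent with itself and with the other multi-part entries in this list, such as `CVE-2023-29405-1.patch`.
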
> diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
> index eda26e5ff6..23c5075e41 100644
> --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
> +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
> @@ -1,7 +1,7 @@
>  From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001
>  From: Brad Fitzpatrick <bradfitz@golang.org>
>  Date: Mon, 2 Aug 2021 14:55:51 -0700
> -Subject: [PATCH 1/3] net/netip: add new IP address package
> +Subject: [PATCH 1/6] net/netip: add new IP address package
>
>  Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati)
>  Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
> @@ -31,7 +31,7 @@ Trust: Brad Fitzpatrick <bradfitz@golang.org>
>
>  Dependency Patch #1
>
> -Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0]
> +Upstream-Status: Backport from https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
>  CVE: CVE-2023-24538
>  Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
>  ---
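
Review bot: the `Upstream-Status` line in this hunk goes from the bracketed form `Backport [<commit URL>]` to `Backport from <commit URL>`, which the commit message ("Add missing files") does not mention. The bracketed form is the documented convention for `Backport` in OE patch headers, so this hunk can be dropped and the line left as it was; if the aim is consistency across the series, converting the `Backport from` lines to the bracketed form is the better direction.
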
> diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
> index 5036f2890b..3840617a32 100644
> --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
> +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
> @@ -1,7 +1,7 @@
>  From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
>  From: empijei <robclap8@gmail.com>
>  Date: Fri, 27 Mar 2020 19:27:55 +0100
> -Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes
> +Subject: [PATCH 2/6] html/template,text/template: switch to Unicode escapes
>   for JSON compatibility
>  MIME-Version: 1.0
>  Content-Type: text/plain; charset=UTF-8
> @@ -31,10 +31,238 @@ Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072
>  CVE: CVE-2023-24538
>  Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
>  ---
> - src/html/template/js.go    | 70 +++++++++++++++++++++++++++-------------------
> - src/text/template/funcs.go |  8 +++---
> - 2 files changed, 46 insertions(+), 32 deletions(-)
> + src/html/template/content_test.go  | 70 +++++++++++++++++++-------------------
> + src/html/template/escape_test.go   |  6 ++--
> + src/html/template/example_test.go  |  6 ++--
> + src/html/template/js.go            | 70 +++++++++++++++++++++++---------------
> + src/html/template/js_test.go       | 68 ++++++++++++++++++------------------
> + src/html/template/template_test.go | 39 +++++++++++++++++++++
> + src/text/template/exec_test.go     |  6 ++--
> + src/text/template/funcs.go         |  8 ++---
> + 8 files changed, 163 insertions(+), 110 deletions(-)
>
> +diff --git a/src/html/template/content_test.go b/src/html/template/content_test.go
> +index 72d56f5..bd86527 100644
> +--- a/src/html/template/content_test.go
> ++++ b/src/html/template/content_test.go
> +@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) {
> +               HTML(`Hello, <b>World</b> &amp;tc!`),
> +               HTMLAttr(` dir="ltr"`),
> +               JS(`c && alert("Hello, World!");`),
> +-              JSStr(`Hello, World & O'Reilly\x21`),
> ++              JSStr(`Hello, World & O'Reilly\u0021`),
> +               URL(`greeting=H%69,&addressee=(World)`),
> +               Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`),
> +               URL(`,foo/,`),
> +@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) {
> +                               `Hello, <b>World</b> &amp;tc!`,
> +                               ` dir=&#34;ltr&#34;`,
> +                               `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
> +-                              `Hello, World &amp; O&#39;Reilly\x21`,
> ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
> +                               `greeting=H%69,&amp;addressee=(World)`,
> +                               `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
> +                               `,foo/,`,
> +@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) {
> +                               `Hello,&#32;World&#32;&amp;tc!`,
> +                               `&#32;dir&#61;&#34;ltr&#34;`,
> +                               `c&#32;&amp;&amp;&#32;alert(&#34;Hello,&#32;World!&#34;);`,
> +-                              `Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\x21`,
> ++                              `Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\u0021`,
> +                               `greeting&#61;H%69,&amp;addressee&#61;(World)`,
> +                               `greeting&#61;H%69,&amp;addressee&#61;(World)&#32;2x,&#32;https://golang.org/favicon.ico&#32;500.5w`,
> +                               `,foo/,`,
> +@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) {
> +                               `Hello, World &amp;tc!`,
> +                               ` dir=&#34;ltr&#34;`,
> +                               `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
> +-                              `Hello, World &amp; O&#39;Reilly\x21`,
> ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
> +                               `greeting=H%69,&amp;addressee=(World)`,
> +                               `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
> +                               `,foo/,`,
> +@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) {
> +                               `Hello, &lt;b&gt;World&lt;/b&gt; &amp;tc!`,
> +                               ` dir=&#34;ltr&#34;`,
> +                               `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
> +-                              `Hello, World &amp; O&#39;Reilly\x21`,
> ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
> +                               `greeting=H%69,&amp;addressee=(World)`,
> +                               `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
> +                               `,foo/,`,
> +@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) {
> +                               // Not escaped.
> +                               `c && alert("Hello, World!");`,
> +                               // Escape sequence not over-escaped.
> +-                              `"Hello, World & O'Reilly\x21"`,
> ++                              `"Hello, World & O'Reilly\u0021"`,
> +                               `"greeting=H%69,\u0026addressee=(World)"`,
> +                               `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
> +                               `",foo/,"`,
> +@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) {
> +                               // Not JS escaped but HTML escaped.
> +                               `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
> +                               // Escape sequence not over-escaped.
> +-                              `&#34;Hello, World &amp; O&#39;Reilly\x21&#34;`,
> ++                              `&#34;Hello, World &amp; O&#39;Reilly\u0021&#34;`,
> +                               `&#34;greeting=H%69,\u0026addressee=(World)&#34;`,
> +                               `&#34;greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w&#34;`,
> +                               `&#34;,foo/,&#34;`,
> +@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) {
> +               {
> +                       `<script>alert("{{.}}")</script>`,
> +                       []string{
> +-                              `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
> +-                              `a[href =~ \x22\/\/example.com\x22]#foo`,
> +-                              `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
> +-                              ` dir=\x22ltr\x22`,
> +-                              `c \x26\x26 alert(\x22Hello, World!\x22);`,
> ++                              `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
> ++                              `a[href =~ \u0022\/\/example.com\u0022]#foo`,
> ++                              `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
> ++                              ` dir=\u0022ltr\u0022`,
> ++                              `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
> +                               // Escape sequence not over-escaped.
> +-                              `Hello, World \x26 O\x27Reilly\x21`,
> +-                              `greeting=H%69,\x26addressee=(World)`,
> +-                              `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
> ++                              `Hello, World \u0026 O\u0027Reilly\u0021`,
> ++                              `greeting=H%69,\u0026addressee=(World)`,
> ++                              `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
> +                               `,foo\/,`,
> +                       },
> +               },
> +               {
> +                       `<script type="text/javascript">alert("{{.}}")</script>`,
> +                       []string{
> +-                              `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
> +-                              `a[href =~ \x22\/\/example.com\x22]#foo`,
> +-                              `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
> +-                              ` dir=\x22ltr\x22`,
> +-                              `c \x26\x26 alert(\x22Hello, World!\x22);`,
> ++                              `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
> ++                              `a[href =~ \u0022\/\/example.com\u0022]#foo`,
> ++                              `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
> ++                              ` dir=\u0022ltr\u0022`,
> ++                              `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
> +                               // Escape sequence not over-escaped.
> +-                              `Hello, World \x26 O\x27Reilly\x21`,
> +-                              `greeting=H%69,\x26addressee=(World)`,
> +-                              `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
> ++                              `Hello, World \u0026 O\u0027Reilly\u0021`,
> ++                              `greeting=H%69,\u0026addressee=(World)`,
> ++                              `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
> +                               `,foo\/,`,
> +                       },
> +               },
> +@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) {
> +                               // Not escaped.
> +                               `c && alert("Hello, World!");`,
> +                               // Escape sequence not over-escaped.
> +-                              `"Hello, World & O'Reilly\x21"`,
> ++                              `"Hello, World & O'Reilly\u0021"`,
> +                               `"greeting=H%69,\u0026addressee=(World)"`,
> +                               `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
> +                               `",foo/,"`,
> +@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) {
> +                               `Hello, <b>World</b> &amp;tc!`,
> +                               ` dir=&#34;ltr&#34;`,
> +                               `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
> +-                              `Hello, World &amp; O&#39;Reilly\x21`,
> ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
> +                               `greeting=H%69,&amp;addressee=(World)`,
> +                               `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
> +                               `,foo/,`,
> +@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) {
> +               {
> +                       `<button onclick='alert("{{.}}")'>`,
> +                       []string{
> +-                              `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
> +-                              `a[href =~ \x22\/\/example.com\x22]#foo`,
> +-                              `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
> +-                              ` dir=\x22ltr\x22`,
> +-                              `c \x26\x26 alert(\x22Hello, World!\x22);`,
> ++                              `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
> ++                              `a[href =~ \u0022\/\/example.com\u0022]#foo`,
> ++                              `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
> ++                              ` dir=\u0022ltr\u0022`,
> ++                              `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
> +                               // Escape sequence not over-escaped.
> +-                              `Hello, World \x26 O\x27Reilly\x21`,
> +-                              `greeting=H%69,\x26addressee=(World)`,
> +-                              `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
> ++                              `Hello, World \u0026 O\u0027Reilly\u0021`,
> ++                              `greeting=H%69,\u0026addressee=(World)`,
> ++                              `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
> +                               `,foo\/,`,
> +                       },
> +               },
> +@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) {
> +                               `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
> +                               `%20dir%3d%22ltr%22`,
> +                               `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
> +-                              `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
> ++                              `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
> +                               // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is done.
> +                               `greeting=H%69,&amp;addressee=%28World%29`,
> +                               `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
> +@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) {
> +                               `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
> +                               `%20dir%3d%22ltr%22`,
> +                               `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
> +-                              `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
> ++                              `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
> +                               // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not done.
> +                               `greeting=H%69,&addressee=%28World%29`,
> +                               `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
> +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
> +index e72a9ba..c709660 100644
> +--- a/src/html/template/escape_test.go
> ++++ b/src/html/template/escape_test.go
> +@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) {
> +               {
> +                       "jsStr",
> +                       "<button onclick='alert(&quot;{{.H}}&quot;)'>",
> +-                      `<button onclick='alert(&quot;\x3cHello\x3e&quot;)'>`,
> ++                      `<button onclick='alert(&quot;\u003cHello\u003e&quot;)'>`,
> +               },
> +               {
> +                       "badMarshaler",
> +@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) {
> +               {
> +                       "jsRe",
> +                       `<button onclick='alert(/{{"foo+bar"}}/.test(""))'>`,
> +-                      `<button onclick='alert(/foo\x2bbar/.test(""))'>`,
> ++                      `<button onclick='alert(/foo\u002bbar/.test(""))'>`,
> +               },
> +               {
> +                       "jsReBlank",
> +@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) {
> +                               "main":   `<button onclick="title='{{template "helper"}}'; ...">{{template "helper"}}</button>`,
> +                               "helper": `{{11}} of {{"<100>"}}`,
> +                       },
> +-                      `<button onclick="title='11 of \x3c100\x3e'; ...">11 of &lt;100&gt;</button>`,
> ++                      `<button onclick="title='11 of \u003c100\u003e'; ...">11 of &lt;100&gt;</button>`,
> +               },
> +               // A non-recursive template that ends in a different context.
> +               // helper starts in jsCtxRegexp and ends in jsCtxDivOp.
> +diff --git a/src/html/template/example_test.go b/src/html/template/example_test.go
> +index 9d965f1..6cf936f 100644
> +--- a/src/html/template/example_test.go
> ++++ b/src/html/template/example_test.go
> +@@ -116,9 +116,9 @@ func Example_escape() {
> +       // &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt;
> +       // &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt;
> +       // &#34;Fran &amp; Freddie&#39;s Diner&#34;32&lt;tasty@example.com&gt;
> +-      // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
> +-      // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
> +-      // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E
> ++      // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
> ++      // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
> ++      // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com\u003E
> +       // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E
> +
> + }
>  diff --git a/src/html/template/js.go b/src/html/template/js.go
>  index 0e91458..ea9c183 100644
>  --- a/src/html/template/js.go
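
Review bot: everything this hunk adds to the embedded patch is test code (`content_test.go`, `escape_test.go`, `example_test.go`), and the updated diffstat lists `js_test.go`, `template_test.go` and `exec_test.go` as well, while the counts for `js.go` and `funcs.go` stay at 70 and 8. The commit message only says "Add missing files"; it should state that the missing files are the upstream test updates for the `\x` to `\u` escape change, so a stable-branch reviewer can tell from the log that the non-test part of this backport is not meant to change.
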
> @@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644
>         '?':  `\?`,
>         '[':  `\[`,
>         '\\': `\\`,
> +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
> +index 075adaa..d7ee47b 100644
> +--- a/src/html/template/js_test.go
> ++++ b/src/html/template/js_test.go
> +@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) {
> +               {"foo", `"foo"`},
> +               // Newlines.
> +               {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
> +-              // "\v" == "v" on IE 6 so use "\x0b" instead.
> ++              // "\v" == "v" on IE 6 so use "\u000b" instead.
> +               {"\t\x0b", `"\t\u000b"`},
> +               {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
> +               {[]interface{}{}, "[]"},
> +@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) {
> +       }{
> +               {"", ``},
> +               {"foo", `foo`},
> +-              {"\u0000", `\0`},
> ++              {"\u0000", `\u0000`},
> +               {"\t", `\t`},
> +               {"\n", `\n`},
> +               {"\r", `\r`},
> +@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) {
> +               {"\\n", `\\n`},
> +               {"foo\r\nbar", `foo\r\nbar`},
> +               // Preserve attribute boundaries.
> +-              {`"`, `\x22`},
> +-              {`'`, `\x27`},
> ++              {`"`, `\u0022`},
> ++              {`'`, `\u0027`},
> +               // Allow embedding in HTML without further escaping.
> +-              {`&amp;`, `\x26amp;`},
> ++              {`&amp;`, `\u0026amp;`},
> +               // Prevent breaking out of text node and element boundaries.
> +-              {"</script>", `\x3c\/script\x3e`},
> +-              {"<![CDATA[", `\x3c![CDATA[`},
> +-              {"]]>", `]]\x3e`},
> ++              {"</script>", `\u003c\/script\u003e`},
> ++              {"<![CDATA[", `\u003c![CDATA[`},
> ++              {"]]>", `]]\u003e`},
> +               // https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
> +               //   "The text in style, script, title, and textarea elements
> +               //   must not have an escaping text span start that is not
> +@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) {
> +               // allow regular text content to be interpreted as script
> +               // allowing script execution via a combination of a JS string
> +               // injection followed by an HTML text injection.
> +-              {"<!--", `\x3c!--`},
> +-              {"-->", `--\x3e`},
> ++              {"<!--", `\u003c!--`},
> ++              {"-->", `--\u003e`},
> +               // From https://code.google.com/p/doctype/wiki/ArticleUtf7
> +               {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
> +-                      `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,
> ++                      `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,
> +               },
> +               // Invalid UTF-8 sequence
> +               {"foo\xA0bar", "foo\xA0bar"},
> +@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) {
> +       }{
> +               {"", `(?:)`},
> +               {"foo", `foo`},
> +-              {"\u0000", `\0`},
> ++              {"\u0000", `\u0000`},
> +               {"\t", `\t`},
> +               {"\n", `\n`},
> +               {"\r", `\r`},
> +@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) {
> +               {"\\n", `\\n`},
> +               {"foo\r\nbar", `foo\r\nbar`},
> +               // Preserve attribute boundaries.
> +-              {`"`, `\x22`},
> +-              {`'`, `\x27`},
> ++              {`"`, `\u0022`},
> ++              {`'`, `\u0027`},
> +               // Allow embedding in HTML without further escaping.
> +-              {`&amp;`, `\x26amp;`},
> ++              {`&amp;`, `\u0026amp;`},
> +               // Prevent breaking out of text node and element boundaries.
> +-              {"</script>", `\x3c\/script\x3e`},
> +-              {"<![CDATA[", `\x3c!\[CDATA\[`},
> +-              {"]]>", `\]\]\x3e`},
> ++              {"</script>", `\u003c\/script\u003e`},
> ++              {"<![CDATA[", `\u003c!\[CDATA\[`},
> ++              {"]]>", `\]\]\u003e`},
> +               // Escaping text spans.
> +-              {"<!--", `\x3c!\-\-`},
> +-              {"-->", `\-\-\x3e`},
> ++              {"<!--", `\u003c!\-\-`},
> ++              {"-->", `\-\-\u003e`},
> +               {"*", `\*`},
> +-              {"+", `\x2b`},
> ++              {"+", `\u002b`},
> +               {"?", `\?`},
> +               {"[](){}", `\[\]\(\)\{\}`},
> +               {"$foo|x.y", `\$foo\|x\.y`},
> +@@ -284,27 +284,27 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
> +               {
> +                       "jsStrEscaper",
> +                       jsStrEscaper,
> +-                      "\\0\x01\x02\x03\x04\x05\x06\x07" +
> +-                              "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
> +-                              "\x10\x11\x12\x13\x14\x15\x16\x17" +
> +-                              "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
> +-                              ` !\x22#$%\x26\x27()*\x2b,-.\/` +
> +-                              `0123456789:;\x3c=\x3e?` +
> ++                      `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
> ++                              `\u0008\t\n\u000b\f\r\u000e\u000f` +
> ++                              `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
> ++                              `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
> ++                              ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` +
> ++                              `0123456789:;\u003c=\u003e?` +
> +                               `@ABCDEFGHIJKLMNO` +
> +                               `PQRSTUVWXYZ[\\]^_` +
> +                               "`abcdefghijklmno" +
> +-                              "pqrstuvwxyz{|}~\x7f" +
> ++                              "pqrstuvwxyz{|}~\u007f" +
> +                               "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
> +               },
> +               {
> +                       "jsRegexpEscaper",
> +                       jsRegexpEscaper,
> +-                      "\\0\x01\x02\x03\x04\x05\x06\x07" +
> +-                              "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
> +-                              "\x10\x11\x12\x13\x14\x15\x16\x17" +
> +-                              "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
> +-                              ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` +
> +-                              `0123456789:;\x3c=\x3e\?` +
> ++                      `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
> ++                              `\u0008\t\n\u000b\f\r\u000e\u000f` +
> ++                              `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
> ++                              `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
> ++                              ` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` +
> ++                              `0123456789:;\u003c=\u003e\?` +
> +                               `@ABCDEFGHIJKLMNO` +
> +                               `PQRSTUVWXYZ\[\\\]\^_` +
> +                               "`abcdefghijklmno" +
> +diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go
> +index 13e6ba4..86bd4db 100644
> +--- a/src/html/template/template_test.go
> ++++ b/src/html/template/template_test.go
> +@@ -6,6 +6,7 @@ package template_test
> +
> + import (
> +       "bytes"
> ++      "encoding/json"
> +       . "html/template"
> +       "strings"
> +       "testing"
> +@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) {
> +       c.mustExecute(c.root, nil, "12.34 7.5")
> + }
> +
> ++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) {
> ++      // See #33671 and #37634 for more context on this.
> ++      tests := []struct{ name, in string }{
> ++              {"empty", ""},
> ++              {"invalid", string(rune(-1))},
> ++              {"null", "\u0000"},
> ++              {"unit separator", "\u001F"},
> ++              {"tab", "\t"},
> ++              {"gt and lt", "<>"},
> ++              {"quotes", `'"`},
> ++              {"ASCII letters", "ASCII letters"},
> ++              {"Unicode", "ʕ⊙ϖ⊙ʔ"},
> ++              {"Pizza", "
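
Review bot: the `Pizza` entry in the added `TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped` table breaks off after its opening quote, and it is the 478th line counting from the `---` separator of the quoted patch, the line number `git am` reports as corrupt above. This entry and the `Unicode` one before it are non-ASCII literals, so the resend needs a transfer encoding that keeps UTF-8 intact (for example `git send-email --transfer-encoding=8bit`), and running `git am` on the copy fetched back from the list before posting the next version would confirm that it survives the round trip.
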
Shubham Kulkarni Sept. 30, 2023, 3:41 p.m. UTC | #2
Apologies Steve,

I will look into the issue and send a new patch for Dunfell. It worked for
me on my machine. Maybe something I missed.

Thanks,
Shubham Kulkarni

On Sat, Sep 30, 2023 at 8:02 AM Steve Sakoman <steve@sakoman.com> wrote:

> Sorry, this patch doesn't apply:
>
> Applying: go: Update fix for CVE-2023-24538 & CVE-2023-39318
> error: corrupt patch at line 478
> error: could not build fake ancestor
> Patch failed at 0001 go: Update fix for CVE-2023-24538 & CVE-2023-39318
>
> Steve
>
> On Fri, Sep 29, 2023 at 9:21 AM Shubham Kulkarni via
> lists.openembedded.org <skulkarni=mvista.com@lists.openembedded.org>
> wrote:
> >
> > From: Shubham Kulkarni <skulkarni@mvista.com>
> >
> > Add missing files in fix for CVE-2023-24538 & CVE-2023-39318
> >
> > Upstream Link -
> > CVE-2023-24538:
> https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
> > CVE-2023-39318:
> https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c
> >
> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> > ---
> >  meta/recipes-devtools/go/go-1.14.inc          |   5 +-
> >  .../go/go-1.14/CVE-2023-24538-1.patch         |   4 +-
> >  .../go/go-1.14/CVE-2023-24538-2.patch         | 447 ++++++++++++-
> >  .../go/go-1.14/CVE-2023-24538_3.patch         | 393 ++++++++++++
> >  .../go/go-1.14/CVE-2023-24538_4.patch         | 497 +++++++++++++++
> >  .../go/go-1.14/CVE-2023-24538_5.patch         | 585 ++++++++++++++++++
> >  ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++-
> >  .../go/go-1.14/CVE-2023-39318.patch           |  38 +-
> >  8 files changed, 2124 insertions(+), 20 deletions(-)
> >  create mode 100644
> meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
> >  create mode 100644
> meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
> >  create mode 100644
> meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
> >  rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch =>
> CVE-2023-24538_6.patch} (53%)
> >
> > diff --git a/meta/recipes-devtools/go/go-1.14.inc
> b/meta/recipes-devtools/go/go-1.14.inc
> > index be63f64825..091b778de8 100644
> > --- a/meta/recipes-devtools/go/go-1.14.inc
> > +++ b/meta/recipes-devtools/go/go-1.14.inc
> > @@ -60,7 +60,10 @@ SRC_URI += "\
> >      file://CVE-2023-24534.patch \
> >      file://CVE-2023-24538-1.patch \
> >      file://CVE-2023-24538-2.patch \
> > -    file://CVE-2023-24538-3.patch \
> > +    file://CVE-2023-24538_3.patch \
> > +    file://CVE-2023-24538_4.patch \
> > +    file://CVE-2023-24538_5.patch \
> > +    file://CVE-2023-24538_6.patch \
> >      file://CVE-2023-24539.patch \
> >      file://CVE-2023-24540.patch \
> >      file://CVE-2023-29405-1.patch \
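Review bot: the four added SRC_URI entries use an underscore (`CVE-2023-24538_3.patch` through `CVE-2023-24538_6.patch`) while the two entries kept directly above them still use a hyphen (`CVE-2023-24538-1.patch`, `CVE-2023-24538-2.patch`), so one CVE series now carries two naming schemes. Using the hyphen form for the new files as well would keep the series consistent and would turn the `-3` to `_6` rename into a plain renumbering; if the underscore is deliberate, the commit message should say why.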
> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
> b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
> > index eda26e5ff6..23c5075e41 100644
> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
> > @@ -1,7 +1,7 @@
> >  From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001
> >  From: Brad Fitzpatrick <bradfitz@golang.org>
> >  Date: Mon, 2 Aug 2021 14:55:51 -0700
> > -Subject: [PATCH 1/3] net/netip: add new IP address package
> > +Subject: [PATCH 1/6] net/netip: add new IP address package
> >
> >  Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati)
> >  Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
> > @@ -31,7 +31,7 @@ Trust: Brad Fitzpatrick <bradfitz@golang.org>
> >
> >  Dependency Patch #1
> >
> > -Upstream-Status: Backport [
> https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
> ]
> > +Upstream-Status: Backport from
> https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
> >  CVE: CVE-2023-24538
> >  Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> >  ---
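Review bot: the `Upstream-Status` line in this hunk switches from the bracketed `Backport [ <url> ]` form to `Backport from <url>`, a metadata-only change that the commit message ("Add missing files in fix for ...") does not mention. Either leave the existing line alone so the change to `CVE-2023-24538-1.patch` is limited to the `[PATCH 1/6]` renumbering, or state the reformatting in the commit message.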
> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
> b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
> > index 5036f2890b..3840617a32 100644
> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
> > @@ -1,7 +1,7 @@
> >  From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
> >  From: empijei <robclap8@gmail.com>
> >  Date: Fri, 27 Mar 2020 19:27:55 +0100
> > -Subject: [PATCH 2/3] html/template,text/template: switch to Unicode
> escapes
> > +Subject: [PATCH 2/6] html/template,text/template: switch to Unicode
> escapes
> >   for JSON compatibility
> >  MIME-Version: 1.0
> >  Content-Type: text/plain; charset=UTF-8
> > @@ -31,10 +31,238 @@ Upstream-Status: Backport from
> https://github.com/golang/go/commit/d4d298040d072
> >  CVE: CVE-2023-24538
> >  Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
> >  ---
> > - src/html/template/js.go    | 70
> +++++++++++++++++++++++++++-------------------
> > - src/text/template/funcs.go |  8 +++---
> > - 2 files changed, 46 insertions(+), 32 deletions(-)
> > + src/html/template/content_test.go  | 70
> +++++++++++++++++++-------------------
> > + src/html/template/escape_test.go   |  6 ++--
> > + src/html/template/example_test.go  |  6 ++--
> > + src/html/template/js.go            | 70
> +++++++++++++++++++++++---------------
> > + src/html/template/js_test.go       | 68
> ++++++++++++++++++------------------
> > + src/html/template/template_test.go | 39 +++++++++++++++++++++
> > + src/text/template/exec_test.go     |  6 ++--
> > + src/text/template/funcs.go         |  8 ++---
> > + 8 files changed, 163 insertions(+), 110 deletions(-)
> >
> > +diff --git a/src/html/template/content_test.go
> b/src/html/template/content_test.go
> > +index 72d56f5..bd86527 100644
> > +--- a/src/html/template/content_test.go
> > ++++ b/src/html/template/content_test.go
> > +@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) {
> > +               HTML(`Hello, <b>World</b> &amp;tc!`),
> > +               HTMLAttr(` dir="ltr"`),
> > +               JS(`c && alert("Hello, World!");`),
> > +-              JSStr(`Hello, World & O'Reilly\x21`),
> > ++              JSStr(`Hello, World & O'Reilly\u0021`),
> > +               URL(`greeting=H%69,&addressee=(World)`),
> > +               Srcset(`greeting=H%69,&addressee=(World) 2x,
> https://golang.org/favicon.ico 500.5w`),
> > +               URL(`,foo/,`),
> > +@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) {
> > +                               `Hello, <b>World</b> &amp;tc!`,
> > +                               ` dir=&#34;ltr&#34;`,
> > +                               `c &amp;&amp; alert(&#34;Hello,
> World!&#34;);`,
> > +-                              `Hello, World &amp; O&#39;Reilly\x21`,
> > ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
> > +                               `greeting=H%69,&amp;addressee=(World)`,
> > +                               `greeting=H%69,&amp;addressee=(World)
> 2x, https://golang.org/favicon.ico 500.5w`,
> > +                               `,foo/,`,
> > +@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) {
> > +                               `Hello,&#32;World&#32;&amp;tc!`,
> > +                               `&#32;dir&#61;&#34;ltr&#34;`,
> > +
>  `c&#32;&amp;&amp;&#32;alert(&#34;Hello,&#32;World!&#34;);`,
> > +-
> `Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\x21`,
> > ++
> `Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\u0021`,
> > +
>  `greeting&#61;H%69,&amp;addressee&#61;(World)`,
> > +
>  `greeting&#61;H%69,&amp;addressee&#61;(World)&#32;2x,&#32;
> https://golang.org/favicon.ico&#32;500.5w`
> <https://golang.org/favicon.ico&#32;500.5w>,
> > +                               `,foo/,`,
> > +@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) {
> > +                               `Hello, World &amp;tc!`,
> > +                               ` dir=&#34;ltr&#34;`,
> > +                               `c &amp;&amp; alert(&#34;Hello,
> World!&#34;);`,
> > +-                              `Hello, World &amp; O&#39;Reilly\x21`,
> > ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
> > +                               `greeting=H%69,&amp;addressee=(World)`,
> > +                               `greeting=H%69,&amp;addressee=(World)
> 2x, https://golang.org/favicon.ico 500.5w`,
> > +                               `,foo/,`,
> > +@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) {
> > +                               `Hello, &lt;b&gt;World&lt;/b&gt;
> &amp;tc!`,
> > +                               ` dir=&#34;ltr&#34;`,
> > +                               `c &amp;&amp; alert(&#34;Hello,
> World!&#34;);`,
> > +-                              `Hello, World &amp; O&#39;Reilly\x21`,
> > ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
> > +                               `greeting=H%69,&amp;addressee=(World)`,
> > +                               `greeting=H%69,&amp;addressee=(World)
> 2x, https://golang.org/favicon.ico 500.5w`,
> > +                               `,foo/,`,
> > +@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) {
> > +                               // Not escaped.
> > +                               `c && alert("Hello, World!");`,
> > +                               // Escape sequence not over-escaped.
> > +-                              `"Hello, World & O'Reilly\x21"`,
> > ++                              `"Hello, World & O'Reilly\u0021"`,
> > +
>  `"greeting=H%69,\u0026addressee=(World)"`,
> > +                               `"greeting=H%69,\u0026addressee=(World)
> 2x, https://golang.org/favicon.ico 500.5w"`,
> > +                               `",foo/,"`,
> > +@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) {
> > +                               // Not JS escaped but HTML escaped.
> > +                               `c &amp;&amp; alert(&#34;Hello,
> World!&#34;);`,
> > +                               // Escape sequence not over-escaped.
> > +-                              `&#34;Hello, World &amp;
> O&#39;Reilly\x21&#34;`,
> > ++                              `&#34;Hello, World &amp;
> O&#39;Reilly\u0021&#34;`,
> > +
>  `&#34;greeting=H%69,\u0026addressee=(World)&#34;`,
> > +
>  `&#34;greeting=H%69,\u0026addressee=(World) 2x,
> https://golang.org/favicon.ico 500.5w&#34;`,
> > +                               `&#34;,foo/,&#34;`,
> > +@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) {
> > +               {
> > +                       `<script>alert("{{.}}")</script>`,
> > +                       []string{
> > +-                              `\x3cb\x3e \x22foo%\x22 O\x27Reilly
> \x26bar;`,
> > +-                              `a[href =~ \x22\/\/example.com
> \x22]#foo`,
> > +-                              `Hello, \x3cb\x3eWorld\x3c\/b\x3e
> \x26amp;tc!`,
> > +-                              ` dir=\x22ltr\x22`,
> > +-                              `c \x26\x26 alert(\x22Hello,
> World!\x22);`,
> > ++                              `\u003cb\u003e \u0022foo%\u0022
> O\u0027Reilly \u0026bar;`,
> > ++                              `a[href =~ \u0022\/\/example.com
> \u0022]#foo`,
> > ++                              `Hello,
> \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
> > ++                              ` dir=\u0022ltr\u0022`,
> > ++                              `c \u0026\u0026 alert(\u0022Hello,
> World!\u0022);`,
> > +                               // Escape sequence not over-escaped.
> > +-                              `Hello, World \x26 O\x27Reilly\x21`,
> > +-                              `greeting=H%69,\x26addressee=(World)`,
> > +-                              `greeting=H%69,\x26addressee=(World) 2x,
> https:\/\/golang.org\/favicon.ico 500.5w`,
> > ++                              `Hello, World \u0026
> O\u0027Reilly\u0021`,
> > ++                              `greeting=H%69,\u0026addressee=(World)`,
> > ++                              `greeting=H%69,\u0026addressee=(World)
> 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
> > +                               `,foo\/,`,
> > +                       },
> > +               },
> > +               {
> > +                       `<script
> type="text/javascript">alert("{{.}}")</script>`,
> > +                       []string{
> > +-                              `\x3cb\x3e \x22foo%\x22 O\x27Reilly
> \x26bar;`,
> > +-                              `a[href =~ \x22\/\/example.com
> \x22]#foo`,
> > +-                              `Hello, \x3cb\x3eWorld\x3c\/b\x3e
> \x26amp;tc!`,
> > +-                              ` dir=\x22ltr\x22`,
> > +-                              `c \x26\x26 alert(\x22Hello,
> World!\x22);`,
> > ++                              `\u003cb\u003e \u0022foo%\u0022
> O\u0027Reilly \u0026bar;`,
> > ++                              `a[href =~ \u0022\/\/example.com
> \u0022]#foo`,
> > ++                              `Hello,
> \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
> > ++                              ` dir=\u0022ltr\u0022`,
> > ++                              `c \u0026\u0026 alert(\u0022Hello,
> World!\u0022);`,
> > +                               // Escape sequence not over-escaped.
> > +-                              `Hello, World \x26 O\x27Reilly\x21`,
> > +-                              `greeting=H%69,\x26addressee=(World)`,
> > +-                              `greeting=H%69,\x26addressee=(World) 2x,
> https:\/\/golang.org\/favicon.ico 500.5w`,
> > ++                              `Hello, World \u0026
> O\u0027Reilly\u0021`,
> > ++                              `greeting=H%69,\u0026addressee=(World)`,
> > ++                              `greeting=H%69,\u0026addressee=(World)
> 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
> > +                               `,foo\/,`,
> > +                       },
> > +               },
> > +@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) {
> > +                               // Not escaped.
> > +                               `c && alert("Hello, World!");`,
> > +                               // Escape sequence not over-escaped.
> > +-                              `"Hello, World & O'Reilly\x21"`,
> > ++                              `"Hello, World & O'Reilly\u0021"`,
> > +
>  `"greeting=H%69,\u0026addressee=(World)"`,
> > +                               `"greeting=H%69,\u0026addressee=(World)
> 2x, https://golang.org/favicon.ico 500.5w"`,
> > +                               `",foo/,"`,
> > +@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) {
> > +                               `Hello, <b>World</b> &amp;tc!`,
> > +                               ` dir=&#34;ltr&#34;`,
> > +                               `c &amp;&amp; alert(&#34;Hello,
> World!&#34;);`,
> > +-                              `Hello, World &amp; O&#39;Reilly\x21`,
> > ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
> > +                               `greeting=H%69,&amp;addressee=(World)`,
> > +                               `greeting=H%69,&amp;addressee=(World)
> 2x, https://golang.org/favicon.ico 500.5w`,
> > +                               `,foo/,`,
> > +@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) {
> > +               {
> > +                       `<button onclick='alert("{{.}}")'>`,
> > +                       []string{
> > +-                              `\x3cb\x3e \x22foo%\x22 O\x27Reilly
> \x26bar;`,
> > +-                              `a[href =~ \x22\/\/example.com
> \x22]#foo`,
> > +-                              `Hello, \x3cb\x3eWorld\x3c\/b\x3e
> \x26amp;tc!`,
> > +-                              ` dir=\x22ltr\x22`,
> > +-                              `c \x26\x26 alert(\x22Hello,
> World!\x22);`,
> > ++                              `\u003cb\u003e \u0022foo%\u0022
> O\u0027Reilly \u0026bar;`,
> > ++                              `a[href =~ \u0022\/\/example.com
> \u0022]#foo`,
> > ++                              `Hello,
> \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
> > ++                              ` dir=\u0022ltr\u0022`,
> > ++                              `c \u0026\u0026 alert(\u0022Hello,
> World!\u0022);`,
> > +                               // Escape sequence not over-escaped.
> > +-                              `Hello, World \x26 O\x27Reilly\x21`,
> > +-                              `greeting=H%69,\x26addressee=(World)`,
> > +-                              `greeting=H%69,\x26addressee=(World) 2x,
> https:\/\/golang.org\/favicon.ico 500.5w`,
> > ++                              `Hello, World \u0026
> O\u0027Reilly\u0021`,
> > ++                              `greeting=H%69,\u0026addressee=(World)`,
> > ++                              `greeting=H%69,\u0026addressee=(World)
> 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
> > +                               `,foo\/,`,
> > +                       },
> > +               },
> > +@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) {
> > +
>  `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
> > +                               `%20dir%3d%22ltr%22`,
> > +
>  `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
> > +-
> `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
> > ++
> `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
> > +                               // Quotes and parens are escaped but %69
> is not over-escaped. HTML escaping is done.
> > +
>  `greeting=H%69,&amp;addressee=%28World%29`,
> > +
>  `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%
> 2fgolang.org%2ffavicon.ico%20500.5w`,
> > +@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) {
> > +
>  `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
> > +                               `%20dir%3d%22ltr%22`,
> > +
>  `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
> > +-
> `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
> > ++
> `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
> > +                               // Quotes and parens are escaped but %69
> is not over-escaped. HTML escaping is not done.
> > +                               `greeting=H%69,&addressee=%28World%29`,
> > +
>  `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%
> 2fgolang.org%2ffavicon.ico%20500.5w`,
> > +diff --git a/src/html/template/escape_test.go
> b/src/html/template/escape_test.go
> > +index e72a9ba..c709660 100644
> > +--- a/src/html/template/escape_test.go
> > ++++ b/src/html/template/escape_test.go
> > +@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) {
> > +               {
> > +                       "jsStr",
> > +                       "<button onclick='alert(&quot;{{.H}}&quot;)'>",
> > +-                      `<button
> onclick='alert(&quot;\x3cHello\x3e&quot;)'>`,
> > ++                      `<button
> onclick='alert(&quot;\u003cHello\u003e&quot;)'>`,
> > +               },
> > +               {
> > +                       "badMarshaler",
> > +@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) {
> > +               {
> > +                       "jsRe",
> > +                       `<button
> onclick='alert(/{{"foo+bar"}}/.test(""))'>`,
> > +-                      `<button
> onclick='alert(/foo\x2bbar/.test(""))'>`,
> > ++                      `<button
> onclick='alert(/foo\u002bbar/.test(""))'>`,
> > +               },
> > +               {
> > +                       "jsReBlank",
> > +@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) {
> > +                               "main":   `<button
> onclick="title='{{template "helper"}}'; ...">{{template
> "helper"}}</button>`,
> > +                               "helper": `{{11}} of {{"<100>"}}`,
> > +                       },
> > +-                      `<button onclick="title='11 of \x3c100\x3e';
> ...">11 of &lt;100&gt;</button>`,
> > ++                      `<button onclick="title='11 of \u003c100\u003e';
> ...">11 of &lt;100&gt;</button>`,
> > +               },
> > +               // A non-recursive template that ends in a different
> context.
> > +               // helper starts in jsCtxRegexp and ends in jsCtxDivOp.
> > +diff --git a/src/html/template/example_test.go
> b/src/html/template/example_test.go
> > +index 9d965f1..6cf936f 100644
> > +--- a/src/html/template/example_test.go
> > ++++ b/src/html/template/example_test.go
> > +@@ -116,9 +116,9 @@ func Example_escape() {
> > +       // &#34;Fran &amp; Freddie&#39;s Diner&#34; &
> lt;tasty@example.com&gt;
> > +       // &#34;Fran &amp; Freddie&#39;s Diner&#34; &
> lt;tasty@example.com&gt;
> > +       // &#34;Fran &amp; Freddie&#39;s Diner&#
> 34;32&lt;tasty@example.com&gt;
> > +-      // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
> > +-      // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
> > +-      // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E
> > ++      // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com
> \u003E
> > ++      // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com
> \u003E
> > ++      // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com
> \u003E
> > +       // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E
> > +
> > + }
> >  diff --git a/src/html/template/js.go b/src/html/template/js.go
> >  index 0e91458..ea9c183 100644
> >  --- a/src/html/template/js.go
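Review bot: the updated diffstat keeps `js.go` (70) and `funcs.go` (8) at their old counts and adds six `*_test.go` files, so everything this hunk brings into `CVE-2023-24538-2.patch` is test code, which the commit message should say, because "Add missing files" reads as if fix code had been left out. Please also confirm that the new totals (`8 files changed, 163 insertions(+), 110 deletions(-)`) and the outer hunk length in `@@ -31,10 +31,238 @@` come from regenerating the patch file, since a line count that does not match the body is enough to make the outer patch fail to apply.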
> > @@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644
> >         '?':  `\?`,
> >         '[':  `\[`,
> >         '\\': `\\`,
> > +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
> > +index 075adaa..d7ee47b 100644
> > +--- a/src/html/template/js_test.go
> > ++++ b/src/html/template/js_test.go
> > +@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) {
> > +               {"foo", `"foo"`},
> > +               // Newlines.
> > +               {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
> > +-              // "\v" == "v" on IE 6 so use "\x0b" instead.
> > ++              // "\v" == "v" on IE 6 so use "\u000b" instead.
> > +               {"\t\x0b", `"\t\u000b"`},
> > +               {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
> > +               {[]interface{}{}, "[]"},
> > +@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) {
> > +       }{
> > +               {"", ``},
> > +               {"foo", `foo`},
> > +-              {"\u0000", `\0`},
> > ++              {"\u0000", `\u0000`},
> > +               {"\t", `\t`},
> > +               {"\n", `\n`},
> > +               {"\r", `\r`},
> > +@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) {
> > +               {"\\n", `\\n`},
> > +               {"foo\r\nbar", `foo\r\nbar`},
> > +               // Preserve attribute boundaries.
> > +-              {`"`, `\x22`},
> > +-              {`'`, `\x27`},
> > ++              {`"`, `\u0022`},
> > ++              {`'`, `\u0027`},
> > +               // Allow embedding in HTML without further escaping.
> > +-              {`&amp;`, `\x26amp;`},
> > ++              {`&amp;`, `\u0026amp;`},
> > +               // Prevent breaking out of text node and element
> boundaries.
> > +-              {"</script>", `\x3c\/script\x3e`},
> > +-              {"<![CDATA[", `\x3c![CDATA[`},
> > +-              {"]]>", `]]\x3e`},
> > ++              {"</script>", `\u003c\/script\u003e`},
> > ++              {"<![CDATA[", `\u003c![CDATA[`},
> > ++              {"]]>", `]]\u003e`},
> > +               //
> https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
> > +               //   "The text in style, script, title, and textarea
> elements
> > +               //   must not have an escaping text span start that is
> not
> > +@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) {
> > +               // allow regular text content to be interpreted as script
> > +               // allowing script execution via a combination of a JS
> string
> > +               // injection followed by an HTML text injection.
> > +-              {"<!--", `\x3c!--`},
> > +-              {"-->", `--\x3e`},
> > ++              {"<!--", `\u003c!--`},
> > ++              {"-->", `--\u003e`},
> > +               // From
> https://code.google.com/p/doctype/wiki/ArticleUtf7
> > +               {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
> > +-
> `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,
> > ++
> `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,
> > +               },
> > +               // Invalid UTF-8 sequence
> > +               {"foo\xA0bar", "foo\xA0bar"},
> > +@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) {
> > +       }{
> > +               {"", `(?:)`},
> > +               {"foo", `foo`},
> > +-              {"\u0000", `\0`},
> > ++              {"\u0000", `\u0000`},
> > +               {"\t", `\t`},
> > +               {"\n", `\n`},
> > +               {"\r", `\r`},
> > +@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) {
> > +               {"\\n", `\\n`},
> > +               {"foo\r\nbar", `foo\r\nbar`},
> > +               // Preserve attribute boundaries.
> > +-              {`"`, `\x22`},
> > +-              {`'`, `\x27`},
> > ++              {`"`, `\u0022`},
> > ++              {`'`, `\u0027`},
> > +               // Allow embedding in HTML without further escaping.
> > +-              {`&amp;`, `\x26amp;`},
> > ++              {`&amp;`, `\u0026amp;`},
> > +               // Prevent breaking out of text node and element
> boundaries.
> > +-              {"</script>", `\x3c\/script\x3e`},
> > +-              {"<![CDATA[", `\x3c!\[CDATA\[`},
> > +-              {"]]>", `\]\]\x3e`},
> > ++              {"</script>", `\u003c\/script\u003e`},
> > ++              {"<![CDATA[", `\u003c!\[CDATA\[`},
> > ++              {"]]>", `\]\]\u003e`},
> > +               // Escaping text spans.
> > +-              {"<!--", `\x3c!\-\-`},
> > +-              {"-->", `\-\-\x3e`},
> > ++              {"<!--", `\u003c!\-\-`},
> > ++              {"-->", `\-\-\u003e`},
> > +               {"*", `\*`},
> > +-              {"+", `\x2b`},
> > ++              {"+", `\u002b`},
> > +               {"?", `\?`},
> > +               {"[](){}", `\[\]\(\)\{\}`},
> > +               {"$foo|x.y", `\$foo\|x\.y`},
> > +@@ -284,27 +284,27 @@ func
> TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
> > +               {
> > +                       "jsStrEscaper",
> > +                       jsStrEscaper,
> > +-                      "\\0\x01\x02\x03\x04\x05\x06\x07" +
> > +-                              "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
> > +-                              "\x10\x11\x12\x13\x14\x15\x16\x17" +
> > +-                              "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
> > +-                              ` !\x22#$%\x26\x27()*\x2b,-.\/` +
> > +-                              `0123456789:;\x3c=\x3e?` +
> > ++
> `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
> > ++                              `\u0008\t\n\u000b\f\r\u000e\u000f` +
> > ++
> `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
> > ++
> `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
> > ++                              ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` +
> > ++                              `0123456789:;\u003c=\u003e?` +
> > +                               `@ABCDEFGHIJKLMNO` +
> > +                               `PQRSTUVWXYZ[\\]^_` +
> > +                               "`abcdefghijklmno" +
> > +-                              "pqrstuvwxyz{|}~\x7f" +
> > ++                              "pqrstuvwxyz{|}~\u007f" +
> > +
>  "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
> > +               },
> > +               {
> > +                       "jsRegexpEscaper",
> > +                       jsRegexpEscaper,
> > +-                      "\\0\x01\x02\x03\x04\x05\x06\x07" +
> > +-                              "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
> > +-                              "\x10\x11\x12\x13\x14\x15\x16\x17" +
> > +-                              "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
> > +-                              ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` +
> > +-                              `0123456789:;\x3c=\x3e\?` +
> > ++
> `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
> > ++                              `\u0008\t\n\u000b\f\r\u000e\u000f` +
> > ++
> `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
> > ++
> `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
> > ++                              `
> !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` +
> > ++                              `0123456789:;\u003c=\u003e\?` +
> > +                               `@ABCDEFGHIJKLMNO` +
> > +                               `PQRSTUVWXYZ\[\\\]\^_` +
> > +                               "`abcdefghijklmno" +
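Review bot: in the `jsStrEscaper` expectation, `"pqrstuvwxyz{|}~\x7f"` becomes `"pqrstuvwxyz{|}~\u007f"` but stays a double-quoted Go string, so both spellings are the same raw DEL character and the expected output for 0x7f does not change, whereas the control-character lines above it move to backquoted strings and now expect the literal `\u00XX` escape text. If that asymmetry is intended, a one-line comment next to the `\u007f` line would keep it from being read as a quoting slip during later backports.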
> > +diff --git a/src/html/template/template_test.go
> b/src/html/template/template_test.go
> > +index 13e6ba4..86bd4db 100644
> > +--- a/src/html/template/template_test.go
> > ++++ b/src/html/template/template_test.go
> > +@@ -6,6 +6,7 @@ package template_test
> > +
> > + import (
> > +       "bytes"
> > ++      "encoding/json"
> > +       . "html/template"
> > +       "strings"
> > +       "testing"
> > +@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) {
> > +       c.mustExecute(c.root, nil, "12.34 7.5")
> > + }
> > +
> > ++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t
> *testing.T) {
> > ++      // See #33671 and #37634 for more context on this.
> > ++      tests := []struct{ name, in string }{
> > ++              {"empty", ""},
> > ++              {"invalid", string(rune(-1))},
> > ++              {"null", "\u0000"},
> > ++              {"unit separator", "\u001F"},
> > ++              {"tab", "\t"},
> > ++              {"gt and lt", "<>"},
> > ++              {"quotes", `'"`},
> > ++              {"ASCII letters", "ASCII letters"},
> > ++              {"Unicode", "ʕ⊙ϖ⊙ʔ"},
> > ++              {"Pizza", "
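Review bot: the test table in this added function holds raw non-ASCII string literals (the "Unicode" entry and the "Pizza" entry after it), so this part of the embedded patch only survives mailing if the message goes out as UTF-8 without being re-encoded or trimmed. Before posting, save the outgoing mail and run `git am` on it in a clean checkout, so that a patch that applies locally is also known to apply from the list copy.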
Shubham Kulkarni Oct. 3, 2023, 1:48 p.m. UTC | #3
Hi Steve,

I have recreated the patch from scratch for dunfell and sent it as v4 -
https://lists.openembedded.org/g/openembedded-core/message/188639
The issue in v3 might be due to whitespace. But v4 should be good.

Thanks,
Shubham Kulkarni

On Sat, Sep 30, 2023 at 9:11 PM Shubham Kulkarni via lists.openembedded.org
<skulkarni=mvista.com@lists.openembedded.org> wrote:

> Apologies Steve,
>
> I will look into the issue and send a new patch for Dunfell. It worked for
> me on my machine. Maybe something I missed.
>
> Thanks,
> Shubham Kulkarni
>
> On Sat, Sep 30, 2023 at 8:02 AM Steve Sakoman <steve@sakoman.com> wrote:
>
>> Sorry, this patch doesn't apply:
>>
>> Applying: go: Update fix for CVE-2023-24538 & CVE-2023-39318
>> error: corrupt patch at line 478
>> error: could not build fake ancestor
>> Patch failed at 0001 go: Update fix for CVE-2023-24538 & CVE-2023-39318
>>
>> Steve
>>
>> On Fri, Sep 29, 2023 at 9:21 AM Shubham Kulkarni via
>> lists.openembedded.org <skulkarni=mvista.com@lists.openembedded.org>
>> wrote:
>> >
>> > From: Shubham Kulkarni <skulkarni@mvista.com>
>> >
>> > Add missing files in fix for CVE-2023-24538 & CVE-2023-39318
>> >
>> > Upstream Link -
>> > CVE-2023-24538:
>> https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
>> > CVE-2023-39318:
>> https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c
>> >
>> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
>> > ---
>> >  meta/recipes-devtools/go/go-1.14.inc          |   5 +-
>> >  .../go/go-1.14/CVE-2023-24538-1.patch         |   4 +-
>> >  .../go/go-1.14/CVE-2023-24538-2.patch         | 447 ++++++++++++-
>> >  .../go/go-1.14/CVE-2023-24538_3.patch         | 393 ++++++++++++
>> >  .../go/go-1.14/CVE-2023-24538_4.patch         | 497 +++++++++++++++
>> >  .../go/go-1.14/CVE-2023-24538_5.patch         | 585 ++++++++++++++++++
>> >  ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++-
>> >  .../go/go-1.14/CVE-2023-39318.patch           |  38 +-
>> >  8 files changed, 2124 insertions(+), 20 deletions(-)
>> >  create mode 100644
>> meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
>> >  create mode 100644
>> meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
>> >  create mode 100644
>> meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
>> >  rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch =>
>> CVE-2023-24538_6.patch} (53%)
>> >
>> > diff --git a/meta/recipes-devtools/go/go-1.14.inc
>> b/meta/recipes-devtools/go/go-1.14.inc
>> > index be63f64825..091b778de8 100644
>> > --- a/meta/recipes-devtools/go/go-1.14.inc
>> > +++ b/meta/recipes-devtools/go/go-1.14.inc
>> > @@ -60,7 +60,10 @@ SRC_URI += "\
>> >      file://CVE-2023-24534.patch \
>> >      file://CVE-2023-24538-1.patch \
>> >      file://CVE-2023-24538-2.patch \
>> > -    file://CVE-2023-24538-3.patch \
>> > +    file://CVE-2023-24538_3.patch \
>> > +    file://CVE-2023-24538_4.patch \
>> > +    file://CVE-2023-24538_5.patch \
>> > +    file://CVE-2023-24538_6.patch \
>> >      file://CVE-2023-24539.patch \
>> >      file://CVE-2023-24540.patch \
>> >      file://CVE-2023-29405-1.patch \
>> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
>> b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
>> > index eda26e5ff6..23c5075e41 100644
>> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
>> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
>> > @@ -1,7 +1,7 @@
>> >  From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001
>> >  From: Brad Fitzpatrick <bradfitz@golang.org>
>> >  Date: Mon, 2 Aug 2021 14:55:51 -0700
>> > -Subject: [PATCH 1/3] net/netip: add new IP address package
>> > +Subject: [PATCH 1/6] net/netip: add new IP address package
>> >
>> >  Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati)
>> >  Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
>> > @@ -31,7 +31,7 @@ Trust: Brad Fitzpatrick <bradfitz@golang.org>
>> >
>> >  Dependency Patch #1
>> >
>> > -Upstream-Status: Backport [
>> https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
>> ]
>> > +Upstream-Status: Backport from
>> https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
>> >  CVE: CVE-2023-24538
>> >  Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
>> >  ---
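
Review bot: The Upstream-Status line in this hunk loses its bracketed reference ("Backport [<url>]" becomes "Backport from <url>"), a formatting change that has nothing to do with adding the missing files and is not mentioned in the commit message. Unless there is a reason to prefer the free-text form, drop this part of the change and keep only the [PATCH 1/6] renumbering from the hunk above, so the diff to CVE-2023-24538-1.patch stays limited to what the series renumbering requires.
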
>> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
>> b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
>> > index 5036f2890b..3840617a32 100644
>> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
>> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
>> > @@ -1,7 +1,7 @@
>> >  From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
>> >  From: empijei <robclap8@gmail.com>
>> >  Date: Fri, 27 Mar 2020 19:27:55 +0100
>> > -Subject: [PATCH 2/3] html/template,text/template: switch to Unicode
>> escapes
>> > +Subject: [PATCH 2/6] html/template,text/template: switch to Unicode
>> escapes
>> >   for JSON compatibility
>> >  MIME-Version: 1.0
>> >  Content-Type: text/plain; charset=UTF-8
>> > @@ -31,10 +31,238 @@ Upstream-Status: Backport from
>> https://github.com/golang/go/commit/d4d298040d072
>> >  CVE: CVE-2023-24538
>> >  Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
>> >  ---
>> > - src/html/template/js.go    | 70
>> +++++++++++++++++++++++++++-------------------
>> > - src/text/template/funcs.go |  8 +++---
>> > - 2 files changed, 46 insertions(+), 32 deletions(-)
>> > + src/html/template/content_test.go  | 70
>> +++++++++++++++++++-------------------
>> > + src/html/template/escape_test.go   |  6 ++--
>> > + src/html/template/example_test.go  |  6 ++--
>> > + src/html/template/js.go            | 70
>> +++++++++++++++++++++++---------------
>> > + src/html/template/js_test.go       | 68
>> ++++++++++++++++++------------------
>> > + src/html/template/template_test.go | 39 +++++++++++++++++++++
>> > + src/text/template/exec_test.go     |  6 ++--
>> > + src/text/template/funcs.go         |  8 ++---
>> > + 8 files changed, 163 insertions(+), 110 deletions(-)
>> >
>> > +diff --git a/src/html/template/content_test.go
>> b/src/html/template/content_test.go
>> > +index 72d56f5..bd86527 100644
>> > +--- a/src/html/template/content_test.go
>> > ++++ b/src/html/template/content_test.go
>> > +@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) {
>> > +               HTML(`Hello, <b>World</b> &amp;tc!`),
>> > +               HTMLAttr(` dir="ltr"`),
>> > +               JS(`c && alert("Hello, World!");`),
>> > +-              JSStr(`Hello, World & O'Reilly\x21`),
>> > ++              JSStr(`Hello, World & O'Reilly\u0021`),
>> > +               URL(`greeting=H%69,&addressee=(World)`),
>> > +               Srcset(`greeting=H%69,&addressee=(World) 2x,
>> https://golang.org/favicon.ico 500.5w`),
>> > +               URL(`,foo/,`),
>> > +@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) {
>> > +                               `Hello, <b>World</b> &amp;tc!`,
>> > +                               ` dir=&#34;ltr&#34;`,
>> > +                               `c &amp;&amp; alert(&#34;Hello,
>> World!&#34;);`,
>> > +-                              `Hello, World &amp; O&#39;Reilly\x21`,
>> > ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
>> > +                               `greeting=H%69,&amp;addressee=(World)`,
>> > +                               `greeting=H%69,&amp;addressee=(World)
>> 2x, https://golang.org/favicon.ico 500.5w`,
>> > +                               `,foo/,`,
>> > +@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) {
>> > +                               `Hello,&#32;World&#32;&amp;tc!`,
>> > +                               `&#32;dir&#61;&#34;ltr&#34;`,
>> > +
>>  `c&#32;&amp;&amp;&#32;alert(&#34;Hello,&#32;World!&#34;);`,
>> > +-
>> `Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\x21`,
>> > ++
>> `Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\u0021`,
>> > +
>>  `greeting&#61;H%69,&amp;addressee&#61;(World)`,
>> > +
>>  `greeting&#61;H%69,&amp;addressee&#61;(World)&#32;2x,&#32;
>> https://golang.org/favicon.ico&#32;500.5w`
>> <https://golang.org/favicon.ico&#32;500.5w>,
>> > +                               `,foo/,`,
>> > +@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) {
>> > +                               `Hello, World &amp;tc!`,
>> > +                               ` dir=&#34;ltr&#34;`,
>> > +                               `c &amp;&amp; alert(&#34;Hello,
>> World!&#34;);`,
>> > +-                              `Hello, World &amp; O&#39;Reilly\x21`,
>> > ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
>> > +                               `greeting=H%69,&amp;addressee=(World)`,
>> > +                               `greeting=H%69,&amp;addressee=(World)
>> 2x, https://golang.org/favicon.ico 500.5w`,
>> > +                               `,foo/,`,
>> > +@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) {
>> > +                               `Hello, &lt;b&gt;World&lt;/b&gt;
>> &amp;tc!`,
>> > +                               ` dir=&#34;ltr&#34;`,
>> > +                               `c &amp;&amp; alert(&#34;Hello,
>> World!&#34;);`,
>> > +-                              `Hello, World &amp; O&#39;Reilly\x21`,
>> > ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
>> > +                               `greeting=H%69,&amp;addressee=(World)`,
>> > +                               `greeting=H%69,&amp;addressee=(World)
>> 2x, https://golang.org/favicon.ico 500.5w`,
>> > +                               `,foo/,`,
>> > +@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) {
>> > +                               // Not escaped.
>> > +                               `c && alert("Hello, World!");`,
>> > +                               // Escape sequence not over-escaped.
>> > +-                              `"Hello, World & O'Reilly\x21"`,
>> > ++                              `"Hello, World & O'Reilly\u0021"`,
>> > +
>>  `"greeting=H%69,\u0026addressee=(World)"`,
>> > +                               `"greeting=H%69,\u0026addressee=(World)
>> 2x, https://golang.org/favicon.ico 500.5w"`,
>> > +                               `",foo/,"`,
>> > +@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) {
>> > +                               // Not JS escaped but HTML escaped.
>> > +                               `c &amp;&amp; alert(&#34;Hello,
>> World!&#34;);`,
>> > +                               // Escape sequence not over-escaped.
>> > +-                              `&#34;Hello, World &amp;
>> O&#39;Reilly\x21&#34;`,
>> > ++                              `&#34;Hello, World &amp;
>> O&#39;Reilly\u0021&#34;`,
>> > +
>>  `&#34;greeting=H%69,\u0026addressee=(World)&#34;`,
>> > +
>>  `&#34;greeting=H%69,\u0026addressee=(World) 2x,
>> https://golang.org/favicon.ico 500.5w&#34;`,
>> > +                               `&#34;,foo/,&#34;`,
>> > +@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) {
>> > +               {
>> > +                       `<script>alert("{{.}}")</script>`,
>> > +                       []string{
>> > +-                              `\x3cb\x3e \x22foo%\x22 O\x27Reilly
>> \x26bar;`,
>> > +-                              `a[href =~ \x22\/\/example.com
>> \x22]#foo`,
>> > +-                              `Hello, \x3cb\x3eWorld\x3c\/b\x3e
>> \x26amp;tc!`,
>> > +-                              ` dir=\x22ltr\x22`,
>> > +-                              `c \x26\x26 alert(\x22Hello,
>> World!\x22);`,
>> > ++                              `\u003cb\u003e \u0022foo%\u0022
>> O\u0027Reilly \u0026bar;`,
>> > ++                              `a[href =~ \u0022\/\/example.com
>> \u0022]#foo`,
>> > ++                              `Hello,
>> \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
>> > ++                              ` dir=\u0022ltr\u0022`,
>> > ++                              `c \u0026\u0026 alert(\u0022Hello,
>> World!\u0022);`,
>> > +                               // Escape sequence not over-escaped.
>> > +-                              `Hello, World \x26 O\x27Reilly\x21`,
>> > +-                              `greeting=H%69,\x26addressee=(World)`,
>> > +-                              `greeting=H%69,\x26addressee=(World)
>> 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
>> > ++                              `Hello, World \u0026
>> O\u0027Reilly\u0021`,
>> > ++                              `greeting=H%69,\u0026addressee=(World)`,
>> > ++                              `greeting=H%69,\u0026addressee=(World)
>> 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
>> > +                               `,foo\/,`,
>> > +                       },
>> > +               },
>> > +               {
>> > +                       `<script
>> type="text/javascript">alert("{{.}}")</script>`,
>> > +                       []string{
>> > +-                              `\x3cb\x3e \x22foo%\x22 O\x27Reilly
>> \x26bar;`,
>> > +-                              `a[href =~ \x22\/\/example.com
>> \x22]#foo`,
>> > +-                              `Hello, \x3cb\x3eWorld\x3c\/b\x3e
>> \x26amp;tc!`,
>> > +-                              ` dir=\x22ltr\x22`,
>> > +-                              `c \x26\x26 alert(\x22Hello,
>> World!\x22);`,
>> > ++                              `\u003cb\u003e \u0022foo%\u0022
>> O\u0027Reilly \u0026bar;`,
>> > ++                              `a[href =~ \u0022\/\/example.com
>> \u0022]#foo`,
>> > ++                              `Hello,
>> \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
>> > ++                              ` dir=\u0022ltr\u0022`,
>> > ++                              `c \u0026\u0026 alert(\u0022Hello,
>> World!\u0022);`,
>> > +                               // Escape sequence not over-escaped.
>> > +-                              `Hello, World \x26 O\x27Reilly\x21`,
>> > +-                              `greeting=H%69,\x26addressee=(World)`,
>> > +-                              `greeting=H%69,\x26addressee=(World)
>> 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
>> > ++                              `Hello, World \u0026
>> O\u0027Reilly\u0021`,
>> > ++                              `greeting=H%69,\u0026addressee=(World)`,
>> > ++                              `greeting=H%69,\u0026addressee=(World)
>> 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
>> > +                               `,foo\/,`,
>> > +                       },
>> > +               },
>> > +@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) {
>> > +                               // Not escaped.
>> > +                               `c && alert("Hello, World!");`,
>> > +                               // Escape sequence not over-escaped.
>> > +-                              `"Hello, World & O'Reilly\x21"`,
>> > ++                              `"Hello, World & O'Reilly\u0021"`,
>> > +
>>  `"greeting=H%69,\u0026addressee=(World)"`,
>> > +                               `"greeting=H%69,\u0026addressee=(World)
>> 2x, https://golang.org/favicon.ico 500.5w"`,
>> > +                               `",foo/,"`,
>> > +@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) {
>> > +                               `Hello, <b>World</b> &amp;tc!`,
>> > +                               ` dir=&#34;ltr&#34;`,
>> > +                               `c &amp;&amp; alert(&#34;Hello,
>> World!&#34;);`,
>> > +-                              `Hello, World &amp; O&#39;Reilly\x21`,
>> > ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
>> > +                               `greeting=H%69,&amp;addressee=(World)`,
>> > +                               `greeting=H%69,&amp;addressee=(World)
>> 2x, https://golang.org/favicon.ico 500.5w`,
>> > +                               `,foo/,`,
>> > +@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) {
>> > +               {
>> > +                       `<button onclick='alert("{{.}}")'>`,
>> > +                       []string{
>> > +-                              `\x3cb\x3e \x22foo%\x22 O\x27Reilly
>> \x26bar;`,
>> > +-                              `a[href =~ \x22\/\/example.com
>> \x22]#foo`,
>> > +-                              `Hello, \x3cb\x3eWorld\x3c\/b\x3e
>> \x26amp;tc!`,
>> > +-                              ` dir=\x22ltr\x22`,
>> > +-                              `c \x26\x26 alert(\x22Hello,
>> World!\x22);`,
>> > ++                              `\u003cb\u003e \u0022foo%\u0022
>> O\u0027Reilly \u0026bar;`,
>> > ++                              `a[href =~ \u0022\/\/example.com
>> \u0022]#foo`,
>> > ++                              `Hello,
>> \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
>> > ++                              ` dir=\u0022ltr\u0022`,
>> > ++                              `c \u0026\u0026 alert(\u0022Hello,
>> World!\u0022);`,
>> > +                               // Escape sequence not over-escaped.
>> > +-                              `Hello, World \x26 O\x27Reilly\x21`,
>> > +-                              `greeting=H%69,\x26addressee=(World)`,
>> > +-                              `greeting=H%69,\x26addressee=(World)
>> 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
>> > ++                              `Hello, World \u0026
>> O\u0027Reilly\u0021`,
>> > ++                              `greeting=H%69,\u0026addressee=(World)`,
>> > ++                              `greeting=H%69,\u0026addressee=(World)
>> 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
>> > +                               `,foo\/,`,
>> > +                       },
>> > +               },
>> > +@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) {
>> > +
>>  `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
>> > +                               `%20dir%3d%22ltr%22`,
>> > +
>>  `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
>> > +-
>> `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
>> > ++
>> `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
>> > +                               // Quotes and parens are escaped but
>> %69 is not over-escaped. HTML escaping is done.
>> > +
>>  `greeting=H%69,&amp;addressee=%28World%29`,
>> > +
>>  `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%
>> 2fgolang.org%2ffavicon.ico%20500.5w`,
>> > +@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) {
>> > +
>>  `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
>> > +                               `%20dir%3d%22ltr%22`,
>> > +
>>  `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
>> > +-
>> `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
>> > ++
>> `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
>> > +                               // Quotes and parens are escaped but
>> %69 is not over-escaped. HTML escaping is not done.
>> > +                               `greeting=H%69,&addressee=%28World%29`,
>> > +
>>  `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%
>> 2fgolang.org%2ffavicon.ico%20500.5w`,
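
Review bot: Every change carried for content_test.go is a test expectation update (\x21 to \u0021, \x3c to \u003c and so on), and the commit message does not say why test files have to be part of the recipe's backport. If they are included so that CVE-2023-24538_3 to _6 apply against upstream context, state that in the message; that also tells the next person whether the test hunks can be dropped when they conflict. Note also that the first hunk changes the JSStr input itself from \x21 to \u0021, so after this patch no case under "Escape sequence not over-escaped" feeds in an already \x-escaped string.
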
>> > +diff --git a/src/html/template/escape_test.go
>> b/src/html/template/escape_test.go
>> > +index e72a9ba..c709660 100644
>> > +--- a/src/html/template/escape_test.go
>> > ++++ b/src/html/template/escape_test.go
>> > +@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) {
>> > +               {
>> > +                       "jsStr",
>> > +                       "<button onclick='alert(&quot;{{.H}}&quot;)'>",
>> > +-                      `<button
>> onclick='alert(&quot;\x3cHello\x3e&quot;)'>`,
>> > ++                      `<button
>> onclick='alert(&quot;\u003cHello\u003e&quot;)'>`,
>> > +               },
>> > +               {
>> > +                       "badMarshaler",
>> > +@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) {
>> > +               {
>> > +                       "jsRe",
>> > +                       `<button
>> onclick='alert(/{{"foo+bar"}}/.test(""))'>`,
>> > +-                      `<button
>> onclick='alert(/foo\x2bbar/.test(""))'>`,
>> > ++                      `<button
>> onclick='alert(/foo\u002bbar/.test(""))'>`,
>> > +               },
>> > +               {
>> > +                       "jsReBlank",
>> > +@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) {
>> > +                               "main":   `<button
>> onclick="title='{{template "helper"}}'; ...">{{template
>> "helper"}}</button>`,
>> > +                               "helper": `{{11}} of {{"<100>"}}`,
>> > +                       },
>> > +-                      `<button onclick="title='11 of \x3c100\x3e';
>> ...">11 of &lt;100&gt;</button>`,
>> > ++                      `<button onclick="title='11 of
>> \u003c100\u003e'; ...">11 of &lt;100&gt;</button>`,
>> > +               },
>> > +               // A non-recursive template that ends in a different
>> context.
>> > +               // helper starts in jsCtxRegexp and ends in jsCtxDivOp.
>> > +diff --git a/src/html/template/example_test.go
>> b/src/html/template/example_test.go
>> > +index 9d965f1..6cf936f 100644
>> > +--- a/src/html/template/example_test.go
>> > ++++ b/src/html/template/example_test.go
>> > +@@ -116,9 +116,9 @@ func Example_escape() {
>> > +       // &#34;Fran &amp; Freddie&#39;s Diner&#34; &
>> lt;tasty@example.com&gt;
>> > +       // &#34;Fran &amp; Freddie&#39;s Diner&#34; &
>> lt;tasty@example.com&gt;
>> > +       // &#34;Fran &amp; Freddie&#39;s Diner&#
>> 34;32&lt;tasty@example.com&gt;
>> > +-      // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
>> > +-      // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
>> > +-      // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E
>> > ++      // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com
>> \u003E
>> > ++      // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com
>> \u003E
>> > ++      // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com
>> \u003E
>> > +       // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E
>> > +
>> > + }
>> >  diff --git a/src/html/template/js.go b/src/html/template/js.go
>> >  index 0e91458..ea9c183 100644
>> >  --- a/src/html/template/js.go
>> > @@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644
>> >         '?':  `\?`,
>> >         '[':  `\[`,
>> >         '\\': `\\`,
>> > +diff --git a/src/html/template/js_test.go
>> b/src/html/template/js_test.go
>> > +index 075adaa..d7ee47b 100644
>> > +--- a/src/html/template/js_test.go
>> > ++++ b/src/html/template/js_test.go
>> > +@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) {
>> > +               {"foo", `"foo"`},
>> > +               // Newlines.
>> > +               {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
>> > +-              // "\v" == "v" on IE 6 so use "\x0b" instead.
>> > ++              // "\v" == "v" on IE 6 so use "\u000b" instead.
>> > +               {"\t\x0b", `"\t\u000b"`},
>> > +               {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
>> > +               {[]interface{}{}, "[]"},
>> > +@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) {
>> > +       }{
>> > +               {"", ``},
>> > +               {"foo", `foo`},
>> > +-              {"\u0000", `\0`},
>> > ++              {"\u0000", `\u0000`},
>> > +               {"\t", `\t`},
>> > +               {"\n", `\n`},
>> > +               {"\r", `\r`},
>> > +@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) {
>> > +               {"\\n", `\\n`},
>> > +               {"foo\r\nbar", `foo\r\nbar`},
>> > +               // Preserve attribute boundaries.
>> > +-              {`"`, `\x22`},
>> > +-              {`'`, `\x27`},
>> > ++              {`"`, `\u0022`},
>> > ++              {`'`, `\u0027`},
>> > +               // Allow embedding in HTML without further escaping.
>> > +-              {`&amp;`, `\x26amp;`},
>> > ++              {`&amp;`, `\u0026amp;`},
>> > +               // Prevent breaking out of text node and element
>> boundaries.
>> > +-              {"</script>", `\x3c\/script\x3e`},
>> > +-              {"<![CDATA[", `\x3c![CDATA[`},
>> > +-              {"]]>", `]]\x3e`},
>> > ++              {"</script>", `\u003c\/script\u003e`},
>> > ++              {"<![CDATA[", `\u003c![CDATA[`},
>> > ++              {"]]>", `]]\u003e`},
>> > +               //
>> https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
>> > +               //   "The text in style, script, title, and textarea
>> elements
>> > +               //   must not have an escaping text span start that is
>> not
>> > +@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) {
>> > +               // allow regular text content to be interpreted as
>> script
>> > +               // allowing script execution via a combination of a JS
>> string
>> > +               // injection followed by an HTML text injection.
>> > +-              {"<!--", `\x3c!--`},
>> > +-              {"-->", `--\x3e`},
>> > ++              {"<!--", `\u003c!--`},
>> > ++              {"-->", `--\u003e`},
>> > +               // From
>> https://code.google.com/p/doctype/wiki/ArticleUtf7
>> > +               {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
>> > +-
>> `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,
>> > ++
>> `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,
>> > +               },
>> > +               // Invalid UTF-8 sequence
>> > +               {"foo\xA0bar", "foo\xA0bar"},
>> > +@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) {
>> > +       }{
>> > +               {"", `(?:)`},
>> > +               {"foo", `foo`},
>> > +-              {"\u0000", `\0`},
>> > ++              {"\u0000", `\u0000`},
>> > +               {"\t", `\t`},
>> > +               {"\n", `\n`},
>> > +               {"\r", `\r`},
>> > +@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) {
>> > +               {"\\n", `\\n`},
>> > +               {"foo\r\nbar", `foo\r\nbar`},
>> > +               // Preserve attribute boundaries.
>> > +-              {`"`, `\x22`},
>> > +-              {`'`, `\x27`},
>> > ++              {`"`, `\u0022`},
>> > ++              {`'`, `\u0027`},
>> > +               // Allow embedding in HTML without further escaping.
>> > +-              {`&amp;`, `\x26amp;`},
>> > ++              {`&amp;`, `\u0026amp;`},
>> > +               // Prevent breaking out of text node and element
>> boundaries.
>> > +-              {"</script>", `\x3c\/script\x3e`},
>> > +-              {"<![CDATA[", `\x3c!\[CDATA\[`},
>> > +-              {"]]>", `\]\]\x3e`},
>> > ++              {"</script>", `\u003c\/script\u003e`},
>> > ++              {"<![CDATA[", `\u003c!\[CDATA\[`},
>> > ++              {"]]>", `\]\]\u003e`},
>> > +               // Escaping text spans.
>> > +-              {"<!--", `\x3c!\-\-`},
>> > +-              {"-->", `\-\-\x3e`},
>> > ++              {"<!--", `\u003c!\-\-`},
>> > ++              {"-->", `\-\-\u003e`},
>> > +               {"*", `\*`},
>> > +-              {"+", `\x2b`},
>> > ++              {"+", `\u002b`},
>> > +               {"?", `\?`},
>> > +               {"[](){}", `\[\]\(\)\{\}`},
>> > +               {"$foo|x.y", `\$foo\|x\.y`},
>> > +@@ -284,27 +284,27 @@ func
>> TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
>> > +               {
>> > +                       "jsStrEscaper",
>> > +                       jsStrEscaper,
>> > +-                      "\\0\x01\x02\x03\x04\x05\x06\x07" +
>> > +-                              "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
>> > +-                              "\x10\x11\x12\x13\x14\x15\x16\x17" +
>> > +-                              "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
>> > +-                              ` !\x22#$%\x26\x27()*\x2b,-.\/` +
>> > +-                              `0123456789:;\x3c=\x3e?` +
>> > ++
>> `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
>> > ++                              `\u0008\t\n\u000b\f\r\u000e\u000f` +
>> > ++
>> `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
>> > ++
>> `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
>> > ++                              ` !\u0022#$%\u0026\u0027()*\u002b,-.\/`
>> +
>> > ++                              `0123456789:;\u003c=\u003e?` +
>> > +                               `@ABCDEFGHIJKLMNO` +
>> > +                               `PQRSTUVWXYZ[\\]^_` +
>> > +                               "`abcdefghijklmno" +
>> > +-                              "pqrstuvwxyz{|}~\x7f" +
>> > ++                              "pqrstuvwxyz{|}~\u007f" +
>> > +
>>  "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
>> > +               },
>> > +               {
>> > +                       "jsRegexpEscaper",
>> > +                       jsRegexpEscaper,
>> > +-                      "\\0\x01\x02\x03\x04\x05\x06\x07" +
>> > +-                              "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
>> > +-                              "\x10\x11\x12\x13\x14\x15\x16\x17" +
>> > +-                              "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
>> > +-                              ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` +
>> > +-                              `0123456789:;\x3c=\x3e\?` +
>> > ++
>> `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
>> > ++                              `\u0008\t\n\u000b\f\r\u000e\u000f` +
>> > ++
>> `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
>> > ++
>> `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
>> > ++                              `
>> !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` +
>> > ++                              `0123456789:;\u003c=\u003e\?` +
>> > +                               `@ABCDEFGHIJKLMNO` +
>> > +                               `PQRSTUVWXYZ\[\\\]\^_` +
>> > +                               "`abcdefghijklmno" +
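
Review bot: The new expectations for jsStrEscaper and jsRegexpEscaper change which characters are escaped, not only how the escape is spelled, and the patch header should say so. The removed lines are interpreted string literals, so "\x01" to "\x08" and "\x0E" to "\x1f" stood for raw control bytes that passed through unchanged, while the added raw-string lines expect the literal text \u0001 ... \u001f for the same inputs. By contrast, the jsStrEscaper line ending in "\u007f" is still an interpreted literal, so DEL remains a raw byte there and only the notation moved. Suggest adding a line to the description of CVE-2023-24538-2.patch noting that C0 control characters are now emitted as \u00XX, since anything downstream that compares rendered output byte for byte will see a difference.
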
>> > +diff --git a/src/html/template/template_test.go
>> b/src/html/template/template_test.go
>> > +index 13e6ba4..86bd4db 100644
>> > +--- a/src/html/template/template_test.go
>> > ++++ b/src/html/template/template_test.go
>> > +@@ -6,6 +6,7 @@ package template_test
>> > +
>> > + import (
>> > +       "bytes"
>> > ++      "encoding/json"
>> > +       . "html/template"
>> > +       "strings"
>> > +       "testing"
>> > +@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) {
>> > +       c.mustExecute(c.root, nil, "12.34 7.5")
>> > + }
>> > +
>> > ++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t
>> *testing.T) {
>> > ++      // See #33671 and #37634 for more context on this.
>> > ++      tests := []struct{ name, in string }{
>> > ++              {"empty", ""},
>> > ++              {"invalid", string(rune(-1))},
>> > ++              {"null", "\u0000"},
>> > ++              {"unit separator", "\u001F"},
>> > ++              {"tab", "\t"},
>> > ++              {"gt and lt", "<>"},
>> > ++              {"quotes", `'"`},
>> > ++              {"ASCII letters", "ASCII letters"},
>> > ++              {"Unicode", "ʕ⊙ϖ⊙ʔ"},
>> > ++              {"Pizza", "
Steve Sakoman Oct. 3, 2023, 4:33 p.m. UTC | #4
On Tue, Oct 3, 2023 at 3:49 AM Shubham Kulkarni <skulkarni@mvista.com> wrote:
>
> Hi Steve,
>
> I have recreated the patch from scratch for dunfell and sent it as v4 - https://lists.openembedded.org/g/openembedded-core/message/188639
> The issue in v3 might be due to whitespace. But v4 should be good.

Sorry, it still fails:

Applying: go: Update fix for CVE-2023-24538 & CVE-2023-39318
error: corrupt patch at line 1074
error: could not build fake ancestor

To debug, try downloading your patch from the list and then applying
it to the dunfell HEAD.

Alternatively, you could download from patchwork:
https://patchwork.yoctoproject.org/project/oe-core/patch/20231003134246.24630-1-skulkarni@mvista.com/

Steve

> On Sat, Sep 30, 2023 at 9:11 PM Shubham Kulkarni via lists.openembedded.org <skulkarni=mvista.com@lists.openembedded.org> wrote:
>>
>> Apologies Steve,
>>
>> I will look into the issue and send a new patch for Dunfell. It worked for me on my machine. Maybe something I missed.
>>
>> Thanks,
>> Shubham Kulkarni
>>
>> On Sat, Sep 30, 2023 at 8:02 AM Steve Sakoman <steve@sakoman.com> wrote:
>>>
>>> Sorry, this patch doesn't apply:
>>>
>>> Applying: go: Update fix for CVE-2023-24538 & CVE-2023-39318
>>> error: corrupt patch at line 478
>>> error: could not build fake ancestor
>>> Patch failed at 0001 go: Update fix for CVE-2023-24538 & CVE-2023-39318
>>>
>>> Steve
>>>
>>> On Fri, Sep 29, 2023 at 9:21 AM Shubham Kulkarni via
>>> lists.openembedded.org <skulkarni=mvista.com@lists.openembedded.org>
>>> wrote:
>>> >
>>> > From: Shubham Kulkarni <skulkarni@mvista.com>
>>> >
>>> > Add missing files in fix for CVE-2023-24538 & CVE-2023-39318
>>> >
>>> > Upstream Link -
>>> > CVE-2023-24538: https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b
>>> > CVE-2023-39318: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c
>>> >
>>> > Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
>>> > ---
>>> >  meta/recipes-devtools/go/go-1.14.inc          |   5 +-
>>> >  .../go/go-1.14/CVE-2023-24538-1.patch         |   4 +-
>>> >  .../go/go-1.14/CVE-2023-24538-2.patch         | 447 ++++++++++++-
>>> >  .../go/go-1.14/CVE-2023-24538_3.patch         | 393 ++++++++++++
>>> >  .../go/go-1.14/CVE-2023-24538_4.patch         | 497 +++++++++++++++
>>> >  .../go/go-1.14/CVE-2023-24538_5.patch         | 585 ++++++++++++++++++
>>> >  ...3-24538-3.patch => CVE-2023-24538_6.patch} | 175 +++++-
>>> >  .../go/go-1.14/CVE-2023-39318.patch           |  38 +-
>>> >  8 files changed, 2124 insertions(+), 20 deletions(-)
>>> >  create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_3.patch
>>> >  create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_4.patch
>>> >  create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538_5.patch
>>> >  rename meta/recipes-devtools/go/go-1.14/{CVE-2023-24538-3.patch => CVE-2023-24538_6.patch} (53%)
>>> >
>>> > diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
>>> > index be63f64825..091b778de8 100644
>>> > --- a/meta/recipes-devtools/go/go-1.14.inc
>>> > +++ b/meta/recipes-devtools/go/go-1.14.inc
>>> > @@ -60,7 +60,10 @@ SRC_URI += "\
>>> >      file://CVE-2023-24534.patch \
>>> >      file://CVE-2023-24538-1.patch \
>>> >      file://CVE-2023-24538-2.patch \
>>> > -    file://CVE-2023-24538-3.patch \
>>> > +    file://CVE-2023-24538_3.patch \
>>> > +    file://CVE-2023-24538_4.patch \
>>> > +    file://CVE-2023-24538_5.patch \
>>> > +    file://CVE-2023-24538_6.patch \
>>> >      file://CVE-2023-24539.patch \
>>> >      file://CVE-2023-24540.patch \
>>> >      file://CVE-2023-29405-1.patch \
>>> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
>>> > index eda26e5ff6..23c5075e41 100644
>>> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
>>> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
>>> > @@ -1,7 +1,7 @@
>>> >  From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001
>>> >  From: Brad Fitzpatrick <bradfitz@golang.org>
>>> >  Date: Mon, 2 Aug 2021 14:55:51 -0700
>>> > -Subject: [PATCH 1/3] net/netip: add new IP address package
>>> > +Subject: [PATCH 1/6] net/netip: add new IP address package
>>> >
>>> >  Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati)
>>> >  Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
>>> > @@ -31,7 +31,7 @@ Trust: Brad Fitzpatrick <bradfitz@golang.org>
>>> >
>>> >  Dependency Patch #1
>>> >
>>> > -Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0]
>>> > +Upstream-Status: Backport from https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
>>> >  CVE: CVE-2023-24538
>>> >  Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
>>> >  ---
>>> > diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
>>> > index 5036f2890b..3840617a32 100644
>>> > --- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
>>> > +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
>>> > @@ -1,7 +1,7 @@
>>> >  From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
>>> >  From: empijei <robclap8@gmail.com>
>>> >  Date: Fri, 27 Mar 2020 19:27:55 +0100
>>> > -Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes
>>> > +Subject: [PATCH 2/6] html/template,text/template: switch to Unicode escapes
>>> >   for JSON compatibility
>>> >  MIME-Version: 1.0
>>> >  Content-Type: text/plain; charset=UTF-8
>>> > @@ -31,10 +31,238 @@ Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072
>>> >  CVE: CVE-2023-24538
>>> >  Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
>>> >  ---
>>> > - src/html/template/js.go    | 70 +++++++++++++++++++++++++++-------------------
>>> > - src/text/template/funcs.go |  8 +++---
>>> > - 2 files changed, 46 insertions(+), 32 deletions(-)
>>> > + src/html/template/content_test.go  | 70 +++++++++++++++++++-------------------
>>> > + src/html/template/escape_test.go   |  6 ++--
>>> > + src/html/template/example_test.go  |  6 ++--
>>> > + src/html/template/js.go            | 70 +++++++++++++++++++++++---------------
>>> > + src/html/template/js_test.go       | 68 ++++++++++++++++++------------------
>>> > + src/html/template/template_test.go | 39 +++++++++++++++++++++
>>> > + src/text/template/exec_test.go     |  6 ++--
>>> > + src/text/template/funcs.go         |  8 ++---
>>> > + 8 files changed, 163 insertions(+), 110 deletions(-)
>>> >
>>> > +diff --git a/src/html/template/content_test.go b/src/html/template/content_test.go
>>> > +index 72d56f5..bd86527 100644
>>> > +--- a/src/html/template/content_test.go
>>> > ++++ b/src/html/template/content_test.go
>>> > +@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) {
>>> > +               HTML(`Hello, <b>World</b> &amp;tc!`),
>>> > +               HTMLAttr(` dir="ltr"`),
>>> > +               JS(`c && alert("Hello, World!");`),
>>> > +-              JSStr(`Hello, World & O'Reilly\x21`),
>>> > ++              JSStr(`Hello, World & O'Reilly\u0021`),
>>> > +               URL(`greeting=H%69,&addressee=(World)`),
>>> > +               Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`),
>>> > +               URL(`,foo/,`),
>>> > +@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) {
>>> > +                               `Hello, <b>World</b> &amp;tc!`,
>>> > +                               ` dir=&#34;ltr&#34;`,
>>> > +                               `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
>>> > +-                              `Hello, World &amp; O&#39;Reilly\x21`,
>>> > ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
>>> > +                               `greeting=H%69,&amp;addressee=(World)`,
>>> > +                               `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
>>> > +                               `,foo/,`,
>>> > +@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) {
>>> > +                               `Hello,&#32;World&#32;&amp;tc!`,
>>> > +                               `&#32;dir&#61;&#34;ltr&#34;`,
>>> > +                               `c&#32;&amp;&amp;&#32;alert(&#34;Hello,&#32;World!&#34;);`,
>>> > +-                              `Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\x21`,
>>> > ++                              `Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\u0021`,
>>> > +                               `greeting&#61;H%69,&amp;addressee&#61;(World)`,
>>> > +                               `greeting&#61;H%69,&amp;addressee&#61;(World)&#32;2x,&#32;https://golang.org/favicon.ico&#32;500.5w`,
>>> > +                               `,foo/,`,
>>> > +@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) {
>>> > +                               `Hello, World &amp;tc!`,
>>> > +                               ` dir=&#34;ltr&#34;`,
>>> > +                               `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
>>> > +-                              `Hello, World &amp; O&#39;Reilly\x21`,
>>> > ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
>>> > +                               `greeting=H%69,&amp;addressee=(World)`,
>>> > +                               `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
>>> > +                               `,foo/,`,
>>> > +@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) {
>>> > +                               `Hello, &lt;b&gt;World&lt;/b&gt; &amp;tc!`,
>>> > +                               ` dir=&#34;ltr&#34;`,
>>> > +                               `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
>>> > +-                              `Hello, World &amp; O&#39;Reilly\x21`,
>>> > ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
>>> > +                               `greeting=H%69,&amp;addressee=(World)`,
>>> > +                               `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
>>> > +                               `,foo/,`,
>>> > +@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) {
>>> > +                               // Not escaped.
>>> > +                               `c && alert("Hello, World!");`,
>>> > +                               // Escape sequence not over-escaped.
>>> > +-                              `"Hello, World & O'Reilly\x21"`,
>>> > ++                              `"Hello, World & O'Reilly\u0021"`,
>>> > +                               `"greeting=H%69,\u0026addressee=(World)"`,
>>> > +                               `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
>>> > +                               `",foo/,"`,
>>> > +@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) {
>>> > +                               // Not JS escaped but HTML escaped.
>>> > +                               `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
>>> > +                               // Escape sequence not over-escaped.
>>> > +-                              `&#34;Hello, World &amp; O&#39;Reilly\x21&#34;`,
>>> > ++                              `&#34;Hello, World &amp; O&#39;Reilly\u0021&#34;`,
>>> > +                               `&#34;greeting=H%69,\u0026addressee=(World)&#34;`,
>>> > +                               `&#34;greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w&#34;`,
>>> > +                               `&#34;,foo/,&#34;`,
>>> > +@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) {
>>> > +               {
>>> > +                       `<script>alert("{{.}}")</script>`,
>>> > +                       []string{
>>> > +-                              `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
>>> > +-                              `a[href =~ \x22\/\/example.com\x22]#foo`,
>>> > +-                              `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
>>> > +-                              ` dir=\x22ltr\x22`,
>>> > +-                              `c \x26\x26 alert(\x22Hello, World!\x22);`,
>>> > ++                              `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
>>> > ++                              `a[href =~ \u0022\/\/example.com\u0022]#foo`,
>>> > ++                              `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
>>> > ++                              ` dir=\u0022ltr\u0022`,
>>> > ++                              `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
>>> > +                               // Escape sequence not over-escaped.
>>> > +-                              `Hello, World \x26 O\x27Reilly\x21`,
>>> > +-                              `greeting=H%69,\x26addressee=(World)`,
>>> > +-                              `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
>>> > ++                              `Hello, World \u0026 O\u0027Reilly\u0021`,
>>> > ++                              `greeting=H%69,\u0026addressee=(World)`,
>>> > ++                              `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
>>> > +                               `,foo\/,`,
>>> > +                       },
>>> > +               },
>>> > +               {
>>> > +                       `<script type="text/javascript">alert("{{.}}")</script>`,
>>> > +                       []string{
>>> > +-                              `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
>>> > +-                              `a[href =~ \x22\/\/example.com\x22]#foo`,
>>> > +-                              `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
>>> > +-                              ` dir=\x22ltr\x22`,
>>> > +-                              `c \x26\x26 alert(\x22Hello, World!\x22);`,
>>> > ++                              `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
>>> > ++                              `a[href =~ \u0022\/\/example.com\u0022]#foo`,
>>> > ++                              `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
>>> > ++                              ` dir=\u0022ltr\u0022`,
>>> > ++                              `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
>>> > +                               // Escape sequence not over-escaped.
>>> > +-                              `Hello, World \x26 O\x27Reilly\x21`,
>>> > +-                              `greeting=H%69,\x26addressee=(World)`,
>>> > +-                              `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
>>> > ++                              `Hello, World \u0026 O\u0027Reilly\u0021`,
>>> > ++                              `greeting=H%69,\u0026addressee=(World)`,
>>> > ++                              `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
>>> > +                               `,foo\/,`,
>>> > +                       },
>>> > +               },
>>> > +@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) {
>>> > +                               // Not escaped.
>>> > +                               `c && alert("Hello, World!");`,
>>> > +                               // Escape sequence not over-escaped.
>>> > +-                              `"Hello, World & O'Reilly\x21"`,
>>> > ++                              `"Hello, World & O'Reilly\u0021"`,
>>> > +                               `"greeting=H%69,\u0026addressee=(World)"`,
>>> > +                               `"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
>>> > +                               `",foo/,"`,
>>> > +@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) {
>>> > +                               `Hello, <b>World</b> &amp;tc!`,
>>> > +                               ` dir=&#34;ltr&#34;`,
>>> > +                               `c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
>>> > +-                              `Hello, World &amp; O&#39;Reilly\x21`,
>>> > ++                              `Hello, World &amp; O&#39;Reilly\u0021`,
>>> > +                               `greeting=H%69,&amp;addressee=(World)`,
>>> > +                               `greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
>>> > +                               `,foo/,`,
>>> > +@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) {
>>> > +               {
>>> > +                       `<button onclick='alert("{{.}}")'>`,
>>> > +                       []string{
>>> > +-                              `\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
>>> > +-                              `a[href =~ \x22\/\/example.com\x22]#foo`,
>>> > +-                              `Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
>>> > +-                              ` dir=\x22ltr\x22`,
>>> > +-                              `c \x26\x26 alert(\x22Hello, World!\x22);`,
>>> > ++                              `\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
>>> > ++                              `a[href =~ \u0022\/\/example.com\u0022]#foo`,
>>> > ++                              `Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
>>> > ++                              ` dir=\u0022ltr\u0022`,
>>> > ++                              `c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
>>> > +                               // Escape sequence not over-escaped.
>>> > +-                              `Hello, World \x26 O\x27Reilly\x21`,
>>> > +-                              `greeting=H%69,\x26addressee=(World)`,
>>> > +-                              `greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
>>> > ++                              `Hello, World \u0026 O\u0027Reilly\u0021`,
>>> > ++                              `greeting=H%69,\u0026addressee=(World)`,
>>> > ++                              `greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
>>> > +                               `,foo\/,`,
>>> > +                       },
>>> > +               },
>>> > +@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) {
>>> > +                               `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
>>> > +                               `%20dir%3d%22ltr%22`,
>>> > +                               `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
>>> > +-                              `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
>>> > ++                              `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
>>> > +                               // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is done.
>>> > +                               `greeting=H%69,&amp;addressee=%28World%29`,
>>> > +                               `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
>>> > +@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) {
>>> > +                               `Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
>>> > +                               `%20dir%3d%22ltr%22`,
>>> > +                               `c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
>>> > +-                              `Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
>>> > ++                              `Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
>>> > +                               // Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not done.
>>> > +                               `greeting=H%69,&addressee=%28World%29`,
>>> > +                               `greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
>>> > +diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
>>> > +index e72a9ba..c709660 100644
>>> > +--- a/src/html/template/escape_test.go
>>> > ++++ b/src/html/template/escape_test.go
>>> > +@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) {
>>> > +               {
>>> > +                       "jsStr",
>>> > +                       "<button onclick='alert(&quot;{{.H}}&quot;)'>",
>>> > +-                      `<button onclick='alert(&quot;\x3cHello\x3e&quot;)'>`,
>>> > ++                      `<button onclick='alert(&quot;\u003cHello\u003e&quot;)'>`,
>>> > +               },
>>> > +               {
>>> > +                       "badMarshaler",
>>> > +@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) {
>>> > +               {
>>> > +                       "jsRe",
>>> > +                       `<button onclick='alert(/{{"foo+bar"}}/.test(""))'>`,
>>> > +-                      `<button onclick='alert(/foo\x2bbar/.test(""))'>`,
>>> > ++                      `<button onclick='alert(/foo\u002bbar/.test(""))'>`,
>>> > +               },
>>> > +               {
>>> > +                       "jsReBlank",
>>> > +@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) {
>>> > +                               "main":   `<button onclick="title='{{template "helper"}}'; ...">{{template "helper"}}</button>`,
>>> > +                               "helper": `{{11}} of {{"<100>"}}`,
>>> > +                       },
>>> > +-                      `<button onclick="title='11 of \x3c100\x3e'; ...">11 of &lt;100&gt;</button>`,
>>> > ++                      `<button onclick="title='11 of \u003c100\u003e'; ...">11 of &lt;100&gt;</button>`,
>>> > +               },
>>> > +               // A non-recursive template that ends in a different context.
>>> > +               // helper starts in jsCtxRegexp and ends in jsCtxDivOp.
>>> > +diff --git a/src/html/template/example_test.go b/src/html/template/example_test.go
>>> > +index 9d965f1..6cf936f 100644
>>> > +--- a/src/html/template/example_test.go
>>> > ++++ b/src/html/template/example_test.go
>>> > +@@ -116,9 +116,9 @@ func Example_escape() {
>>> > +       // &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt;
>>> > +       // &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt;
>>> > +       // &#34;Fran &amp; Freddie&#39;s Diner&#34;32&lt;tasty@example.com&gt;
>>> > +-      // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
>>> > +-      // \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
>>> > +-      // \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E
>>> > ++      // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
>>> > ++      // \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
>>> > ++      // \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com\u003E
>>> > +       // %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E
>>> > +
>>> > + }
>>> >  diff --git a/src/html/template/js.go b/src/html/template/js.go
>>> >  index 0e91458..ea9c183 100644
>>> >  --- a/src/html/template/js.go
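
Review bot: every file this hunk adds to the embedded diffstat is a test (content_test.go, escape_test.go, example_test.go, js_test.go, template_test.go, exec_test.go), while the js.go and funcs.go counts stay at 70 and 8, yet the commit message says only "Add missing files" and never names them. Listing the added files there, and stating that the js.go and funcs.go changes already carried by CVE-2023-24538-2.patch are unchanged, would let anyone tracking the CVE fix see that this revision completes the backport's tests rather than altering the shipped escaping code.
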
>>> > @@ -173,6 +401,217 @@ index 0e91458..ea9c183 100644
>>> >         '?':  `\?`,
>>> >         '[':  `\[`,
>>> >         '\\': `\\`,
>>> > +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
>>> > +index 075adaa..d7ee47b 100644
>>> > +--- a/src/html/template/js_test.go
>>> > ++++ b/src/html/template/js_test.go
>>> > +@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) {
>>> > +               {"foo", `"foo"`},
>>> > +               // Newlines.
>>> > +               {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
>>> > +-              // "\v" == "v" on IE 6 so use "\x0b" instead.
>>> > ++              // "\v" == "v" on IE 6 so use "\u000b" instead.
>>> > +               {"\t\x0b", `"\t\u000b"`},
>>> > +               {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
>>> > +               {[]interface{}{}, "[]"},
>>> > +@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) {
>>> > +       }{
>>> > +               {"", ``},
>>> > +               {"foo", `foo`},
>>> > +-              {"\u0000", `\0`},
>>> > ++              {"\u0000", `\u0000`},
>>> > +               {"\t", `\t`},
>>> > +               {"\n", `\n`},
>>> > +               {"\r", `\r`},
>>> > +@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) {
>>> > +               {"\\n", `\\n`},
>>> > +               {"foo\r\nbar", `foo\r\nbar`},
>>> > +               // Preserve attribute boundaries.
>>> > +-              {`"`, `\x22`},
>>> > +-              {`'`, `\x27`},
>>> > ++              {`"`, `\u0022`},
>>> > ++              {`'`, `\u0027`},
>>> > +               // Allow embedding in HTML without further escaping.
>>> > +-              {`&amp;`, `\x26amp;`},
>>> > ++              {`&amp;`, `\u0026amp;`},
>>> > +               // Prevent breaking out of text node and element boundaries.
>>> > +-              {"</script>", `\x3c\/script\x3e`},
>>> > +-              {"<![CDATA[", `\x3c![CDATA[`},
>>> > +-              {"]]>", `]]\x3e`},
>>> > ++              {"</script>", `\u003c\/script\u003e`},
>>> > ++              {"<![CDATA[", `\u003c![CDATA[`},
>>> > ++              {"]]>", `]]\u003e`},
>>> > +               // https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
>>> > +               //   "The text in style, script, title, and textarea elements
>>> > +               //   must not have an escaping text span start that is not
>>> > +@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) {
>>> > +               // allow regular text content to be interpreted as script
>>> > +               // allowing script execution via a combination of a JS string
>>> > +               // injection followed by an HTML text injection.
>>> > +-              {"<!--", `\x3c!--`},
>>> > +-              {"-->", `--\x3e`},
>>> > ++              {"<!--", `\u003c!--`},
>>> > ++              {"-->", `--\u003e`},
>>> > +               // From https://code.google.com/p/doctype/wiki/ArticleUtf7
>>> > +               {"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
>>> > +-                      `\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,
>>> > ++                      `\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,
>>> > +               },
>>> > +               // Invalid UTF-8 sequence
>>> > +               {"foo\xA0bar", "foo\xA0bar"},
>>> > +@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) {
>>> > +       }{
>>> > +               {"", `(?:)`},
>>> > +               {"foo", `foo`},
>>> > +-              {"\u0000", `\0`},
>>> > ++              {"\u0000", `\u0000`},
>>> > +               {"\t", `\t`},
>>> > +               {"\n", `\n`},
>>> > +               {"\r", `\r`},
>>> > +@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) {
>>> > +               {"\\n", `\\n`},
>>> > +               {"foo\r\nbar", `foo\r\nbar`},
>>> > +               // Preserve attribute boundaries.
>>> > +-              {`"`, `\x22`},
>>> > +-              {`'`, `\x27`},
>>> > ++              {`"`, `\u0022`},
>>> > ++              {`'`, `\u0027`},
>>> > +               // Allow embedding in HTML without further escaping.
>>> > +-              {`&amp;`, `\x26amp;`},
>>> > ++              {`&amp;`, `\u0026amp;`},
>>> > +               // Prevent breaking out of text node and element boundaries.
>>> > +-              {"</script>", `\x3c\/script\x3e`},
>>> > +-              {"<![CDATA[", `\x3c!\[CDATA\[`},
>>> > +-              {"]]>", `\]\]\x3e`},
>>> > ++              {"</script>", `\u003c\/script\u003e`},
>>> > ++              {"<![CDATA[", `\u003c!\[CDATA\[`},
>>> > ++              {"]]>", `\]\]\u003e`},
>>> > +               // Escaping text spans.
>>> > +-              {"<!--", `\x3c!\-\-`},
>>> > +-              {"-->", `\-\-\x3e`},
>>> > ++              {"<!--", `\u003c!\-\-`},
>>> > ++              {"-->", `\-\-\u003e`},
>>> > +               {"*", `\*`},
>>> > +-              {"+", `\x2b`},
>>> > ++              {"+", `\u002b`},
>>> > +               {"?", `\?`},
>>> > +               {"[](){}", `\[\]\(\)\{\}`},
>>> > +               {"$foo|x.y", `\$foo\|x\.y`},
>>> > +@@ -284,27 +284,27 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
>>> > +               {
>>> > +                       "jsStrEscaper",
>>> > +                       jsStrEscaper,
>>> > +-                      "\\0\x01\x02\x03\x04\x05\x06\x07" +
>>> > +-                              "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
>>> > +-                              "\x10\x11\x12\x13\x14\x15\x16\x17" +
>>> > +-                              "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
>>> > +-                              ` !\x22#$%\x26\x27()*\x2b,-.\/` +
>>> > +-                              `0123456789:;\x3c=\x3e?` +
>>> > ++                      `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
>>> > ++                              `\u0008\t\n\u000b\f\r\u000e\u000f` +
>>> > ++                              `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
>>> > ++                              `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
>>> > ++                              ` !\u0022#$%\u0026\u0027()*\u002b,-.\/` +
>>> > ++                              `0123456789:;\u003c=\u003e?` +
>>> > +                               `@ABCDEFGHIJKLMNO` +
>>> > +                               `PQRSTUVWXYZ[\\]^_` +
>>> > +                               "`abcdefghijklmno" +
>>> > +-                              "pqrstuvwxyz{|}~\x7f" +
>>> > ++                              "pqrstuvwxyz{|}~\u007f" +
>>> > +                               "\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
>>> > +               },
>>> > +               {
>>> > +                       "jsRegexpEscaper",
>>> > +                       jsRegexpEscaper,
>>> > +-                      "\\0\x01\x02\x03\x04\x05\x06\x07" +
>>> > +-                              "\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
>>> > +-                              "\x10\x11\x12\x13\x14\x15\x16\x17" +
>>> > +-                              "\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
>>> > +-                              ` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` +
>>> > +-                              `0123456789:;\x3c=\x3e\?` +
>>> > ++                      `\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
>>> > ++                              `\u0008\t\n\u000b\f\r\u000e\u000f` +
>>> > ++                              `\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
>>> > ++                              `\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
>>> > ++                              ` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` +
>>> > ++                              `0123456789:;\u003c=\u003e\?` +
>>> > +                               `@ABCDEFGHIJKLMNO` +
>>> > +                               `PQRSTUVWXYZ\[\\\]\^_` +
>>> > +                               "`abcdefghijklmno" +
>>> > +diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go
>>> > +index 13e6ba4..86bd4db 100644
>>> > +--- a/src/html/template/template_test.go
>>> > ++++ b/src/html/template/template_test.go
>>> > +@@ -6,6 +6,7 @@ package template_test
>>> > +
>>> > + import (
>>> > +       "bytes"
>>> > ++      "encoding/json"
>>> > +       . "html/template"
>>> > +       "strings"
>>> > +       "testing"
>>> > +@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) {
>>> > +       c.mustExecute(c.root, nil, "12.34 7.5")
>>> > + }
>>> > +
>>> > ++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) {
>>> > ++      // See #33671 and #37634 for more context on this.
>>> > ++      tests := []struct{ name, in string }{
>>> > ++              {"empty", ""},
>>> > ++              {"invalid", string(rune(-1))},
>>> > ++              {"null", "\u0000"},
>>> > ++              {"unit separator", "\u001F"},
>>> > ++              {"tab", "\t"},
>>> > ++              {"gt and lt", "<>"},
>>> > ++              {"quotes", `'"`},
>>> > ++              {"ASCII letters", "ASCII letters"},
>>> > ++              {"Unicode", "ʕ⊙ϖ⊙ʔ"},
>>> > ++              {"Pizza", "
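
Review bot: the table added in TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped holds non-ASCII string literals ({"Unicode", "ʕ⊙ϖ⊙ʔ"} and the "Pizza" row after it), so this embedded patch only applies if every hop carries those bytes through unchanged, and the quoted copy here already stops inside the "Pizza" row. The embedded header declares "Content-Type: text/plain; charset=UTF-8", so the outer mail needs to preserve the same encoding. Before resending, apply the mail exactly as the list delivers it with git am on a clean dunfell checkout and confirm that it gets past the reported "corrupt patch at line 478".
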
Shubham Kulkarni Oct. 3, 2023, 5:23 p.m. UTC | #5
Hi Steve,

Thank you so much for sharing the patchwork link. I have figured out the
problem!
The issue is due to a special character used in the golang/go upstream
repository. Below are the details:

To fix CVE-2023-24538 in Dunfell, a dependent patch
https://github.com/golang/go/commit/d4d298040d needs to be backported (I
have backported it as CVE-2023-24538-2.patch). This patch includes a special
character line {"Pizza", "
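
A pre-send check for the kind of failure described in this message, as an added example that is not part of the original thread or of the OpenEmbedded tooling: it lists the lines of a patch that hold non-ASCII bytes and finds the first line where a received copy differs from the copy that was sent. The function names and sample bytes are constructed for illustration; the 4-byte row is made up, since the page's own "Pizza" line is cut off.

```python
"""Check a patch that embeds non-ASCII test data before and after mailing it."""
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    lineno: int            # 1-based line number in the patch file
    valid_utf8: bool       # False when the line's bytes do not decode as UTF-8
    codepoints: List[str]  # distinct non-ASCII code points, in order of appearance
    needs_4_bytes: bool    # True when a character lies outside the BMP


def find_non_ascii_lines(patch: bytes) -> List[Finding]:
    """Report every line that holds bytes >= 0x80 and whether it is valid UTF-8."""
    findings = []
    for lineno, raw in enumerate(patch.split(b"\n"), start=1):
        if raw.isascii():
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            # Damaged or re-encoded content: git am cannot match such a line.
            findings.append(Finding(lineno, False, [], False))
            continue
        seen: List[str] = []
        for ch in text:
            label = f"U+{ord(ch):04X}"
            if ord(ch) > 0x7F and label not in seen:
                seen.append(label)
        wide = any(ord(ch) > 0xFFFF for ch in text)
        findings.append(Finding(lineno, True, seen, wide))
    return findings


def first_divergence(sent: bytes, received: bytes) -> Optional[int]:
    """Return the 1-based number of the first differing line, or None if equal."""
    a, b = sent.split(b"\n"), received.split(b"\n")
    for lineno, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            return lineno
    return None if len(a) == len(b) else min(len(a), len(b)) + 1


# Constructed sample: rows shaped like the test table in the embedded patch.
# The "Constructed4Byte" row and its value are made up for this example.
SENT = (
    '+\t\t{"ASCII letters", "ASCII letters"},\n'
    '+\t\t{"Unicode", "ʕ⊙ϖ⊙ʔ"},\n'
    '+\t\t{"Constructed4Byte", "\U0001F600"},\n'
    '+\t}\n'
).encode("utf-8")

# Constructed "as received" copy: it ends two bytes into the 4-byte sequence.
RECEIVED = SENT[: SENT.index("\U0001F600".encode("utf-8")) + 2]

if __name__ == "__main__":
    for finding in find_non_ascii_lines(SENT):
        print(finding)
    print("first differing line:", first_divergence(SENT, RECEIVED))
```

Run it on the file produced by `git format-patch` and again on the copy downloaded from the list archive; a line that is valid in the first and invalid or missing in the second is where `git am` will stop.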

Patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index be63f64825..091b778de8 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -60,7 +60,10 @@  SRC_URI += "\
     file://CVE-2023-24534.patch \
     file://CVE-2023-24538-1.patch \
     file://CVE-2023-24538-2.patch \
-    file://CVE-2023-24538-3.patch \
+    file://CVE-2023-24538_3.patch \
+    file://CVE-2023-24538_4.patch \
+    file://CVE-2023-24538_5.patch \
+    file://CVE-2023-24538_6.patch \
     file://CVE-2023-24539.patch \
     file://CVE-2023-24540.patch \
     file://CVE-2023-29405-1.patch \
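
Review bot: the four added SRC_URI entries switch to an underscore (CVE-2023-24538_3.patch through CVE-2023-24538_6.patch) while the two entries kept just above them still use a hyphen (CVE-2023-24538-1.patch, CVE-2023-24538-2.patch), so one six-part series now carries two naming schemes. Keeping the hyphen for parts 3 to 6 would let the files sort and match as one set; if the underscore is deliberate, the commit message should say why.
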
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
index eda26e5ff6..23c5075e41 100644
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
@@ -1,7 +1,7 @@ 
 From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001
 From: Brad Fitzpatrick <bradfitz@golang.org>
 Date: Mon, 2 Aug 2021 14:55:51 -0700
-Subject: [PATCH 1/3] net/netip: add new IP address package
+Subject: [PATCH 1/6] net/netip: add new IP address package
 
 Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati)
 Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
@@ -31,7 +31,7 @@  Trust: Brad Fitzpatrick <bradfitz@golang.org>
 
 Dependency Patch #1
 
-Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0]
+Upstream-Status: Backport from https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0
 CVE: CVE-2023-24538
 Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
 ---
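
Review bot: the Upstream-Status line is rewritten from the bracketed form ("Backport [<commit URL>]") to free text ("Backport from <commit URL>"), a metadata change that the commit message ("Add missing files in fix for CVE-2023-24538 & CVE-2023-39318") does not mention. The context of the next file shows CVE-2023-24538-2.patch already using the "Backport from" wording, so the series needs one form throughout; keeping the bracketed form this file already had and converting the other patches to it would be the smaller change. Either way, the tag rewrite should be listed in the commit message.
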
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
index 5036f2890b..3840617a32 100644
--- a/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
@@ -1,7 +1,7 @@ 
 From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001
 From: empijei <robclap8@gmail.com>
 Date: Fri, 27 Mar 2020 19:27:55 +0100
-Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes
+Subject: [PATCH 2/6] html/template,text/template: switch to Unicode escapes
  for JSON compatibility
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -31,10 +31,238 @@  Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072
 CVE: CVE-2023-24538
 Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
 ---
- src/html/template/js.go    | 70 +++++++++++++++++++++++++++-------------------
- src/text/template/funcs.go |  8 +++---
- 2 files changed, 46 insertions(+), 32 deletions(-)
+ src/html/template/content_test.go  | 70 +++++++++++++++++++-------------------
+ src/html/template/escape_test.go   |  6 ++--
+ src/html/template/example_test.go  |  6 ++--
+ src/html/template/js.go            | 70 +++++++++++++++++++++++---------------
+ src/html/template/js_test.go       | 68 ++++++++++++++++++------------------
+ src/html/template/template_test.go | 39 +++++++++++++++++++++
+ src/text/template/exec_test.go     |  6 ++--
+ src/text/template/funcs.go         |  8 ++---
+ 8 files changed, 163 insertions(+), 110 deletions(-)
 
+diff --git a/src/html/template/content_test.go b/src/html/template/content_test.go
+index 72d56f5..bd86527 100644
+--- a/src/html/template/content_test.go
++++ b/src/html/template/content_test.go
+@@ -18,7 +18,7 @@ func TestTypedContent(t *testing.T) {
+		HTML(`Hello, <b>World</b> &amp;tc!`),
+		HTMLAttr(` dir="ltr"`),
+		JS(`c && alert("Hello, World!");`),
+-		JSStr(`Hello, World & O'Reilly\x21`),
++		JSStr(`Hello, World & O'Reilly\u0021`),
+		URL(`greeting=H%69,&addressee=(World)`),
+		Srcset(`greeting=H%69,&addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`),
+		URL(`,foo/,`),
+@@ -70,7 +70,7 @@ func TestTypedContent(t *testing.T) {
+				`Hello, <b>World</b> &amp;tc!`,
+				` dir=&#34;ltr&#34;`,
+				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+-				`Hello, World &amp; O&#39;Reilly\x21`,
++				`Hello, World &amp; O&#39;Reilly\u0021`,
+				`greeting=H%69,&amp;addressee=(World)`,
+				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+				`,foo/,`,
+@@ -100,7 +100,7 @@ func TestTypedContent(t *testing.T) {
+				`Hello,&#32;World&#32;&amp;tc!`,
+				`&#32;dir&#61;&#34;ltr&#34;`,
+				`c&#32;&amp;&amp;&#32;alert(&#34;Hello,&#32;World!&#34;);`,
+-				`Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\x21`,
++				`Hello,&#32;World&#32;&amp;&#32;O&#39;Reilly\u0021`,
+				`greeting&#61;H%69,&amp;addressee&#61;(World)`,
+				`greeting&#61;H%69,&amp;addressee&#61;(World)&#32;2x,&#32;https://golang.org/favicon.ico&#32;500.5w`,
+				`,foo/,`,
+@@ -115,7 +115,7 @@ func TestTypedContent(t *testing.T) {
+				`Hello, World &amp;tc!`,
+				` dir=&#34;ltr&#34;`,
+				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+-				`Hello, World &amp; O&#39;Reilly\x21`,
++				`Hello, World &amp; O&#39;Reilly\u0021`,
+				`greeting=H%69,&amp;addressee=(World)`,
+				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+				`,foo/,`,
+@@ -130,7 +130,7 @@ func TestTypedContent(t *testing.T) {
+				`Hello, &lt;b&gt;World&lt;/b&gt; &amp;tc!`,
+				` dir=&#34;ltr&#34;`,
+				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+-				`Hello, World &amp; O&#39;Reilly\x21`,
++				`Hello, World &amp; O&#39;Reilly\u0021`,
+				`greeting=H%69,&amp;addressee=(World)`,
+				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+				`,foo/,`,
+@@ -146,7 +146,7 @@ func TestTypedContent(t *testing.T) {
+				// Not escaped.
+				`c && alert("Hello, World!");`,
+				// Escape sequence not over-escaped.
+-				`"Hello, World & O'Reilly\x21"`,
++				`"Hello, World & O'Reilly\u0021"`,
+				`"greeting=H%69,\u0026addressee=(World)"`,
+				`"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
+				`",foo/,"`,
+@@ -162,7 +162,7 @@ func TestTypedContent(t *testing.T) {
+				// Not JS escaped but HTML escaped.
+				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+				// Escape sequence not over-escaped.
+-				`&#34;Hello, World &amp; O&#39;Reilly\x21&#34;`,
++				`&#34;Hello, World &amp; O&#39;Reilly\u0021&#34;`,
+				`&#34;greeting=H%69,\u0026addressee=(World)&#34;`,
+				`&#34;greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w&#34;`,
+				`&#34;,foo/,&#34;`,
+@@ -171,30 +171,30 @@ func TestTypedContent(t *testing.T) {
+		{
+			`<script>alert("{{.}}")</script>`,
+			[]string{
+-				`\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
+-				`a[href =~ \x22\/\/example.com\x22]#foo`,
+-				`Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
+-				` dir=\x22ltr\x22`,
+-				`c \x26\x26 alert(\x22Hello, World!\x22);`,
++				`\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
++				`a[href =~ \u0022\/\/example.com\u0022]#foo`,
++				`Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
++				` dir=\u0022ltr\u0022`,
++				`c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
+				// Escape sequence not over-escaped.
+-				`Hello, World \x26 O\x27Reilly\x21`,
+-				`greeting=H%69,\x26addressee=(World)`,
+-				`greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
++				`Hello, World \u0026 O\u0027Reilly\u0021`,
++				`greeting=H%69,\u0026addressee=(World)`,
++				`greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+				`,foo\/,`,
+			},
+		},
+		{
+			`<script type="text/javascript">alert("{{.}}")</script>`,
+			[]string{
+-				`\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
+-				`a[href =~ \x22\/\/example.com\x22]#foo`,
+-				`Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
+-				` dir=\x22ltr\x22`,
+-				`c \x26\x26 alert(\x22Hello, World!\x22);`,
++				`\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
++				`a[href =~ \u0022\/\/example.com\u0022]#foo`,
++				`Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
++				` dir=\u0022ltr\u0022`,
++				`c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
+				// Escape sequence not over-escaped.
+-				`Hello, World \x26 O\x27Reilly\x21`,
+-				`greeting=H%69,\x26addressee=(World)`,
+-				`greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
++				`Hello, World \u0026 O\u0027Reilly\u0021`,
++				`greeting=H%69,\u0026addressee=(World)`,
++				`greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+				`,foo\/,`,
+			},
+		},
+@@ -208,7 +208,7 @@ func TestTypedContent(t *testing.T) {
+				// Not escaped.
+				`c && alert("Hello, World!");`,
+				// Escape sequence not over-escaped.
+-				`"Hello, World & O'Reilly\x21"`,
++				`"Hello, World & O'Reilly\u0021"`,
+				`"greeting=H%69,\u0026addressee=(World)"`,
+				`"greeting=H%69,\u0026addressee=(World) 2x, https://golang.org/favicon.ico 500.5w"`,
+				`",foo/,"`,
+@@ -224,7 +224,7 @@ func TestTypedContent(t *testing.T) {
+				`Hello, <b>World</b> &amp;tc!`,
+				` dir=&#34;ltr&#34;`,
+				`c &amp;&amp; alert(&#34;Hello, World!&#34;);`,
+-				`Hello, World &amp; O&#39;Reilly\x21`,
++				`Hello, World &amp; O&#39;Reilly\u0021`,
+				`greeting=H%69,&amp;addressee=(World)`,
+				`greeting=H%69,&amp;addressee=(World) 2x, https://golang.org/favicon.ico 500.5w`,
+				`,foo/,`,
+@@ -233,15 +233,15 @@ func TestTypedContent(t *testing.T) {
+		{
+			`<button onclick='alert("{{.}}")'>`,
+			[]string{
+-				`\x3cb\x3e \x22foo%\x22 O\x27Reilly \x26bar;`,
+-				`a[href =~ \x22\/\/example.com\x22]#foo`,
+-				`Hello, \x3cb\x3eWorld\x3c\/b\x3e \x26amp;tc!`,
+-				` dir=\x22ltr\x22`,
+-				`c \x26\x26 alert(\x22Hello, World!\x22);`,
++				`\u003cb\u003e \u0022foo%\u0022 O\u0027Reilly \u0026bar;`,
++				`a[href =~ \u0022\/\/example.com\u0022]#foo`,
++				`Hello, \u003cb\u003eWorld\u003c\/b\u003e \u0026amp;tc!`,
++				` dir=\u0022ltr\u0022`,
++				`c \u0026\u0026 alert(\u0022Hello, World!\u0022);`,
+				// Escape sequence not over-escaped.
+-				`Hello, World \x26 O\x27Reilly\x21`,
+-				`greeting=H%69,\x26addressee=(World)`,
+-				`greeting=H%69,\x26addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
++				`Hello, World \u0026 O\u0027Reilly\u0021`,
++				`greeting=H%69,\u0026addressee=(World)`,
++				`greeting=H%69,\u0026addressee=(World) 2x, https:\/\/golang.org\/favicon.ico 500.5w`,
+				`,foo\/,`,
+			},
+		},
+@@ -253,7 +253,7 @@ func TestTypedContent(t *testing.T) {
+				`Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
+				`%20dir%3d%22ltr%22`,
+				`c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
+-				`Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
++				`Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
+				// Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is done.
+				`greeting=H%69,&amp;addressee=%28World%29`,
+				`greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
+@@ -268,7 +268,7 @@ func TestTypedContent(t *testing.T) {
+				`Hello%2c%20%3cb%3eWorld%3c%2fb%3e%20%26amp%3btc%21`,
+				`%20dir%3d%22ltr%22`,
+				`c%20%26%26%20alert%28%22Hello%2c%20World%21%22%29%3b`,
+-				`Hello%2c%20World%20%26%20O%27Reilly%5cx21`,
++				`Hello%2c%20World%20%26%20O%27Reilly%5cu0021`,
+				// Quotes and parens are escaped but %69 is not over-escaped. HTML escaping is not done.
+				`greeting=H%69,&addressee=%28World%29`,
+				`greeting%3dH%2569%2c%26addressee%3d%28World%29%202x%2c%20https%3a%2f%2fgolang.org%2ffavicon.ico%20500.5w`,
+diff --git a/src/html/template/escape_test.go b/src/html/template/escape_test.go
+index e72a9ba..c709660 100644
+--- a/src/html/template/escape_test.go
++++ b/src/html/template/escape_test.go
+@@ -238,7 +238,7 @@ func TestEscape(t *testing.T) {
+		{
+			"jsStr",
+			"<button onclick='alert(&quot;{{.H}}&quot;)'>",
+-			`<button onclick='alert(&quot;\x3cHello\x3e&quot;)'>`,
++			`<button onclick='alert(&quot;\u003cHello\u003e&quot;)'>`,
+		},
+		{
+			"badMarshaler",
+@@ -259,7 +259,7 @@ func TestEscape(t *testing.T) {
+		{
+			"jsRe",
+			`<button onclick='alert(/{{"foo+bar"}}/.test(""))'>`,
+-			`<button onclick='alert(/foo\x2bbar/.test(""))'>`,
++			`<button onclick='alert(/foo\u002bbar/.test(""))'>`,
+		},
+		{
+			"jsReBlank",
+@@ -825,7 +825,7 @@ func TestEscapeSet(t *testing.T) {
+				"main":   `<button onclick="title='{{template "helper"}}'; ...">{{template "helper"}}</button>`,
+				"helper": `{{11}} of {{"<100>"}}`,
+			},
+-			`<button onclick="title='11 of \x3c100\x3e'; ...">11 of &lt;100&gt;</button>`,
++			`<button onclick="title='11 of \u003c100\u003e'; ...">11 of &lt;100&gt;</button>`,
+		},
+		// A non-recursive template that ends in a different context.
+		// helper starts in jsCtxRegexp and ends in jsCtxDivOp.
+diff --git a/src/html/template/example_test.go b/src/html/template/example_test.go
+index 9d965f1..6cf936f 100644
+--- a/src/html/template/example_test.go
++++ b/src/html/template/example_test.go
+@@ -116,9 +116,9 @@ func Example_escape() {
+	// &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt;
+	// &#34;Fran &amp; Freddie&#39;s Diner&#34; &lt;tasty@example.com&gt;
+	// &#34;Fran &amp; Freddie&#39;s Diner&#34;32&lt;tasty@example.com&gt;
+-	// \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
+-	// \"Fran \x26 Freddie\'s Diner\" \x3Ctasty@example.com\x3E
+-	// \"Fran \x26 Freddie\'s Diner\"32\x3Ctasty@example.com\x3E
++	// \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
++	// \"Fran \u0026 Freddie\'s Diner\" \u003Ctasty@example.com\u003E
++	// \"Fran \u0026 Freddie\'s Diner\"32\u003Ctasty@example.com\u003E
+	// %22Fran+%26+Freddie%27s+Diner%2232%3Ctasty%40example.com%3E
+
+ }
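Review bot: The expected Example output in this hunk uses upper-case hex digits (`\u003C`, `\u003E`), while every expectation in content_test.go and escape_test.go uses lower case (`\u003c`, `\u003e`). Example output is compared as text, so these three lines only pass if the escaper behind them emits upper case; the diffstat lists an 8-line change to src/text/template/funcs.go, and that hunk should be checked to confirm it produces exactly this form. The same lines keep `\"` and `\'` instead of the `\u0022` and `\u0027` used elsewhere in the patch; if that difference is intended, a short remark in the patch header would save the next reviewer the lookup.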
 diff --git a/src/html/template/js.go b/src/html/template/js.go
 index 0e91458..ea9c183 100644
 --- a/src/html/template/js.go
@@ -173,6 +401,217 @@  index 0e91458..ea9c183 100644
 	'?':  `\?`,
 	'[':  `\[`,
 	'\\': `\\`,
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index 075adaa..d7ee47b 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -137,7 +137,7 @@ func TestJSValEscaper(t *testing.T) {
+		{"foo", `"foo"`},
+		// Newlines.
+		{"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
+-		// "\v" == "v" on IE 6 so use "\x0b" instead.
++		// "\v" == "v" on IE 6 so use "\u000b" instead.
+		{"\t\x0b", `"\t\u000b"`},
+		{struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
+		{[]interface{}{}, "[]"},
+@@ -173,7 +173,7 @@ func TestJSStrEscaper(t *testing.T) {
+	}{
+		{"", ``},
+		{"foo", `foo`},
+-		{"\u0000", `\0`},
++		{"\u0000", `\u0000`},
+		{"\t", `\t`},
+		{"\n", `\n`},
+		{"\r", `\r`},
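Review bot: The NUL case in this hunk, where the expected `\0` becomes `\u0000`, is not a mechanical `\x` to `\u` rewrite like the rest of the table, and nothing next to it says why. `\0` is not one of the escapes JSON allows, which is what the new test in template_test.go checks with encoding/json. A one-line comment on the case, or a pointer to the issues that test cites (#33671 and #37634), would make the reason visible where the expectation lives.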
+@@ -183,14 +183,14 @@ func TestJSStrEscaper(t *testing.T) {
+		{"\\n", `\\n`},
+		{"foo\r\nbar", `foo\r\nbar`},
+		// Preserve attribute boundaries.
+-		{`"`, `\x22`},
+-		{`'`, `\x27`},
++		{`"`, `\u0022`},
++		{`'`, `\u0027`},
+		// Allow embedding in HTML without further escaping.
+-		{`&amp;`, `\x26amp;`},
++		{`&amp;`, `\u0026amp;`},
+		// Prevent breaking out of text node and element boundaries.
+-		{"</script>", `\x3c\/script\x3e`},
+-		{"<![CDATA[", `\x3c![CDATA[`},
+-		{"]]>", `]]\x3e`},
++		{"</script>", `\u003c\/script\u003e`},
++		{"<![CDATA[", `\u003c![CDATA[`},
++		{"]]>", `]]\u003e`},
+		// https://dev.w3.org/html5/markup/aria/syntax.html#escaping-text-span
+		//   "The text in style, script, title, and textarea elements
+		//   must not have an escaping text span start that is not
+@@ -201,11 +201,11 @@ func TestJSStrEscaper(t *testing.T) {
+		// allow regular text content to be interpreted as script
+		// allowing script execution via a combination of a JS string
+		// injection followed by an HTML text injection.
+-		{"<!--", `\x3c!--`},
+-		{"-->", `--\x3e`},
++		{"<!--", `\u003c!--`},
++		{"-->", `--\u003e`},
+		// From https://code.google.com/p/doctype/wiki/ArticleUtf7
+		{"+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
+-			`\x2bADw-script\x2bAD4-alert(1)\x2bADw-\/script\x2bAD4-`,
++			`\u002bADw-script\u002bAD4-alert(1)\u002bADw-\/script\u002bAD4-`,
+		},
+		// Invalid UTF-8 sequence
+		{"foo\xA0bar", "foo\xA0bar"},
+@@ -228,7 +228,7 @@ func TestJSRegexpEscaper(t *testing.T) {
+	}{
+		{"", `(?:)`},
+		{"foo", `foo`},
+-		{"\u0000", `\0`},
++		{"\u0000", `\u0000`},
+		{"\t", `\t`},
+		{"\n", `\n`},
+		{"\r", `\r`},
+@@ -238,19 +238,19 @@ func TestJSRegexpEscaper(t *testing.T) {
+		{"\\n", `\\n`},
+		{"foo\r\nbar", `foo\r\nbar`},
+		// Preserve attribute boundaries.
+-		{`"`, `\x22`},
+-		{`'`, `\x27`},
++		{`"`, `\u0022`},
++		{`'`, `\u0027`},
+		// Allow embedding in HTML without further escaping.
+-		{`&amp;`, `\x26amp;`},
++		{`&amp;`, `\u0026amp;`},
+		// Prevent breaking out of text node and element boundaries.
+-		{"</script>", `\x3c\/script\x3e`},
+-		{"<![CDATA[", `\x3c!\[CDATA\[`},
+-		{"]]>", `\]\]\x3e`},
++		{"</script>", `\u003c\/script\u003e`},
++		{"<![CDATA[", `\u003c!\[CDATA\[`},
++		{"]]>", `\]\]\u003e`},
+		// Escaping text spans.
+-		{"<!--", `\x3c!\-\-`},
+-		{"-->", `\-\-\x3e`},
++		{"<!--", `\u003c!\-\-`},
++		{"-->", `\-\-\u003e`},
+		{"*", `\*`},
+-		{"+", `\x2b`},
++		{"+", `\u002b`},
+		{"?", `\?`},
+		{"[](){}", `\[\]\(\)\{\}`},
+		{"$foo|x.y", `\$foo\|x\.y`},
+@@ -284,27 +284,27 @@ func TestEscapersOnLower7AndSelectHighCodepoints(t *testing.T) {
+		{
+			"jsStrEscaper",
+			jsStrEscaper,
+-			"\\0\x01\x02\x03\x04\x05\x06\x07" +
+-				"\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
+-				"\x10\x11\x12\x13\x14\x15\x16\x17" +
+-				"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
+-				` !\x22#$%\x26\x27()*\x2b,-.\/` +
+-				`0123456789:;\x3c=\x3e?` +
++			`\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
++				`\u0008\t\n\u000b\f\r\u000e\u000f` +
++				`\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
++				`\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
++				` !\u0022#$%\u0026\u0027()*\u002b,-.\/` +
++				`0123456789:;\u003c=\u003e?` +
+				`@ABCDEFGHIJKLMNO` +
+				`PQRSTUVWXYZ[\\]^_` +
+				"`abcdefghijklmno" +
+-				"pqrstuvwxyz{|}~\x7f" +
++				"pqrstuvwxyz{|}~\u007f" +
+				"\u00A0\u0100\\u2028\\u2029\ufeff\U0001D11E",
+		},
+		{
+			"jsRegexpEscaper",
+			jsRegexpEscaper,
+-			"\\0\x01\x02\x03\x04\x05\x06\x07" +
+-				"\x08\\t\\n\\x0b\\f\\r\x0E\x0F" +
+-				"\x10\x11\x12\x13\x14\x15\x16\x17" +
+-				"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f" +
+-				` !\x22#\$%\x26\x27\(\)\*\x2b,\-\.\/` +
+-				`0123456789:;\x3c=\x3e\?` +
++			`\u0000\u0001\u0002\u0003\u0004\u0005\u0006\u0007` +
++				`\u0008\t\n\u000b\f\r\u000e\u000f` +
++				`\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017` +
++				`\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f` +
++				` !\u0022#\$%\u0026\u0027\(\)\*\u002b,\-\.\/` +
++				`0123456789:;\u003c=\u003e\?` +
+				`@ABCDEFGHIJKLMNO` +
+				`PQRSTUVWXYZ\[\\\]\^_` +
+				"`abcdefghijklmno" +
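Review bot: In the jsStrEscaper expectation the quoting style changes along with the escapes, and the two do not mean the same thing on every line. The first four lines move from double-quoted literals to backtick raw strings, so the old `"\x01\x02..."` expected the control bytes to pass through unescaped while the new raw `\u0001\u0002...` expects the six-character escape text. The line `"pqrstuvwxyz{|}~\u007f"` stays double-quoted, so `\x7f` and `\u007f` are the same byte and DEL is still expected to pass through unescaped. That is easy to misread as "DEL is now escaped"; a comment on that line stating that the byte is expected raw would make the intent clear.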
+diff --git a/src/html/template/template_test.go b/src/html/template/template_test.go
+index 13e6ba4..86bd4db 100644
+--- a/src/html/template/template_test.go
++++ b/src/html/template/template_test.go
+@@ -6,6 +6,7 @@ package template_test
+
+ import (
+	"bytes"
++	"encoding/json"
+	. "html/template"
+	"strings"
+	"testing"
+@@ -121,6 +122,44 @@ func TestNumbers(t *testing.T) {
+	c.mustExecute(c.root, nil, "12.34 7.5")
+ }
+
++func TestStringsInScriptsWithJsonContentTypeAreCorrectlyEscaped(t *testing.T) {
++	// See #33671 and #37634 for more context on this.
++	tests := []struct{ name, in string }{
++		{"empty", ""},
++		{"invalid", string(rune(-1))},
++		{"null", "\u0000"},
++		{"unit separator", "\u001F"},
++		{"tab", "\t"},
++		{"gt and lt", "<>"},
++		{"quotes", `'"`},
++		{"ASCII letters", "ASCII letters"},
++		{"Unicode", "ʕ⊙ϖ⊙ʔ"},
++		{"Pizza", "