Bug 2196029 (CVE-2023-29400)

Summary: CVE-2023-29400 golang: html/template: improper handling of empty HTML attributes
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abishop, adudiak, amasferr, amctagga, ansmith, aoconnor, asm, ataylor, bbaude, bbuckingham, bcourt, bdettelb, bniver, bodavis, chazlett, cwelton, dbenoit, debarshir, desktop-qa-list, dfreiber, dkenigsb, dperaza, dsimansk, dwalsh, dymurray, eglynn, ehelms, ellin, emachado, epacific, fdeutsch, flucifre, gmeno, gparvin, grafana-maint, ibolton, jburrell, jcammara, jcantril, jchui, jhardy, jjoyce, jkoehler, jkurik, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, jsherril, jwendell, kshier, lball, lhh, lsm5, lzap, mabashia, matzew, mbenjamin, mboddu, mburns, mgarciac, mhackett, mheon, mhulan, mwringe, myarboro, nathans, nbecker, nboldt, njean, nmontero, nmoumoul, orabin, oramraz, osbuilders, owatkins, pahickey, pcreech, pehunt, pjindal, pthomas, rcernich, rchan, rhcos-sst, rhos-maint, rhuss, rjohnson, rkieley, rogbas, saroy, sgott, shbose, simaishi, sipoyare, slucidi, smcdonal, smullick, sostapov, spower, sseago, stcannon, teagle, tfister, tjochec, tkral, tstellar, tsweeney, twalsh, umohnani, vereddy, vkumar, whayutin, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang 1.19.9, golang 1.20.4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang. Templates containing actions in unquoted HTML attributes, for example, "attr={{.}}") executed with empty input, could result in output that has unexpected results when parsed due to HTML normalization rules. This issue may allow the injection of arbitrary attributes into tags.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2196474, 2196475, 2196481, 2196482, 2196483, 2196484, 2196485, 2196486, 2196487, 2196488, 2196489, 2196490, 2196491, 2196492, 2203249, 2203250, 2203251, 2207502, 2207503, 2207504, 2207505, 2207506, 2207507, 2207508, 2207509, 2207510, 2207511, 2207512, 2207513, 2207514, 2207515, 2207518, 2207519, 2207520, 2207521, 2207522, 2207523, 2221850    
Bug Blocks: 2193514    

Description Anten Skrabec 2023-05-07 16:43:14 UTC 
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
Comment 2 Anten Skrabec 2023-05-09 10:00:22 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2196474]
Affects: fedora-all [bug 2196475]
Comment 8 TEJ RATHI 2023-05-11 13:06:27 UTC 
References:
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
Go issue https://go.dev/issue/59722

Commits:
https://github.com/golang/go/commit/0d347544cbca0f42b160424f6bc2458ebcc7b3fc [Master]
https://github.com/golang/go/commit/9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5 [release-branch.go1.19]
https://github.com/golang/go/commit/337dd75343145b74ed2073d793322eb4103b56ad [release-branch.go1.20]
Comment 19 errata-xmlrpc 2023-05-25 12:26:16 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2023:3323 https://access.redhat.com/errata/RHSA-2023:3323
Comment 20 errata-xmlrpc 2023-05-31 19:38:14 UTC 
This issue has been addressed in the following products:

  RHACS-4.0-RHEL-8

Via RHSA-2023:3415 https://access.redhat.com/errata/RHSA-2023:3415
Comment 22 errata-xmlrpc 2023-06-05 09:28:54 UTC 
This issue has been addressed in the following products:

  RHACS-3.74-RHEL-8

Via RHSA-2023:3435 https://access.redhat.com/errata/RHSA-2023:3435
Comment 23 errata-xmlrpc 2023-06-05 14:08:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445
Comment 24 errata-xmlrpc 2023-06-07 01:50:58 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3367 https://access.redhat.com/errata/RHSA-2023:3367
Comment 25 errata-xmlrpc 2023-06-13 15:32:33 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3540 https://access.redhat.com/errata/RHSA-2023:3540
Comment 28 errata-xmlrpc 2023-06-28 15:42:56 UTC 
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.3.0-RHEL-9

Via RHSA-2023:3905 https://access.redhat.com/errata/RHSA-2023:3905
Comment 29 errata-xmlrpc 2023-06-29 00:59:21 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:3918 https://access.redhat.com/errata/RHSA-2023:3918
Comment 31 errata-xmlrpc 2023-07-10 08:51:36 UTC 
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003
Comment 34 errata-xmlrpc 2023-07-20 17:29:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4093 https://access.redhat.com/errata/RHSA-2023:4093
Comment 35 errata-xmlrpc 2023-07-27 01:14:00 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:4293 https://access.redhat.com/errata/RHSA-2023:4293
Comment 38 errata-xmlrpc 2023-08-03 14:12:31 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8

Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470
Comment 39 errata-xmlrpc 2023-08-03 15:51:29 UTC 
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:4472 https://access.redhat.com/errata/RHSA-2023:4472
Comment 40 errata-xmlrpc 2023-08-08 00:36:35 UTC 
This issue has been addressed in the following products:

  CERT-MANAGER-1.10-RHEL-9

Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335
Comment 41 errata-xmlrpc 2023-08-08 11:30:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4459 https://access.redhat.com/errata/RHSA-2023:4459
Comment 42 errata-xmlrpc 2023-08-14 01:02:56 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627
Comment 43 errata-xmlrpc 2023-08-16 14:09:44 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:4664 https://access.redhat.com/errata/RHSA-2023:4664
Comment 44 errata-xmlrpc 2023-08-23 00:18:00 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:4657 https://access.redhat.com/errata/RHSA-2023:4657
Comment 45 errata-xmlrpc 2023-10-03 18:50:07 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.3 for RHEL 8

Via RHSA-2023:5421 https://access.redhat.com/errata/RHSA-2023:5421
Comment 46 errata-xmlrpc 2023-10-04 13:07:49 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2023:5442 https://access.redhat.com/errata/RHSA-2023:5442
Comment 47 errata-xmlrpc 2023-10-26 00:47:49 UTC 
This issue has been addressed in the following products:

  RODOO-1.0-RHEL-8

Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947
Comment 48 errata-xmlrpc 2023-11-07 08:13:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346
Comment 49 errata-xmlrpc 2023-11-07 08:14:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363
Comment 50 errata-xmlrpc 2023-11-07 08:16:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402
Comment 51 errata-xmlrpc 2023-11-07 08:17:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473
Comment 52 errata-xmlrpc 2023-11-07 08:17:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474
Comment 53 errata-xmlrpc 2023-11-08 18:49:25 UTC 
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2023:6832 https://access.redhat.com/errata/RHSA-2023:6832
Comment 54 errata-xmlrpc 2023-11-14 15:16:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938
Comment 55 errata-xmlrpc 2023-11-14 15:17:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939
Comment 62 errata-xmlrpc 2024-05-21 14:08:30 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:2944 https://access.redhat.com/errata/RHSA-2024:2944