Bug 1215085 (CVE-2023-39319)

Summary: VUL-0: CVE-2023-39319: go1.20,go1.21: html/template: improper handling of special tags within script contexts
Product: [Novell Products] SUSE Security Incidents
Reporter: Jeff Kowalczyk <jkowalczyk>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: andreas.taschner, brahmajit.das, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/377580/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39319:6.8:(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Jeff Kowalczyk 2023-09-06 23:24:40 UTC
The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.

This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.
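
The HTML Standard's recommended way to keep these three sequences from affecting script-element parsing is to escape their leading "<" as \x3C when they occur inside JS literals. The sketch below is an added example, not code from this bug report or from the Go patch; EscapeSpecialTags, hasFoldPrefix and the sample strings are names and values constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Sequences named in the bug description. Inside a <script> element the HTML
// tokenizer reacts to them even when JavaScript sees them inside a literal.
var specialTags = []string{"<!--", "<script", "</script"}

// hasFoldPrefix reports whether s starts with tag, ignoring case. Comparing
// slices of equal byte length means only ASCII spellings can match.
func hasFoldPrefix(s, tag string) bool {
	return len(s) >= len(tag) && strings.EqualFold(s[:len(tag)], tag)
}

// EscapeSpecialTags assumes lit is the body of a JS string literal and
// rewrites the "<" that starts a special sequence as the JS escape \x3C.
// The string value seen by JavaScript is unchanged.
func EscapeSpecialTags(lit string) string {
	var b strings.Builder
	for i := 0; i < len(lit); i++ {
		special := false
		for _, tag := range specialTags {
			special = special || (lit[i] == '<' && hasFoldPrefix(lit[i:], tag))
		}
		if special {
			b.WriteString(`\x3C`)
		} else {
			b.WriteByte(lit[i])
		}
	}
	return b.String()
}

func main() {
	// Constructed sample values, not taken from the bug report.
	for _, s := range []string{"</SCRIPT>", "<!--<script>", "1 < 2"} {
		fmt.Printf("%-14q -> %s\n", s, EscapeSpecialTags(s))
	}
}
```

A "<" that does not begin one of the three sequences is left alone, so ordinary comparisons and markup fragments in literals are untouched.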
Comment 1 OBSbugzilla Bot 2023-09-07 22:05:12 UTC
This is an autogenerated message for OBS integration:
This bug (1215085) was mentioned in
https://build.opensuse.org/request/show/1109621 Factory / go1.20
Comment 3 Brahmajit Das 2023-09-12 05:09:17 UTC
Is go1.19 vulnerable to CVE-2023-393(18-19)? I have an L3 ticket for it where the customer is asking for a PTF with fixes for these two CVEs for go1.19.
Comment 4 Brahmajit Das 2023-09-12 05:14:26 UTC
Please ignore comment #3. I see them flagged unsupported.
Comment 5 Maintenance Automation 2023-09-20 12:30:44 UTC
SUSE-SU-2023:3701-1: An update that solves five vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1215084, 1215085, 1215086, 1215087, 1215090
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322
Sources used:
Development Tools Module 15-SP5 (src): go1.21-1.21.1-150000.1.6.1
openSUSE Leap 15.4 (src): go1.21-1.21.1-150000.1.6.1
openSUSE Leap 15.5 (src): go1.21-1.21.1-150000.1.6.1
Development Tools Module 15-SP4 (src): go1.21-1.21.1-150000.1.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Maintenance Automation 2023-09-20 12:30:47 UTC
SUSE-SU-2023:3700-1: An update that solves two vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1206346, 1215084, 1215085, 1215090
CVE References: CVE-2023-39318, CVE-2023-39319
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.8-150000.1.23.1
openSUSE Leap 15.5 (src): go1.20-1.20.8-150000.1.23.1
Development Tools Module 15-SP4 (src): go1.20-1.20.8-150000.1.23.1
Development Tools Module 15-SP5 (src): go1.20-1.20.8-150000.1.23.1

Comment 8 Maintenance Automation 2023-09-27 20:30:16 UTC
SUSE-SU-2023:3840-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1206346, 1213880, 1215084, 1215085, 1215090
CVE References: CVE-2023-29409, CVE-2023-39318, CVE-2023-39319
Sources used:
openSUSE Leap 15.4 (src): go1.20-openssl-1.20.8.1-150000.1.11.1
openSUSE Leap 15.5 (src): go1.20-openssl-1.20.8.1-150000.1.11.1
Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.8.1-150000.1.11.1
Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.8.1-150000.1.11.1

Comment 9 OBSbugzilla Bot 2023-10-31 15:35:20 UTC
This is an autogenerated message for OBS integration:
This bug (1215085) was mentioned in
https://build.opensuse.org/request/show/1121461 Backports:SLE-12 / go1.21
Comment 12 Marcus Meissner 2023-11-09 14:05:15 UTC
openSUSE-SU-2023:0360-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1212475,1212667,1212669,1215084,1215085,1215086,1215087,1215090,1215985,1216109
CVE References: CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    go-1.21-41.1, go1.21-1.21.3-2.1
Comment 14 Maintenance Automation 2023-11-16 20:30:11 UTC
SUSE-SU-2023:4469-1: An update that solves 10 vulnerabilities, contains one feature and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1212475, 1212667, 1212669, 1215084, 1215085, 1215086, 1215087, 1215090, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322, CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Jira References: SLE-18320
Sources used:
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1

Comment 16 Andrea Mattiazzo 2024-07-10 13:28:03 UTC
All done, closing.