Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package subfinder for openSUSE:Factory checked in at 2025-04-26 22:25:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/subfinder (Old) and /work/SRC/openSUSE:Factory/.subfinder.new.30101 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "subfinder" Sat Apr 26 22:25:26 2025 rev:6 rq:1272803 version:2.7.0 Changes: -------- --- /work/SRC/openSUSE:Factory/subfinder/subfinder.changes 2025-04-20 20:10:19.047031161 +0200 +++ /work/SRC/openSUSE:Factory/.subfinder.new.30101/subfinder.changes 2025-04-26 22:25:35.986972647 +0200 @@ -1,0 +2,5 @@ +Fri Apr 25 10:31:03 UTC 2025 - Dominik Heidler <dheid...@suse.de> + +- Add fix_cve_2025_22872.patch to patch CVE-2025-22872 / bsc#1241750 + +------------------------------------------------------------------- New: ---- fix_cve_2025_22872.patch BETA DEBUG BEGIN: New: - Add fix_cve_2025_22872.patch to patch CVE-2025-22872 / bsc#1241750 BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ subfinder.spec ++++++ --- /var/tmp/diff_new_pack.N9L0R4/_old 2025-04-26 22:25:36.634999529 +0200 +++ /var/tmp/diff_new_pack.N9L0R4/_new 2025-04-26 22:25:36.638999695 +0200 @@ -25,6 +25,7 @@ Source0: https://github.com/projectdiscovery/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: vendor.tar.zstd Source2: fix_cve_2024_0406.patch +Source3: fix_cve_2025_22872.patch Patch1: disable-version-check.patch BuildRequires: binutils BuildRequires: help2man @@ -42,6 +43,7 @@ %prep %autosetup -p1 -a1 patch -d vendor/github.com/mholt/archiver/v3 < %{S:2} +patch -d vendor/golang.org/x/net/ -p1 < %{S:3} %build cd v2 ++++++ fix_cve_2025_22872.patch ++++++ >From e1fcd82abba34df74614020343be8eb1fe85f0d9 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker <rol...@golang.org> Date: Mon, 24 Feb 2025 11:18:31 -0800 Subject: [PATCH] html: properly handle trailing solidus in unquoted attribute value in foreign content The parser properly treats tags like <p a=/> as <p a="/">, but the tokenizer emits the SelfClosingTagToken token incorrectly. When the parser is used to parse foreign content, this results in an incorrect DOM. Thanks to Sean Ng (https://ensy.zip) for reporting this issue. Fixes golang/go#73070 Fixes CVE-2025-22872 Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f Reviewed-on: https://go-review.googlesource.com/c/net/+/661256 Reviewed-by: Neal Patel <nealpa...@google.com> Reviewed-by: Roland Shoemaker <rol...@golang.org> LUCI-TryBot-Result: Go LUCI <golang-sco...@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Gopher Robot <go...@golang.org> --- html/token.go | 18 ++++++++++++++++-- html/token_test.go | 18 ++++++++++++++++++ 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/html/token.go b/html/token.go index 3c57880d69..6598c1f7b3 100644 --- a/html/token.go +++ b/html/token.go @@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType { if raw { z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end])) } - // Look for a self-closing token like "<br/>". - if z.err == nil && z.buf[z.raw.end-2] == '/' { + // Look for a self-closing token (e.g. <br/>). + // + // Originally, we did this by just checking that the last character of the + // tag (ignoring the closing bracket) was a solidus (/) character, but this + // is not always accurate. + // + // We need to be careful that we don't misinterpret a non-self-closing tag + // as self-closing, as can happen if the tag contains unquoted attribute + // values (i.e. <p a=/>). + // + // To avoid this, we check that the last non-bracket character of the tag + // (z.raw.end-2) isn't the same character as the last non-quote character of + // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has + // attributes. + nAttrs := len(z.attr) + if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) { return SelfClosingTagToken } return StartTagToken ++++++ vendor.tar.zstd ++++++ Binary files /var/tmp/diff_new_pack.N9L0R4/_old and /var/tmp/diff_new_pack.N9L0R4/_new differ
