Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package forgejo for openSUSE:Factory checked in at 2025-10-09 15:07:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/forgejo (Old) and /work/SRC/openSUSE:Factory/.forgejo.new.11973 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "forgejo" Thu Oct 9 15:07:08 2025 rev:36 rq:1309957 version:12.0.4 Changes: -------- --- /work/SRC/openSUSE:Factory/forgejo/forgejo.changes 2025-09-20 22:05:16.165663346 +0200 +++ /work/SRC/openSUSE:Factory/.forgejo.new.11973/forgejo.changes 2025-10-09 15:09:30.994251555 +0200 @@ -1,0 +2,6 @@ +Thu Oct 9 10:32:11 UTC 2025 - Richard Rahl <[email protected]> + +- add fix-CVE-2025-58190.patch, fixing bsc#1251670 +- add fix-CVE-2025-47911.patch, fixing bsc#1251474 + +------------------------------------------------------------------- New: ---- fix-CVE-2025-47911.patch fix-CVE-2025-58190.patch ----------(New B)---------- New:- add fix-CVE-2025-58190.patch, fixing bsc#1251670 - add fix-CVE-2025-47911.patch, fixing bsc#1251474 New: - add fix-CVE-2025-58190.patch, fixing bsc#1251670 - add fix-CVE-2025-47911.patch, fixing bsc#1251474 ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ forgejo.spec ++++++ --- /var/tmp/diff_new_pack.cK0tCw/_old 2025-10-09 15:09:33.882373457 +0200 +++ /var/tmp/diff_new_pack.cK0tCw/_new 2025-10-09 15:09:33.886373627 +0200 @@ -1,6 +1,7 @@ # # spec file for package forgejo # +# Copyright (c) 2025 SUSE LLC # Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties @@ -49,6 +50,8 @@ Source14: node_modules.sums Source99: README.SUSE Patch0: custom-app.ini.patch +Patch1: fix-CVE-2025-58190.patch +Patch2: fix-CVE-2025-47911.patch BuildRequires: golang(API) >= 1.24 ## node >= 20 %if 0%{?suse_version} == 1500 ++++++ fix-CVE-2025-47911.patch ++++++ diff -rubN vendor/golang.org/x/net/html/escape.go vendor-patched/golang.org/x/net/html/escape.go --- a/vendor/golang.org/x/net/html/escape.go 2025-06-06 12:16:37.000000000 +0200 +++ b/vendor-patched/golang.org/x/net/html/escape.go 2025-10-09 10:38:44.325052734 +0200 
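Review bot: The first spec hunk adds `# Copyright (c) 2025 SUSE LLC` immediately above the existing `# Copyright (c) 2025 SUSE LLC and contributors`, so the header now carries the same notice twice. Keep a single line; the existing `# Copyright (c) 2025 SUSE LLC and contributors` already covers both.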
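Review bot: The order Patch1 = fix-CVE-2025-58190.patch, Patch2 = fix-CVE-2025-47911.patch looks load-bearing and should be stated in the spec: the parse.go hunks in fix-CVE-2025-47911.patch carry a `---` timestamp of 2025-10-09 10:39:56 while fix-CVE-2025-58190.patch was produced against the 2025-06-06 vendored file, so the second patch was likely generated on an already-patched tree and may not apply cleanly the other way round. Both patch files also pair `--- a/vendor/...` with `+++ b/vendor-patched/...`; GNU patch will normally fall back to the existing `vendor/` name under -p1, but regenerating them with matching paths removes that dependency on its name-selection heuristic. The %prep lines that apply the patches are outside this hunk, so whether `%autosetup -p1` (or an explicit `%patch -P 1 -P 2`) picks them up cannot be confirmed here. Because these are source-level backports into vendor/, the golang.org/x/net version recorded in vendor/modules.txt is unchanged and version-based scanners (govulncheck, SBOM/OSV matching) will keep flagging both CVEs on this build; a comment above Patch1 such as `# Backports into vendor/golang.org/x/net; vendor/modules.txt still records the unfixed module version` would save the next maintainer that investigation.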
@@ -299,7 +299,7 @@ case '\r': esc = " " default: - panic("unrecognized escape character") + panic("html: unrecognized escape character") } s = s[i+1:] if _, err := w.WriteString(esc); err != nil { diff -rubN vendor/golang.org/x/net/html/parse.go vendor-patched/golang.org/x/net/html/parse.go --- a/vendor/golang.org/x/net/html/parse.go 2025-10-09 10:39:56.705570069 +0200 +++ b/vendor-patched/golang.org/x/net/html/parse.go 2025-10-09 10:38:59.062361676 +0200 @@ -231,7 +231,14 @@ } if n.Type == ElementNode { + p.insertOpenElement(n) + } +} + +func (p *parser) insertOpenElement(n *Node) { p.oe = append(p.oe, n) + if len(p.oe) > 512 { + panic("html: open stack of elements exceeds 512 nodes") } } @@ -810,7 +817,7 @@ p.im = inFramesetIM return true case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title: - p.oe = append(p.oe, p.head) + p.insertOpenElement(p.head) defer p.oe.remove(p.head) return inHeadIM(p) case a.Head: @@ -2324,9 +2331,13 @@ } } -func (p *parser) parse() error { +func (p *parser) parse() (err error) { + defer func() { + if panicErr := recover(); panicErr != nil { + err = fmt.Errorf("%s", panicErr) + } + }() // Iterate until EOF. Any other error will cause an early return. - var err error for err != io.EOF { // CDATA sections are allowed only in foreign content. n := p.oe.top() @@ -2355,6 +2366,8 @@ // <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped, // with no corresponding node in the resulting tree. // +// Parse will reject HTML that is nested deeper than 512 elements. +// // The input is assumed to be UTF-8 encoded. func Parse(r io.Reader) (*Node, error) { return ParseWithOptions(r) ++++++ fix-CVE-2025-58190.patch ++++++ diff -rubN vendor/golang.org/x/net/html/parse.go vendor-patched/golang.org/x/net/html/parse.go --- a/vendor/golang.org/x/net/html/parse.go 2025-06-06 12:16:37.000000000 +0200 +++ b/vendor-patched/golang.org/x/net/html/parse.go 2025-10-09 10:12:41.984298856 +0200 
@@ -136,7 +136,7 @@ return -1 } default: - panic("unreachable") + panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s)) } } switch s { @@ -179,7 +179,7 @@ return } default: - panic("unreachable") + panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s)) } } } @@ -1678,7 +1678,7 @@ return inTableIM(p) } -// Section 12.2.6.4.14. +// Section 13.2.6.4.14. func inRowIM(p *parser) bool { switch p.tok.Type { case StartTagToken: @@ -1690,7 +1690,9 @@ p.im = inCellIM return true case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr: - if p.popUntil(tableScope, a.Tr) { + if p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() p.im = inTableBodyIM return false } @@ -1700,22 +1702,28 @@ case EndTagToken: switch p.tok.DataAtom { case a.Tr: - if p.popUntil(tableScope, a.Tr) { + if p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() p.im = inTableBodyIM return true } // Ignore the token. return true case a.Table: - if p.popUntil(tableScope, a.Tr) { + if p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() p.im = inTableBodyIM return false } // Ignore the token. return true case a.Tbody, a.Tfoot, a.Thead: - if p.elementInScope(tableScope, p.tok.DataAtom) { - p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String()) + if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() + p.im = inTableBodyIM return false } // Ignore the token. 
@@ -2222,16 +2230,20 @@ p.acknowledgeSelfClosingTag() } case EndTagToken: - for i := len(p.oe) - 1; i >= 0; i-- { - if p.oe[i].Namespace == "" { - return p.im(p) + if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) { + p.oe = p.oe[:len(p.oe)-1] + return true } + for i := len(p.oe) - 1; i >= 0; i-- { if strings.EqualFold(p.oe[i].Data, p.tok.Data) { p.oe = p.oe[:i] + return true + } + if i > 0 && p.oe[i-1].Namespace == "" { break } } - return true + return p.im(p) default: // Ignore the token. }
