Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:libhtml-gumbo-perl
User: [email protected]
Usertags: pu

[ Reason ]
libhtml-gumbo-perl has a security issue in the version in bookworm. We
don't feel that warrants a DSA, but would like to see it updated in
bookworm before the final point release.

Bug report for the security issue:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104789

CVE-2025-15646

[ Impact ]
Users of this package will be exposed to this security issue.

[ Tests ]
The package has built in test cases, these all pass.

The patch has been accepted upstream.

[ Risks ]
There is minimal risk.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The change adds handling for the template HTML element.

[ Other info ]
I've been discussing this with Salvatore Bonaccorso.
diff -Nru libhtml-gumbo-perl-0.18/debian/changelog 
libhtml-gumbo-perl-0.18/debian/changelog
--- libhtml-gumbo-perl-0.18/debian/changelog    2022-08-01 03:45:00.000000000 
+1200
+++ libhtml-gumbo-perl-0.18/debian/changelog    2026-06-28 15:19:13.000000000 
+1200
@@ -1,3 +1,12 @@
+libhtml-gumbo-perl (0.18-3+deb12u1) bookworm; urgency=medium
+
+  * Team upload.
+  * [CVE-2025-15646] Add patch to fix wrong code path with GUMBO_NODE_TEMPLATE.
+    Thanks to Vincent Lefevre for the bug report and Niko Tyni for the patch.
+    (Closes: #1104789)
+
+ -- Andrew Ruthven <[email protected]>  Sun, 28 Jun 2026 15:19:13 +1200
+
 libhtml-gumbo-perl (0.18-3) unstable; urgency=medium
 
   [ gregor herrmann ]
diff -Nru 
libhtml-gumbo-perl-0.18/debian/patches/0001-Fix-wrong-code-path-with-GUMBO_NODE_TEMPLATE.patch
 
libhtml-gumbo-perl-0.18/debian/patches/0001-Fix-wrong-code-path-with-GUMBO_NODE_TEMPLATE.patch
--- 
libhtml-gumbo-perl-0.18/debian/patches/0001-Fix-wrong-code-path-with-GUMBO_NODE_TEMPLATE.patch
      1970-01-01 12:00:00.000000000 +1200
+++ 
libhtml-gumbo-perl-0.18/debian/patches/0001-Fix-wrong-code-path-with-GUMBO_NODE_TEMPLATE.patch
      2026-06-28 15:19:05.000000000 +1200
@@ -0,0 +1,47 @@
+From 549609cd80784012c274c11731e6a31787d3555e Mon Sep 17 00:00:00 2001
+From: Niko Tyni <[email protected]>
+Date: Sat, 17 May 2025 09:32:06 +0100
+Subject: [PATCH] Fix wrong code path with GUMBO_NODE_TEMPLATE
+
+GUMBO_NODE_TEMPLATE was introduced in Gumbo 0.10.0 but HTML-Gumbo has
+not been updated to support that.
+
+This makes walk_tree() take the text node branch for templates
+and access uninitialized memory.
+
+The gumbo C library seems to treat GUMBO_NODE_TEMPLATE very
+similarly to GUMBO_NODE_ELEMENT. From
+
+  https://sources.debian.org/src/gumbo-parser/0.13.0%2Bdfsg-2/src/gumbo.h/#L304
+
+  /** Template node.  This is separate from GUMBO_NODE_ELEMENT because many
+   * client libraries will want to ignore the contents of template nodes, as
+   * the spec suggests.  Recursing on GUMBO_NODE_ELEMENT will do the right 
thing
+   * here, while clients that want to include template contents should also
+   * check for GUMBO_NODE_TEMPLATE.  v will be a GumboElement.  */
+
+So we add it to the list "special" container types in walk_tree()
+that attach a GumboElement value rather than a GumboText.
+
+Bug-Debian: https://bugs.debian.org/1104789
+Bug: https://github.com/ruz/HTML-Gumbo/issues/6
+---
+ lib/HTML/Gumbo.xs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/HTML/Gumbo.xs b/lib/HTML/Gumbo.xs
+index 97dfc43..32427d7 100644
+--- a/lib/HTML/Gumbo.xs
++++ b/lib/HTML/Gumbo.xs
+@@ -38,7 +38,7 @@ typedef enum {
+ STATIC
+ void
+ walk_tree(pTHX_ GumboNode* node, int flags, void (*cb)(pTHX_ 
PerlHtmlGumboType, GumboNode*, void*), void* ctx ) {
+-    if ( node->type == GUMBO_NODE_DOCUMENT || node->type == 
GUMBO_NODE_ELEMENT ) {
++    if ( node->type == GUMBO_NODE_DOCUMENT || node->type == 
GUMBO_NODE_ELEMENT || node->type == GUMBO_NODE_TEMPLATE) {
+         GumboVector* children;
+         int skip = flags&PHG_FLAG_SKIP_ROOT_ELEMENT && node->type == 
GUMBO_NODE_ELEMENT && node->parent && node->parent->type == GUMBO_NODE_DOCUMENT;
+         if ( !skip ) {
+-- 
+2.49.0
+
diff -Nru libhtml-gumbo-perl-0.18/debian/patches/series 
libhtml-gumbo-perl-0.18/debian/patches/series
--- libhtml-gumbo-perl-0.18/debian/patches/series       2022-08-01 
03:45:00.000000000 +1200
+++ libhtml-gumbo-perl-0.18/debian/patches/series       2026-06-28 
15:19:05.000000000 +1200
@@ -1,2 +1,3 @@
 no-alien-libgumbo.patch
 tree_to_callback-don-t-check-document-nodes-for-void.patch
+0001-Fix-wrong-code-path-with-GUMBO_NODE_TEMPLATE.patch

Reply via email to