Your message dated Thu, 27 Jun 2019 11:58:06 +0200
with message-id <[email protected]>
and subject line Re: Bug#928227: unblock:
golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3
has caused the Debian Bug report #928227,
regarding unblock: golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
928227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928227
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package golang-golang-x-net-dev
Upstream has provided patches addressing security issues
CVE-2018-17846 / CVE-2018-17847 / CVE-2018-17848
(Debian bug #911795).
This upload applies those patches.
$ debdiff golang-golang-x-net-dev_0.0+git20181201.351d144+dfsg-2.dsc
golang-golang-x-net-dev_0.0+git20181201.351d144+dfsg-3.dsc
diff -Nru golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/changelog
golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/changelog
--- golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/changelog
2018-12-14 21:56:28.000000000 +0800
+++ golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/changelog
2019-04-30 16:42:08.000000000 +0800
@@ -1,3 +1,13 @@
+golang-golang-x-net-dev (1:0.0+git20181201.351d144+dfsg-3) unstable;
urgency=medium
+
+ * Team upload.
+ * Apply security patches (upstream commits). Closes: #911795.
+ - CVE-2018-17846: commit d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
+ - CVE-2018-17847, CVE-2018-17848:
+ commit 4b62a64f59f73840b9ab79204c94fee61cd1ba2c
+
+ -- Drew Parsons <[email protected]> Tue, 30 Apr 2019 16:42:08 +0800
+
golang-golang-x-net-dev (1:0.0+git20181201.351d144+dfsg-2) unstable;
urgency=medium
* Remove obsolete patch for s390. Closes: #916236.
diff -Nru
golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17846_d26f9f9.patch
golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17846_d26f9f9.patch
---
golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17846_d26f9f9.patch
1970-01-01 08:00:00.000000000 +0800
+++
golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17846_d26f9f9.patch
2019-04-30 16:42:08.000000000 +0800
@@ -0,0 +1,108 @@
+From d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf Mon Sep 17 00:00:00 2001
+From: Kunpei Sakai <[email protected]>
+Date: Tue, 25 Sep 2018 22:55:50 +0900
+Subject: [PATCH] html: update inSelectIM and inSelectInTableIM for the latest
+ spec
+
+Fixes golang/go#27842
+
+Change-Id: I06eb3c0c18be3566bd30a29fca5f3f7e6791d2cc
+Reviewed-on: https://go-review.googlesource.com/c/137275
+Run-TryBot: Kunpei Sakai <[email protected]>
+TryBot-Result: Gobot Gobot <[email protected]>
+Reviewed-by: Nigel Tao <[email protected]>
+---
+ html/parse.go | 28 ++++++++++++++++++++++------
+ html/parse_test.go | 3 ++-
+ html/testdata/go/select.dat | 12 ++++++++++++
+ 3 files changed, 36 insertions(+), 7 deletions(-)
+ create mode 100644 html/testdata/go/select.dat
+
+diff --git a/html/parse.go b/html/parse.go
+index 64a57937..488e8d3c 100644
+--- a/html/parse.go
++++ b/html/parse.go
+@@ -1719,8 +1719,12 @@ func inSelectIM(p *parser) bool {
+ }
+ p.addElement()
+ case a.Select:
+- p.tok.Type = EndTagToken
+- return false
++ if p.popUntil(selectScope, a.Select) {
++ p.resetInsertionMode()
++ } else {
++ // Ignore the token.
++ return true
++ }
+ case a.Input, a.Keygen, a.Textarea:
+ if p.elementInScope(selectScope, a.Select) {
+ p.parseImpliedToken(EndTagToken, a.Select,
a.Select.String())
+@@ -1750,6 +1754,9 @@ func inSelectIM(p *parser) bool {
+ case a.Select:
+ if p.popUntil(selectScope, a.Select) {
+ p.resetInsertionMode()
++ } else {
++ // Ignore the token.
++ return true
+ }
+ case a.Template:
+ return inHeadIM(p)
+@@ -1775,13 +1782,22 @@ func inSelectInTableIM(p *parser) bool {
+ case StartTagToken, EndTagToken:
+ switch p.tok.DataAtom {
+ case a.Caption, a.Table, a.Tbody, a.Tfoot, a.Thead, a.Tr, a.Td,
a.Th:
+- if p.tok.Type == StartTagToken ||
p.elementInScope(tableScope, p.tok.DataAtom) {
+- p.parseImpliedToken(EndTagToken, a.Select,
a.Select.String())
+- return false
+- } else {
++ if p.tok.Type == EndTagToken &&
!p.elementInScope(tableScope, p.tok.DataAtom) {
+ // Ignore the token.
+ return true
+ }
++ // This is like p.popUntil(selectScope, a.Select), but
it also
++ // matches <math select>, not just <select>. Matching
the MathML
++ // tag is arguably incorrect (conceptually), but it
mimics what
++ // Chromium does.
++ for i := len(p.oe) - 1; i >= 0; i-- {
++ if n := p.oe[i]; n.DataAtom == a.Select {
++ p.oe = p.oe[:i]
++ break
++ }
++ }
++ p.resetInsertionMode()
++ return false
+ }
+ }
+ return inSelectIM(p)
+diff --git a/html/parse_test.go b/html/parse_test.go
+index 1c232c71..9bba918c 100644
+--- a/html/parse_test.go
++++ b/html/parse_test.go
+@@ -367,7 +367,8 @@ var renderTestBlacklist = map[string]bool{
+ `<script><!--<script </s`: true,
+ // Reconstructing the active formatting elements results in a
<plaintext>
+ // element that contains an <a> element.
+- `<!doctype html><p><a><plaintext>b`: true,
++ `<!doctype html><p><a><plaintext>b`: true,
++ `<table><math><select><mi><select></table>`: true,
+ }
+
+ func TestNodeConsistency(t *testing.T) {
+diff --git a/html/testdata/go/select.dat b/html/testdata/go/select.dat
+new file mode 100644
+index 00000000..684554c8
+--- /dev/null
++++ b/html/testdata/go/select.dat
+@@ -0,0 +1,12 @@
++#data
++<table><math><select><mi><select></table>
++#errors
++#document
++| <html>
++| <head>
++| <body>
++| <math math>
++| <math select>
++| <math mi>
++| <select>
++| <table>
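Review bot: The backward scan over `p.oe` added to `inSelectInTableIM` has no branch for the case where no entry has `DataAtom == a.Select`: the stack is left as it was, `p.resetInsertionMode()` still runs, and the function returns false. The changelog ties this patch to CVE-2018-17846 and the neighbouring cases use `return true` to ignore a token, so the invariant should be stated next to the loop, for example `// A select element is expected on p.oe in this insertion mode, so this loop always truncates the stack.` If that expectation does not hold, returning true when nothing was found would be the safer choice; this cannot be confirmed here because both `inSelectIM` and `inSelectInTableIM` start and end outside the hunks. The new `renderTestBlacklist` entry in parse_test.go also has no comment saying why the input is excluded from the render test, unlike the entry above it.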
diff -Nru
golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17847_CVE-2018-17848_4b62a64.patch
golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17847_CVE-2018-17848_4b62a64.patch
---
golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17847_CVE-2018-17848_4b62a64.patch
1970-01-01 08:00:00.000000000 +0800
+++
golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17847_CVE-2018-17848_4b62a64.patch
2019-04-30 16:42:08.000000000 +0800
@@ -0,0 +1,67 @@
+From 4b62a64f59f73840b9ab79204c94fee61cd1ba2c Mon Sep 17 00:00:00 2001
+From: Kunpei Sakai <[email protected]>
+Date: Fri, 25 Jan 2019 02:28:59 +0900
+Subject: [PATCH] html: make (*nodeStack)contains distinguish namespace
+
+By proceeding without distinguishing namespace, inconsistency will
+occur.
+This commit makes the method distinguish the HTML namespace.
+
+Fixes golang/go#27846
+
+Change-Id: I8269f670240c0fe31162a16fbe1ac23acacec00f
+Reviewed-on: https://go-review.googlesource.com/c/159397
+Run-TryBot: Kunpei Sakai <[email protected]>
+TryBot-Result: Gobot Gobot <[email protected]>
+Reviewed-by: Nigel Tao <[email protected]>
+---
+ html/node.go | 2 +-
+ html/testdata/go/template.dat | 25 +++++++++++++++++++++++++
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/html/node.go b/html/node.go
+index 2c1cade6..633ee15d 100644
+--- a/html/node.go
++++ b/html/node.go
+@@ -177,7 +177,7 @@ func (s *nodeStack) index(n *Node) int {
+ // contains returns whether a is within s.
+ func (s *nodeStack) contains(a atom.Atom) bool {
+ for _, n := range *s {
+- if n.DataAtom == a {
++ if n.DataAtom == a && n.Namespace == "" {
+ return true
+ }
+ }
+diff --git a/html/testdata/go/template.dat b/html/testdata/go/template.dat
+index 98481b9e..ceaf0229 100644
+--- a/html/testdata/go/template.dat
++++ b/html/testdata/go/template.dat
+@@ -35,3 +35,28 @@
+ | <math mo>
+ | <template>
+ | content
++
++#data
++<svg><template><desc><t><svg></template>
++#errors
++#document
++| <html>
++| <head>
++| <body>
++| <svg svg>
++| <svg template>
++| <svg desc>
++| <t>
++| <svg svg>
++
++#data
++<math><template><mn><b></template>
++#errors
++#document
++| <html>
++| <head>
++| <body>
++| <math math>
++| <math template>
++| <math mn>
++| <b>
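Review bot: The doc comment on `(*nodeStack).contains` still reads "contains returns whether a is within s", but with the added `n.Namespace == ""` condition the method only reports nodes in the HTML namespace, so an SVG or MathML element with the same atom no longer matches. The comment should change with the condition, e.g. `// contains returns whether s holds an element with atom a in the HTML namespace (Namespace == "").` Callers of `contains` are outside the hunk, so it is worth confirming that none of them depended on the namespace-agnostic match. The scan for `a.Select` that CVE-2018-17846_d26f9f9.patch adds in parse.go intentionally ignores the namespace, and the differing behaviour of the two lookups deserves a one-line cross-reference.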
diff -Nru
golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/series
golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/series
--- golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/series
1970-01-01 08:00:00.000000000 +0800
+++ golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/series
2019-04-30 16:42:08.000000000 +0800
@@ -0,0 +1,2 @@
+CVE-2018-17846_d26f9f9.patch
+CVE-2018-17847_CVE-2018-17848_4b62a64.patch
unblock golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3
-- System Information:
Debian Release: 10.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Hi
On 18-06-2019 19:01, Paul Gevers wrote:
> The
> golang-golang-x-net-dev update isn't available in coyim, rkt and
> singularity-container yet. Hence, this bug isn't closed yet.
coyim, rkt and singularity-container are (being) removed from buster. So
this bug can be closed.
Paul
--- End Message ---