Your message dated Sun, 30 May 2021 13:35:57 +0000
with message-id <[email protected]>
and subject line unblock golang-golang-x-net
has caused the Debian Bug report #988983,
regarding unblock: golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-4
to be marked as done.
--
988983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988983
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Please unblock package golang-golang-x-net
[ Reason ]
Backport patch for CVE-2021-33194
x/net/html: infinite loop in ParseFragment
[ Impact ]
It fixes security issues.
[ Tests ]
Upstream has added a unit test for the issue in the patch.
[ Risks ]
+ Diff is small
+ Key package
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
Packages whose Built-Using field refers to the old version of
golang-golang-x-net need to be rebuilt.
unblock golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-4
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
2021-05-08 12:12:17.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
2021-05-22 22:01:02.000000000 +0800
@@ -1,3 +1,11 @@
+golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-4) unstable; urgency=medium
+
+ * Team upload.
+ * Backport patch for CVE-2021-33194
+ x/net/html: infinite loop in ParseFragment
+
+ -- Shengjing Zhu <[email protected]> Sat, 22 May 2021 22:01:02 +0800
+
golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-3) unstable; urgency=medium
* Team upload.
diff -Nru
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch
---
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch
1970-01-01 08:00:00.000000000 +0800
+++
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch
2021-05-22 22:01:02.000000000 +0800
@@ -0,0 +1,114 @@
+From: Nigel Tao <[email protected]>
+Date: Sun, 18 Apr 2021 21:15:27 +1000
+Subject: html: ignore templates nested within foreign content
+
+Fixes #46288
+Fixes CVE-2021-33194
+
+Change-Id: I2fe39702de8e9aab29965c1526e377a6f9cdf056
+Reviewed-on: https://go-review.googlesource.com/c/net/+/311090
+Reviewed-by: Filippo Valsorda <[email protected]>
+Run-TryBot: Filippo Valsorda <[email protected]>
+Trust: Roland Shoemaker <[email protected]>
+TryBot-Result: Go Bot <[email protected]>
+---
+ html/parse.go | 24 +++++++++++++++++++++++-
+ html/parse_test.go | 22 ++++++++++++++++++++++
+ 2 files changed, 45 insertions(+), 1 deletion(-)
+
+diff --git a/html/parse.go b/html/parse.go
+index f91466f..038941d 100644
+--- a/html/parse.go
++++ b/html/parse.go
+@@ -663,6 +663,24 @@ func inHeadIM(p *parser) bool {
+ // Ignore the token.
+ return true
+ case a.Template:
++ // TODO: remove this divergence from the HTML5 spec.
++ //
++ // We don't handle all of the corner cases when mixing
foreign
++ // content (i.e. <math> or <svg>) with <template>.
Without this
++ // early return, we can get into an infinite loop,
possibly because
++ // of the "TODO... further divergence" a little below.
++ //
++ // As a workaround, if we are mixing foreign content
and templates,
++ // just ignore the rest of the HTML. Foreign content is
rare and a
++ // relatively old HTML feature. Templates are also rare
and a
++ // relatively new HTML feature. Their combination is
very rare.
++ for _, e := range p.oe {
++ if e.Namespace != "" {
++ p.im = ignoreTheRemainingTokens
++ return true
++ }
++ }
++
+ p.addElement()
+ p.afe = append(p.afe, &scopeMarker)
+ p.framesetOK = false
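Review bot: The early return added to the `a.Template` case drops the rest of the input silently: once `p.im = ignoreTheRemainingTokens` is set, every later token is consumed, and nothing in this hunk records that the resulting tree is truncated. Whether Parse or ParseFragment report an error in this case is not visible here; if they do not, a caller that validates the parsed tree but forwards the original bytes would be inspecting less markup than a browser goes on to parse. The comment should state that consequence for callers, for example `// Note: the tree is truncated here and no error is reported; callers making security decisions must use the re-rendered tree, not the original input.` inHeadIM starts and ends outside the hunk, so the remaining cases could not be checked.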
+@@ -683,7 +701,7 @@ func inHeadIM(p *parser) bool {
+ if !p.oe.contains(a.Template) {
+ return true
+ }
+- // TODO: remove this divergence from the HTML5 spec.
++ // TODO: remove this further divergence from the HTML5
spec.
+ //
+ // See
https://bugs.chromium.org/p/chromium/issues/detail?id=829668
+ p.generateImpliedEndTags()
+@@ -2127,6 +2145,10 @@ func afterAfterFramesetIM(p *parser) bool {
+ return true
+ }
+
++func ignoreTheRemainingTokens(p *parser) bool {
++ return true
++}
++
+ const whitespaceOrNUL = whitespace + "\x00"
+
+ // Section 12.2.6.5
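Review bot: `ignoreTheRemainingTokens` is added without a doc comment, although it is a non-spec insertion mode that a reader will meet next to the spec-numbered ones with no hint of why it exists. I would add `// ignoreTheRemainingTokens is an insertion mode that consumes every token without modifying the tree; it is set by the a.Template workaround in inHeadIM (CVE-2021-33194).` above the function. It would also help to say there that this mode is never left once it has been entered, which is what the visible body (`return true` with no change to `p.im`) implies.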
+diff --git a/html/parse_test.go b/html/parse_test.go
+index 58dce5f..019333d 100644
+--- a/html/parse_test.go
++++ b/html/parse_test.go
+@@ -267,6 +267,9 @@ func TestParser(t *testing.T) {
+ if err != nil {
+ t.Fatal(err)
+ }
++ if parseTestBlacklist[ta.text] {
++ continue
++ }
+
+ err = testParseCase(ta.text, ta.want,
ta.context, ParseOptionEnableScripting(ta.scripting))
+
+@@ -379,6 +382,14 @@ func testParseCase(text, want, context string, opts
...ParseOption) (err error)
+ return nil
+ }
+
++// Some test inputs are simply skipped - we would otherwise fail the test. We
++// blacklist such inputs from the parse test.
++var parseTestBlacklist = map[string]bool{
++ // See the a.Template TODO in inHeadIM.
++ `<math><template><mo><template>`:
true,
++ `<template><svg><foo><template><foreignObject><div></template><div>`:
true,
++}
++
+ // Some test input result in parse trees are not 'well-formed' despite
+ // following the HTML5 recovery algorithms. Rendering and re-parsing such a
+ // tree will not result in an exact clone of that tree. We blacklist such
+@@ -454,6 +465,17 @@ func TestParseFragmentWithNilContext(t *testing.T) {
+ ParseFragment(strings.NewReader("<p>hello</p>"), nil)
+ }
+
++func TestParseFragmentForeignContentTemplates(t *testing.T) {
++ srcs := []string{
++ "<math><html><template><mn><template></template></template>",
++ "<math><math><head><mi><template>",
++ }
++ for _, src := range srcs {
++ // The next line shouldn't infinite-loop.
++ ParseFragment(strings.NewReader(src), nil)
++ }
++}
++
+ func BenchmarkParser(b *testing.B) {
+ buf, err := ioutil.ReadFile("testdata/go1.html")
+ if err != nil {
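Review bot: TestParseFragmentForeignContentTemplates discards both return values of `ParseFragment` and has no time bound, so a regression of this CVE would show up as a hung test binary (killed by the global `go test` timeout) rather than as a failure naming the input. Running each parse under a short deadline makes the regression test fail fast and report which source looped; the sketch below assumes `time` is, or can be, imported in parse_test.go, which is not visible in this hunk. The trailing context lines belong to BenchmarkParser, which continues outside the hunk.

```go
func TestParseFragmentForeignContentTemplates(t *testing.T) {
	// … unchanged: srcs …
	for _, src := range srcs {
		done := make(chan struct{})
		go func() {
			defer close(done)
			ParseFragment(strings.NewReader(src), nil)
		}()
		select {
		case <-done:
		case <-time.After(5 * time.Second):
			t.Fatalf("ParseFragment(%q) did not return", src)
		}
	}
}
```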
diff -Nru
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
2021-05-08 12:12:17.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
2021-05-22 22:01:02.000000000 +0800
@@ -1,2 +1,3 @@
publicsuffix.patch
CVE-2021-31525.patch
+CVE-2021-33194.patch
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---