Package: release.debian.org Severity: normal X-Debbugs-Cc: [email protected] Control: affects -1 + src:golang-golang-x-net User: [email protected] Usertags: unblock
Please unblock package golang-golang-x-net [ Reason ] The patch fixes a FTBFS due to a failing test (#1089192) and adds to fixes for CVEs. [ Impact ] downstream build dependencies are affected by the CVEs and users can't easily modify and build the package. [ Tests ] Recompiled a couple times with sbulid and ran autopkgtests to make sure it work now. [ Risks ] Low, The skipped test has no impact compared to the version in testing and the patches for the two CVEs are from upstream and applied without problems. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] As this is a source only -dev package we probably need to recompile all downstream build dependencies to make user the CVEs fixes are applied. unblock golang-golang-x-net/1:0.27.0-2
diff --git a/debian/changelog b/debian/changelog index c713a01..20fadd0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +golang-golang-x-net (1:0.27.0-2) unstable; urgency=medium + + * Team upload. + + [ Ananthu C V ] + * Skip more publicsuffix tests (Closes: #1089192) + + [ Jochen Sprickerhof ] + * Add patch for CVE-2025-22872 (Closes: #1103586) + * Add patch for CVE-2024-45338 (Closes: #1091168) + + -- Jochen Sprickerhof <[email protected]> Wed, 21 May 2025 14:16:51 +0200 + golang-golang-x-net (1:0.27.0-1) unstable; urgency=medium * New upstream version 0.27.0 diff --git a/debian/patches/0003-html-properly-handle-trailing-solidus-in-unquoted-at.patch b/debian/patches/0003-html-properly-handle-trailing-solidus-in-unquoted-at.patch new file mode 100644 index 0000000..4eb0cec --- /dev/null +++ b/debian/patches/0003-html-properly-handle-trailing-solidus-in-unquoted-at.patch @@ -0,0 +1,91 @@ +From: Roland Shoemaker <[email protected]> +Date: Mon, 24 Feb 2025 11:18:31 -0800 +Subject: html: properly handle trailing solidus in unquoted attribute value + in foreign content + +The parser properly treats tags like <p a=/> as <p a="/">, but the +tokenizer emits the SelfClosingTagToken token incorrectly. When the +parser is used to parse foreign content, this results in an incorrect +DOM. + +Thanks to Sean Ng (https://ensy.zip) for reporting this issue. + +Fixes golang/go#73070 +Fixes CVE-2025-22872 + +Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f +Reviewed-on: https://go-review.googlesource.com/c/net/+/661256 +Reviewed-by: Neal Patel <[email protected]> +Reviewed-by: Roland Shoemaker <[email protected]> +LUCI-TryBot-Result: Go LUCI <[email protected]> +Auto-Submit: Gopher Robot <[email protected]> +--- + html/token.go | 18 ++++++++++++++++-- + html/token_test.go | 18 ++++++++++++++++++ + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/html/token.go b/html/token.go +index 3c57880..6598c1f 100644 +--- a/html/token.go ++++ b/html/token.go +@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType { + if raw { + z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end])) + } +- // Look for a self-closing token like "<br/>". +- if z.err == nil && z.buf[z.raw.end-2] == '/' { ++ // Look for a self-closing token (e.g. <br/>). ++ // ++ // Originally, we did this by just checking that the last character of the ++ // tag (ignoring the closing bracket) was a solidus (/) character, but this ++ // is not always accurate. ++ // ++ // We need to be careful that we don't misinterpret a non-self-closing tag ++ // as self-closing, as can happen if the tag contains unquoted attribute ++ // values (i.e. <p a=/>). ++ // ++ // To avoid this, we check that the last non-bracket character of the tag ++ // (z.raw.end-2) isn't the same character as the last non-quote character of ++ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has ++ // attributes. ++ nAttrs := len(z.attr) ++ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) { + return SelfClosingTagToken + } + return StartTagToken +diff --git a/html/token_test.go b/html/token_test.go +index a36d112..44773f1 100644 +--- a/html/token_test.go ++++ b/html/token_test.go +@@ -616,6 +616,16 @@ var tokenTests = []tokenTest{ + `<p a/ ="">`, + `<p a="" =""="">`, + }, ++ { ++ "slash at end of unquoted attribute value", ++ `<p a="\">`, ++ `<p a="\">`, ++ }, ++ { ++ "self-closing tag with attribute", ++ `<p a=/>`, ++ `<p a="/">`, ++ }, + } + + func TestTokenizer(t *testing.T) { +@@ -815,6 +825,14 @@ func TestReaderEdgeCases(t *testing.T) { + } + } + ++func TestSelfClosingTagValueConfusion(t *testing.T) { ++ z := NewTokenizer(strings.NewReader(`<p a=/>`)) ++ tok := z.Next() ++ if tok != StartTagToken { ++ t.Fatalf("unexpected token type: got %s, want %s", tok, StartTagToken) ++ } ++} ++ + // zeroOneByteReader is like a strings.Reader that alternates between + // returning 0 bytes and 1 byte at a time. + type zeroOneByteReader struct { diff --git a/debian/patches/0004-html-use-strings.EqualFold-instead-of-lowering-ourse.patch b/debian/patches/0004-html-use-strings.EqualFold-instead-of-lowering-ourse.patch new file mode 100644 index 0000000..8c34cbb --- /dev/null +++ b/debian/patches/0004-html-use-strings.EqualFold-instead-of-lowering-ourse.patch @@ -0,0 +1,76 @@ +From: Roland Shoemaker <[email protected]> +Date: Wed, 4 Dec 2024 09:35:55 -0800 +Subject: html: use strings.EqualFold instead of lowering ourselves + +Instead of using strings.ToLower and == to check case insensitive +equality, just use strings.EqualFold, even when the strings are only +ASCII. This prevents us unnecessarily lowering extremely long strings, +which can be a somewhat expensive operation, even if we're only +attempting to compare equality with five characters. + +Thanks to Guido Vranken for reporting this issue. + +Fixes golang/go#70906 +Fixes CVE-2024-45338 + +Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 +Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 +LUCI-TryBot-Result: Go LUCI <[email protected]> +Auto-Submit: Gopher Robot <[email protected]> +Reviewed-by: Roland Shoemaker <[email protected]> +Reviewed-by: Tatiana Bradley <[email protected]> +--- + html/doctype.go | 2 +- + html/foreign.go | 3 +-- + html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/html/doctype.go b/html/doctype.go +index c484e5a..bca3ae9 100644 +--- a/html/doctype.go ++++ b/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd"; { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd";) { + quirks = true + } + } +diff --git a/html/foreign.go b/html/foreign.go +index 9da9e9d..e8515d8 100644 +--- a/html/foreign.go ++++ b/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/html/parse.go b/html/parse.go +index 46a89ed..5b8374b 100644 +--- a/html/parse.go ++++ b/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true diff --git a/debian/patches/series b/debian/patches/series index c4757ad..b1780b4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,4 @@ publicsuffix.patch +skip-publicsuffix-tests.patch +0003-html-properly-handle-trailing-solidus-in-unquoted-at.patch +0004-html-use-strings.EqualFold-instead-of-lowering-ourse.patch diff --git a/debian/patches/skip-publicsuffix-tests.patch b/debian/patches/skip-publicsuffix-tests.patch new file mode 100644 index 0000000..c536674 --- /dev/null +++ b/debian/patches/skip-publicsuffix-tests.patch @@ -0,0 +1,78 @@ +From: Maytham Alsudany <[email protected]> +Date: Wed, 21 May 2025 10:45:21 +0200 +Subject: skip publicsuffix tests + +Bug-Debian: https://bugs.debian.org/1089192 +Forwarded: not-needed +Last-Update: 2025-05-03 + +These tests are hardcoded by upstream to check against parts of the test data, +but break when the test data is regenerated from the latest publicsuffix data, +which is constantly changing. + +This patch skips TestPublicSuffix, TestSlowPublicSuffix, TestNumICANNRules, +ExamplePublicSuffix_manager, and TestICANN, which are all affected by this +problem and resulted in test failures. +--- + publicsuffix/example_test.go | 4 +++- + publicsuffix/list_test.go | 4 ++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/publicsuffix/example_test.go b/publicsuffix/example_test.go +index c051dac..bc5f733 100644 +--- a/publicsuffix/example_test.go ++++ b/publicsuffix/example_test.go +@@ -7,6 +7,7 @@ package publicsuffix_test + import ( + "fmt" + "strings" ++ "testing" + + "golang.org/x/net/publicsuffix" + ) +@@ -17,7 +18,8 @@ import ( + // managed, or unmanaged (not explicitly in the PSL). + // + // See https://publicsuffix.org/ for the underlying PSL data. +-func ExamplePublicSuffix_manager() { ++func ExamplePublicSuffix_manager(t *testing.T) { ++ t.SkipNow() + domains := []string{ + "amazon.co.uk", + "books.amazon.co.uk", +diff --git a/publicsuffix/list_test.go b/publicsuffix/list_test.go +index 090c431..cf150ef 100644 +--- a/publicsuffix/list_test.go ++++ b/publicsuffix/list_test.go +@@ -62,6 +62,7 @@ func TestFind(t *testing.T) { + } + + func TestICANN(t *testing.T) { ++ t.SkipNow() + testCases := map[string]bool{ + "foo.org": true, + "foo.co.uk": true, +@@ -295,6 +296,7 @@ func BenchmarkPublicSuffix(b *testing.B) { + } + + func TestPublicSuffix(t *testing.T) { ++ t.SkipNow() + for _, tc := range publicSuffixTestCases { + gotPS, gotICANN := PublicSuffix(tc.domain) + if gotPS != tc.wantPS || gotICANN != tc.wantICANN { +@@ -304,6 +306,7 @@ func TestPublicSuffix(t *testing.T) { + } + + func TestSlowPublicSuffix(t *testing.T) { ++ t.SkipNow() + for _, tc := range publicSuffixTestCases { + gotPS, gotICANN := slowPublicSuffix(tc.domain) + if gotPS != tc.wantPS || gotICANN != tc.wantICANN { +@@ -313,6 +316,7 @@ func TestSlowPublicSuffix(t *testing.T) { + } + + func TestNumICANNRules(t *testing.T) { ++ t.SkipNow() + if numICANNRules <= 0 { + t.Fatal("no ICANN rules") + }
