Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package gitea-tea for openSUSE:Factory checked in at 2025-10-09 15:07:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gitea-tea (Old) and /work/SRC/openSUSE:Factory/.gitea-tea.new.11973 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gitea-tea" Thu Oct 9 15:07:07 2025 rev:12 rq:1309951 version:0.11.0 Changes: -------- --- /work/SRC/openSUSE:Factory/gitea-tea/gitea-tea.changes 2025-09-20 22:04:38.824097049 +0200 +++ /work/SRC/openSUSE:Factory/.gitea-tea.new.11973/gitea-tea.changes 2025-10-09 15:09:30.118214578 +0200 @@ -1,0 +2,6 @@ +Thu Oct 9 10:16:45 UTC 2025 - Richard Rahl <[email protected]> + +- add fix-CVE-2025-58190.patch, fixing bsc#1251663 +- add fix-CVE-2025-47911.patch, fixing bsc#1251471 + +------------------------------------------------------------------- New: ---- fix-CVE-2025-47911.patch fix-CVE-2025-58190.patch ----------(New B)---------- New:- add fix-CVE-2025-58190.patch, fixing bsc#1251663 - add fix-CVE-2025-47911.patch, fixing bsc#1251471 New: - add fix-CVE-2025-58190.patch, fixing bsc#1251663 - add fix-CVE-2025-47911.patch, fixing bsc#1251471 ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gitea-tea.spec ++++++ --- /var/tmp/diff_new_pack.qK9U5I/_old 2025-10-09 15:09:30.722240073 +0200 +++ /var/tmp/diff_new_pack.qK9U5I/_new 2025-10-09 15:09:30.726240242 +0200 @@ -1,6 +1,7 @@ # # spec file for package gitea-tea # +# Copyright (c) 2025 SUSE LLC # Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties @@ -24,6 +25,8 @@ URL: https://gitea.com/gitea/tea Source0: %{name}-%{version}.tar.gz Source1: vendor.tar.gz +Patch0: fix-CVE-2025-58190.patch +Patch1: fix-CVE-2025-47911.patch BuildRequires: golang(API) >= 1.24 Conflicts: tea ++++++ fix-CVE-2025-47911.patch ++++++ diff -rubN vendor/golang.org/x/net/html/escape.go vendor-patched/golang.org/x/net/html/escape.go --- a/vendor/golang.org/x/net/html/escape.go 2025-06-06 12:16:37.000000000 +0200 +++ b/vendor-patched/golang.org/x/net/html/escape.go 2025-10-09 10:38:44.325052734 +0200 
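Review bot: The `Patch0:` and `Patch1:` tags added in the `@@ -24,6 +25,8 @@` hunk only declare the patches, and the `%prep` section that must apply them is outside this hunk. Unless it already uses `%autosetup -p1`, it needs `%patch -P 0 -p1` and `%patch -P 1 -p1`, otherwise the package builds cleanly with the CVE fixes never applied. Both patches edit files under `vendor/`, which presumably comes from `Source1: vendor.tar.gz`, so they have to run after that tarball is unpacked. The patch headers name `a/vendor/...` on the old side and `b/vendor-patched/...` on the new side, so it is worth confirming in the build log that both apply against `vendor/`, in the declared order.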
@@ -299,7 +299,7 @@ case '\r': esc = " " default: - panic("unrecognized escape character") + panic("html: unrecognized escape character") } s = s[i+1:] if _, err := w.WriteString(esc); err != nil { diff -rubN vendor/golang.org/x/net/html/parse.go vendor-patched/golang.org/x/net/html/parse.go --- a/vendor/golang.org/x/net/html/parse.go 2025-10-09 10:39:56.705570069 +0200 +++ b/vendor-patched/golang.org/x/net/html/parse.go 2025-10-09 10:38:59.062361676 +0200 @@ -231,7 +231,14 @@ } if n.Type == ElementNode { + p.insertOpenElement(n) + } +} + +func (p *parser) insertOpenElement(n *Node) { p.oe = append(p.oe, n) + if len(p.oe) > 512 { + panic("html: open stack of elements exceeds 512 nodes") } } @@ -810,7 +817,7 @@ p.im = inFramesetIM return true case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title: - p.oe = append(p.oe, p.head) + p.insertOpenElement(p.head) defer p.oe.remove(p.head) return inHeadIM(p) case a.Head: @@ -2324,9 +2331,13 @@ } } -func (p *parser) parse() error { +func (p *parser) parse() (err error) { + defer func() { + if panicErr := recover(); panicErr != nil { + err = fmt.Errorf("%s", panicErr) + } + }() // Iterate until EOF. Any other error will cause an early return. - var err error for err != io.EOF { // CDATA sections are allowed only in foreign content. n := p.oe.top() @@ -2355,6 +2366,8 @@ // <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped, // with no corresponding node in the resulting tree. // +// Parse will reject HTML that is nested deeper than 512 elements. +// // The input is assumed to be UTF-8 encoded. func Parse(r io.Reader) (*Node, error) { return ParseWithOptions(r) ++++++ fix-CVE-2025-58190.patch ++++++ diff -rubN vendor/golang.org/x/net/html/parse.go vendor-patched/golang.org/x/net/html/parse.go --- a/vendor/golang.org/x/net/html/parse.go 2025-06-06 12:16:37.000000000 +0200 +++ b/vendor-patched/golang.org/x/net/html/parse.go 2025-10-09 10:12:41.984298856 +0200 
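Review bot: The limit `512` in `insertOpenElement` is a bare literal that is repeated in the panic message and again in the doc comment added to `Parse` (hunk `@@ -2355,6 +2366,8 @@`), so the three can drift apart. A named constant, `const maxOpenElements = 512` with `if len(p.oe) > maxOpenElements {`, would keep them tied together. The cap also only holds for pushes routed through this helper: these hunks convert the push at `@@ -231,7 +231,14 @@` and the `p.head` push at `@@ -810,7 +817,7 @@`, and any other `p.oe = append(...)` elsewhere in parse.go would bypass it, so a grep of the patched file is worthwhile.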
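Review bot: The deferred `recover()` added to `parse` converts every panic into an ordinary error, not only the new open-element limit. A runtime fault inside the parser (nil dereference, index out of range) therefore comes back as a plain error string with no stack trace, and callers cannot tell it from a rejected document. A comment above the `defer` should state this, for example `// Panics, including the open-element limit, are reported as errors; the stack trace is lost.` For a recovered value of unknown type, `fmt.Errorf("%v", panicErr)` is the safer verb than `%s`. The rest of `parse` lies outside the hunk.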
@@ -136,7 +136,7 @@ return -1 } default: - panic("unreachable") + panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s)) } } switch s { @@ -179,7 +179,7 @@ return } default: - panic("unreachable") + panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s)) } } } @@ -1678,7 +1678,7 @@ return inTableIM(p) } -// Section 12.2.6.4.14. +// Section 13.2.6.4.14. func inRowIM(p *parser) bool { switch p.tok.Type { case StartTagToken: @@ -1690,7 +1690,9 @@ p.im = inCellIM return true case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr: - if p.popUntil(tableScope, a.Tr) { + if p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() p.im = inTableBodyIM return false } @@ -1700,22 +1702,28 @@ case EndTagToken: switch p.tok.DataAtom { case a.Tr: - if p.popUntil(tableScope, a.Tr) { + if p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() p.im = inTableBodyIM return true } // Ignore the token. return true case a.Table: - if p.popUntil(tableScope, a.Tr) { + if p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() p.im = inTableBodyIM return false } // Ignore the token. return true case a.Tbody, a.Tfoot, a.Thead: - if p.elementInScope(tableScope, p.tok.DataAtom) { - p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String()) + if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() + p.im = inTableBodyIM return false } // Ignore the token. 
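Review bot: The four `inRowIM` branches that replace `popUntil(tableScope, a.Tr)` with `clearStackToContext(tableRowScope)` followed by `p.oe.pop()` carry no comment on why the bare `pop()` is safe. It relies on the preceding `elementInScope(tableScope, a.Tr)` check guaranteeing that clearing stops at the `tr` rather than at another boundary element. The stop set of `clearStackToContext` is outside these hunks, so that is an inference to confirm. A one-line comment at the first occurrence would record the invariant, for example `// tr is in table scope, so after clearing to a table row context the current node is that tr; pop it.` The same comment applies to the `a.Tr`, `a.Table` and `a.Tbody, a.Tfoot, a.Thead` end-tag branches in `@@ -1700,22 +1702,28 @@`.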
@@ -2222,16 +2230,20 @@ p.acknowledgeSelfClosingTag() } case EndTagToken: - for i := len(p.oe) - 1; i >= 0; i-- { - if p.oe[i].Namespace == "" { - return p.im(p) + if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) { + p.oe = p.oe[:len(p.oe)-1] + return true } + for i := len(p.oe) - 1; i >= 0; i-- { if strings.EqualFold(p.oe[i].Data, p.tok.Data) { p.oe = p.oe[:i] + return true + } + if i > 0 && p.oe[i-1].Namespace == "" { break } } - return true + return p.im(p) default: // Ignore the token. }
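Review bot: The new pre-check `p.oe[len(p.oe)-1]` in the `EndTagToken` case indexes the open-element stack without a length test, so an empty stack there is an index-out-of-range panic. The loop below would simply not execute in that case, and its first iteration already does the same comparison and truncation. Callers presumably reach this code only with a non-empty stack, but that is not visible in the hunk. Either document the invariant or guard the check, for example `if n := len(p.oe); n > 0 && strings.EqualFold(p.oe[n-1].Data, p.tok.Data) {`. The enclosing function starts and ends outside the hunk.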
