Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package glow for openSUSE:Factory checked in at 2025-10-08 18:27:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/glow (Old) and /work/SRC/openSUSE:Factory/.glow.new.11973 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "glow" Wed Oct 8 18:27:03 2025 rev:8 rq:1309824 version:2.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/glow/glow.changes 2025-06-05 20:36:42.567206573 +0200 +++ /work/SRC/openSUSE:Factory/.glow.new.11973/glow.changes 2025-10-08 18:27:05.038036760 +0200 @@ -1,0 +2,13 @@ +Wed Oct 8 15:21:38 UTC 2025 - [email protected] + +- Add fix-CVE-2025-47911_CVE-2025-58190.patch + * Fix "html: impose open element stack size limit" + - CVE-2025-47911 (gh#golang/go#75682) (bsc#1251462) + - https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d + * Fix "html: align in row insertion mode with spec" + - CVE-2025-58190 (gh#golang/go#70179) (bsc#1251720) + - https://github.com/golang/net/commit/6ec8895aa5f6594da7356da7d341b98133629009 + * The patch was created using a diff from golang.org/x/net + version 0.40.0 to version 0.45.0 + +------------------------------------------------------------------- New: ---- fix-CVE-2025-47911_CVE-2025-58190.patch ----------(New B)---------- New: - Add fix-CVE-2025-47911_CVE-2025-58190.patch * Fix "html: impose open element stack size limit" ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ glow.spec ++++++ --- /var/tmp/diff_new_pack.Jdx8A4/_old 2025-10-08 18:27:06.954117154 +0200 +++ /var/tmp/diff_new_pack.Jdx8A4/_new 2025-10-08 18:27:06.974117993 +0200 @@ -1,7 +1,7 @@ # # spec file for package glow # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,6 +30,7 @@ # vendoring obtained by `osc service manualrun`. See README.suse-maint.md for details. Source1: vendor.tar.zst Source2: README.suse-maint.md +Source3: fix-CVE-2025-47911_CVE-2025-58190.patch BuildRequires: golang-packaging BuildRequires: zstd BuildRequires: golang(API) >= 1.23 
@@ -76,7 +77,8 @@ Zsh command-line completion support for %{name}. %prep -%autosetup -p1 -a1 +%autosetup -a1 -p1 +patch -d vendor/golang.org/x/net/ -p1 -i %{SOURCE3} %build %ifnarch ppc64 ++++++ fix-CVE-2025-47911_CVE-2025-58190.patch ++++++ diff -rup vendor/golang.org/x/net/html/escape.go net-0.45.0/html/escape.go --- vendor/golang.org/x/net/html/escape.go 2025-05-30 14:58:41.000000000 +0200 +++ net-0.45.0/html/escape.go 2025-10-07 20:18:01.000000000 +0200 @@ -299,7 +299,7 @@ func escape(w writer, s string) error { case '\r': esc = " " default: - panic("unrecognized escape character") + panic("html: unrecognized escape character") } s = s[i+1:] if _, err := w.WriteString(esc); err != nil { diff -rup vendor/golang.org/x/net/html/parse.go net-0.45.0/html/parse.go --- vendor/golang.org/x/net/html/parse.go 2025-05-30 14:58:41.000000000 +0200 +++ net-0.45.0/html/parse.go 2025-10-07 20:18:01.000000000 +0200 @@ -136,7 +136,7 @@ func (p *parser) indexOfElementInScope(s return -1 } default: - panic("unreachable") + panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s)) } } switch s { @@ -179,7 +179,7 @@ func (p *parser) clearStackToContext(s s return } default: - panic("unreachable") + panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s)) } } } @@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) { } if n.Type == ElementNode { - p.oe = append(p.oe, n) + p.insertOpenElement(n) + } +} + +func (p *parser) insertOpenElement(n *Node) { + p.oe = append(p.oe, n) + if len(p.oe) > 512 { + panic("html: open stack of elements exceeds 512 nodes") } } @@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool { p.im = inFramesetIM return true case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title: - p.oe = append(p.oe, p.head) + p.insertOpenElement(p.head) defer p.oe.remove(p.head) return inHeadIM(p) case a.Head: 
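Review bot: The `patch -d vendor/golang.org/x/net/ -p1 -i %{SOURCE3}` line in `%prep` has no comment explaining that the fix exists only as an in-tree patch of the vendored sources. The vendored module metadata is not touched by this change, so the built binary and any scanner that reads its module list will presumably still report the pre-fix golang.org/x/net release (0.40.0 per the changelog) for CVE-2025-47911 and CVE-2025-58190. A comment above the line would spare the next maintainer and the security team that triage, for example `# Backport of the x/net html fixes for CVE-2025-47911 / CVE-2025-58190; the vendored module version is unchanged, drop this once the vendor tarball carries x/net >= 0.45.0`. The same comment can record why the file is listed as `Source3` and applied by hand: it has to be applied inside the directory that `-a1` unpacks.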
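Review bot: `insertOpenElement` enforces the nesting limit by panicking on input-controlled depth, and nothing at its definition says that this is deliberate or where the panic is caught. A doc comment would make the contract explicit, e.g. `// insertOpenElement pushes n onto the stack of open elements and panics once the stack exceeds 512 nodes; parse recovers the panic and returns it as an error.` The value 512 is also written out in the comparison and the panic text here and again in the Parse doc comment later in the patch, so a named constant such as `const maxOpenElements = 512` would keep them from drifting apart. The limit only holds for pushes routed through this helper: the patch converts the appends in `addChild` and `afterHeadIM`, and any other direct `p.oe = append(...)` in parse.go, which is not visible here, would bypass it.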
@@ -1678,7 +1685,7 @@ func inTableBodyIM(p *parser) bool { return inTableIM(p) } -// Section 12.2.6.4.14. +// Section 13.2.6.4.14. func inRowIM(p *parser) bool { switch p.tok.Type { case StartTagToken: @@ -1690,7 +1697,9 @@ func inRowIM(p *parser) bool { p.im = inCellIM return true case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr: - if p.popUntil(tableScope, a.Tr) { + if p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() p.im = inTableBodyIM return false } @@ -1700,22 +1709,28 @@ func inRowIM(p *parser) bool { case EndTagToken: switch p.tok.DataAtom { case a.Tr: - if p.popUntil(tableScope, a.Tr) { + if p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() p.im = inTableBodyIM return true } // Ignore the token. return true case a.Table: - if p.popUntil(tableScope, a.Tr) { + if p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() p.im = inTableBodyIM return false } // Ignore the token. return true case a.Tbody, a.Tfoot, a.Thead: - if p.elementInScope(tableScope, p.tok.DataAtom) { - p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String()) + if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) { + p.clearStackToContext(tableRowScope) + p.oe.pop() + p.im = inTableBodyIM return false } // Ignore the token. @@ -2222,16 +2237,20 @@ func parseForeignContent(p *parser) bool p.acknowledgeSelfClosingTag() } case EndTagToken: + if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) { + p.oe = p.oe[:len(p.oe)-1] + return true + } for i := len(p.oe) - 1; i >= 0; i-- { - if p.oe[i].Namespace == "" { - return p.im(p) - } if strings.EqualFold(p.oe[i].Data, p.tok.Data) { p.oe = p.oe[:i] + return true + } + if i > 0 && p.oe[i-1].Namespace == "" { break } } - return true + return p.im(p) default: // Ignore the token. } 
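Review bot: The sequence `p.clearStackToContext(tableRowScope)`, `p.oe.pop()`, `p.im = inTableBodyIM` is now repeated four times in `inRowIM` (once in the start-tag case and three times in the end-tag cases of the following hunk), each guarded by `p.elementInScope(tableScope, a.Tr)`. A small helper with a one-line comment, for instance `// closeRow pops the stack back past the current tr and switches to the "in table body" insertion mode.`, would keep the four sites in step if the spec alignment is revisited. The `pop()` relies on the current node being the `tr` after the stack is cleared, which the preceding scope check is meant to guarantee; that is worth stating in the comment. The body of `inRowIM` continues outside these hunks.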
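Review bot: In the `EndTagToken` case of `parseForeignContent`, the new `p.oe[len(p.oe)-1]` indexes the stack of open elements without a length check, so it is only safe while every caller guarantees a non-empty stack; that guarantee is not visible in this hunk. With the recover this patch adds to `parse`, an out-of-range index would come back as an ordinary parse error and look like malformed input when it is in fact a parser bug. A comment stating the invariant would help, e.g. `// p.oe is non-empty here; the caller only dispatches to parseForeignContent when there is a current node (confirm against inForeignContent).` The rest of `parseForeignContent` lies outside the hunk.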
@@ -2312,9 +2331,13 @@ func (p *parser) parseCurrentToken() { } } -func (p *parser) parse() error { +func (p *parser) parse() (err error) { + defer func() { + if panicErr := recover(); panicErr != nil { + err = fmt.Errorf("%s", panicErr) + } + }() // Iterate until EOF. Any other error will cause an early return. - var err error for err != io.EOF { // CDATA sections are allowed only in foreign content. n := p.oe.top() @@ -2343,6 +2366,8 @@ func (p *parser) parse() error { // <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped, // with no corresponding node in the resulting tree. // +// Parse will reject HTML that is nested deeper than 512 elements. +// // The input is assumed to be UTF-8 encoded. func Parse(r io.Reader) (*Node, error) { return ParseWithOptions(r) diff -rup vendor/golang.org/x/net/html/render.go net-0.45.0/html/render.go --- vendor/golang.org/x/net/html/render.go 2025-05-30 14:58:41.000000000 +0200 +++ net-0.45.0/html/render.go 2025-10-07 20:18:01.000000000 +0200 @@ -184,7 +184,7 @@ func render1(w writer, n *Node) error { return err } - // Add initial newline where there is danger of a newline beging ignored. + // Add initial newline where there is danger of a newline being ignored. if c := n.FirstChild; c != nil && c.Type == TextNode && strings.HasPrefix(c.Data, "\n") { switch n.Data { case "pre", "listing", "textarea":
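Review bot: The deferred `recover()` added to `parse` converts every panic into an error, not only the depth-limit panic raised by `insertOpenElement`, so a runtime fault caused by a parser bug is returned as an ordinary parse error with its stack trace discarded and callers cannot tell the two apart. Panicking with a package-level error value and returning that same value from the recover would let callers match the depth rejection with `errors.Is` and log anything else as an internal fault. At a minimum the conversion should say what happened, e.g. `err = fmt.Errorf("html: parse aborted by panic: %v", panicErr)`. Documents nested deeper than 512 elements that were previously accepted now make Parse return an error, so callers have to treat that error as a rejection of untrusted input and not ignore it. The token loop of `parse` continues outside the hunk.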
