Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: z...@debian.org
Please unblock package golang-golang-x-net [ Reason ] Backport patch for CVE-2021-33194 x/net/html: infinite loop in ParseFragment [ Impact ] It fixes security issues. [ Tests ] Upstream has added a unit test for the issue in the patch. [ Risks ] + Diff is small + Key package [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing [ Other info ] Need rebuild packages which have built-using with old version of golang-golang-x-net unblock golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-4 diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog --- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog 2021-05-08 12:12:17.000000000 +0800 +++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog 2021-05-22 22:01:02.000000000 +0800 @@ -1,3 +1,11 @@ +golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-4) unstable; urgency=medium + + * Team upload. + * Backport patch for CVE-2021-33194 + x/net/html: infinite loop in ParseFragment + + -- Shengjing Zhu <z...@debian.org> Sat, 22 May 2021 22:01:02 +0800 + golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-3) unstable; urgency=medium * Team upload. diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch --- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch 1970-01-01 08:00:00.000000000 +0800 +++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch 2021-05-22 22:01:02.000000000 +0800 @@ -0,0 +1,114 @@ +From: Nigel Tao <nigel...@golang.org> +Date: Sun, 18 Apr 2021 21:15:27 +1000 +Subject: html: ignore templates nested within foreign content + +Fixes #46288 +Fixes CVE-2021-33194 + +Change-Id: I2fe39702de8e9aab29965c1526e377a6f9cdf056 +Reviewed-on: https://go-review.googlesource.com/c/net/+/311090 +Reviewed-by: Filippo Valsorda <fili...@golang.org> +Run-TryBot: Filippo Valsorda <fili...@golang.org> +Trust: Roland Shoemaker <rol...@golang.org> +TryBot-Result: Go Bot <go...@golang.org> +--- + html/parse.go | 24 +++++++++++++++++++++++- + html/parse_test.go | 22 ++++++++++++++++++++++ + 2 files changed, 45 insertions(+), 1 deletion(-) + +diff --git a/html/parse.go b/html/parse.go +index f91466f..038941d 100644 +--- a/html/parse.go ++++ b/html/parse.go +@@ -663,6 +663,24 @@ func inHeadIM(p *parser) bool { + // Ignore the token. + return true + case a.Template: ++ // TODO: remove this divergence from the HTML5 spec. ++ // ++ // We don't handle all of the corner cases when mixing foreign ++ // content (i.e. <math> or <svg>) with <template>. Without this ++ // early return, we can get into an infinite loop, possibly because ++ // of the "TODO... further divergence" a little below. ++ // ++ // As a workaround, if we are mixing foreign content and templates, ++ // just ignore the rest of the HTML. Foreign content is rare and a ++ // relatively old HTML feature. Templates are also rare and a ++ // relatively new HTML feature. Their combination is very rare. ++ for _, e := range p.oe { ++ if e.Namespace != "" { ++ p.im = ignoreTheRemainingTokens ++ return true ++ } ++ } ++ + p.addElement() + p.afe = append(p.afe, &scopeMarker) + p.framesetOK = false +@@ -683,7 +701,7 @@ func inHeadIM(p *parser) bool { + if !p.oe.contains(a.Template) { + return true + } +- // TODO: remove this divergence from the HTML5 spec. ++ // TODO: remove this further divergence from the HTML5 spec. + // + // See https://bugs.chromium.org/p/chromium/issues/detail?id=829668 + p.generateImpliedEndTags() +@@ -2127,6 +2145,10 @@ func afterAfterFramesetIM(p *parser) bool { + return true + } + ++func ignoreTheRemainingTokens(p *parser) bool { ++ return true ++} ++ + const whitespaceOrNUL = whitespace + "\x00" + + // Section 12.2.6.5 +diff --git a/html/parse_test.go b/html/parse_test.go +index 58dce5f..019333d 100644 +--- a/html/parse_test.go ++++ b/html/parse_test.go +@@ -267,6 +267,9 @@ func TestParser(t *testing.T) { + if err != nil { + t.Fatal(err) + } ++ if parseTestBlacklist[ta.text] { ++ continue ++ } + + err = testParseCase(ta.text, ta.want, ta.context, ParseOptionEnableScripting(ta.scripting)) + +@@ -379,6 +382,14 @@ func testParseCase(text, want, context string, opts ...ParseOption) (err error) + return nil + } + ++// Some test inputs are simply skipped - we would otherwise fail the test. We ++// blacklist such inputs from the parse test. ++var parseTestBlacklist = map[string]bool{ ++ // See the a.Template TODO in inHeadIM. ++ `<math><template><mo><template>`: true, ++ `<template><svg><foo><template><foreignObject><div></template><div>`: true, ++} ++ + // Some test input result in parse trees are not 'well-formed' despite + // following the HTML5 recovery algorithms. Rendering and re-parsing such a + // tree will not result in an exact clone of that tree. We blacklist such +@@ -454,6 +465,17 @@ func TestParseFragmentWithNilContext(t *testing.T) { + ParseFragment(strings.NewReader("<p>hello</p>"), nil) + } + ++func TestParseFragmentForeignContentTemplates(t *testing.T) { ++ srcs := []string{ ++ "<math><html><template><mn><template></template></template>", ++ "<math><math><head><mi><template>", ++ } ++ for _, src := range srcs { ++ // The next line shouldn't infinite-loop. ++ ParseFragment(strings.NewReader(src), nil) ++ } ++} ++ + func BenchmarkParser(b *testing.B) { + buf, err := ioutil.ReadFile("testdata/go1.html") + if err != nil { diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series --- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series 2021-05-08 12:12:17.000000000 +0800 +++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series 2021-05-22 22:01:02.000000000 +0800 @@ -1,2 +1,3 @@ publicsuffix.patch CVE-2021-31525.patch +CVE-2021-33194.patch