Bug#928227: marked as done (unblock: golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3)



Your message dated Thu, 27 Jun 2019 11:58:06 +0200
with message-id <da404f4b-1c22-f82d-a694-03200c0b0832@debian.org>
and subject line Re: Bug#928227: unblock: golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3
has caused the Debian Bug report #928227,
regarding unblock: golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928227
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package golang-golang-x-net-dev

Upstream has provided patches addressing security issues 
CVE-2018-17846 / CVE-2018-17847 / CVE-2018-17848
(Debian bug #911795).

This upload applies those patches.


$ debdiff  golang-golang-x-net-dev_0.0+git20181201.351d144+dfsg-2.dsc  golang-golang-x-net-dev_0.0+git20181201.351d144+dfsg-3.dsc
diff -Nru golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/changelog golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/changelog
--- golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/changelog	2018-12-14 21:56:28.000000000 +0800
+++ golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/changelog	2019-04-30 16:42:08.000000000 +0800
@@ -1,3 +1,13 @@
+golang-golang-x-net-dev (1:0.0+git20181201.351d144+dfsg-3) unstable; urgency=medium
+
+  * Team upload.
+  * Apply security patches (upstream commits). Closes: #911795.
+    - CVE-2018-17846: commit d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf
+    - CVE-2018-17847, CVE-2018-17848:
+      commit 4b62a64f59f73840b9ab79204c94fee61cd1ba2c
+
+ -- Drew Parsons <dparsons@debian.org>  Tue, 30 Apr 2019 16:42:08 +0800
+
 golang-golang-x-net-dev (1:0.0+git20181201.351d144+dfsg-2) unstable; urgency=medium
 
   * Remove obsolete patch for s390. Closes: #916236.
diff -Nru golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17846_d26f9f9.patch golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17846_d26f9f9.patch
--- golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17846_d26f9f9.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17846_d26f9f9.patch	2019-04-30 16:42:08.000000000 +0800
@@ -0,0 +1,108 @@
+From d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf Mon Sep 17 00:00:00 2001
+From: Kunpei Sakai <namusyaka@gmail.com>
+Date: Tue, 25 Sep 2018 22:55:50 +0900
+Subject: [PATCH] html: update inSelectIM and inSelectInTableIM for the latest
+ spec
+
+Fixes golang/go#27842
+
+Change-Id: I06eb3c0c18be3566bd30a29fca5f3f7e6791d2cc
+Reviewed-on: https://go-review.googlesource.com/c/137275
+Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Nigel Tao <nigeltao@golang.org>
+---
+ html/parse.go               | 28 ++++++++++++++++++++++------
+ html/parse_test.go          |  3 ++-
+ html/testdata/go/select.dat | 12 ++++++++++++
+ 3 files changed, 36 insertions(+), 7 deletions(-)
+ create mode 100644 html/testdata/go/select.dat
+
+diff --git a/html/parse.go b/html/parse.go
+index 64a57937..488e8d3c 100644
+--- a/html/parse.go
++++ b/html/parse.go
+@@ -1719,8 +1719,12 @@ func inSelectIM(p *parser) bool {
+ 			}
+ 			p.addElement()
+ 		case a.Select:
+-			p.tok.Type = EndTagToken
+-			return false
++			if p.popUntil(selectScope, a.Select) {
++				p.resetInsertionMode()
++			} else {
++				// Ignore the token.
++				return true
++			}
+ 		case a.Input, a.Keygen, a.Textarea:
+ 			if p.elementInScope(selectScope, a.Select) {
+ 				p.parseImpliedToken(EndTagToken, a.Select, a.Select.String())
+@@ -1750,6 +1754,9 @@ func inSelectIM(p *parser) bool {
+ 		case a.Select:
+ 			if p.popUntil(selectScope, a.Select) {
+ 				p.resetInsertionMode()
++			} else {
++				// Ignore the token.
++				return true
+ 			}
+ 		case a.Template:
+ 			return inHeadIM(p)
+@@ -1775,13 +1782,22 @@ func inSelectInTableIM(p *parser) bool {
+ 	case StartTagToken, EndTagToken:
+ 		switch p.tok.DataAtom {
+ 		case a.Caption, a.Table, a.Tbody, a.Tfoot, a.Thead, a.Tr, a.Td, a.Th:
+-			if p.tok.Type == StartTagToken || p.elementInScope(tableScope, p.tok.DataAtom) {
+-				p.parseImpliedToken(EndTagToken, a.Select, a.Select.String())
+-				return false
+-			} else {
++			if p.tok.Type == EndTagToken && !p.elementInScope(tableScope, p.tok.DataAtom) {
+ 				// Ignore the token.
+ 				return true
+ 			}
++			// This is like p.popUntil(selectScope, a.Select), but it also
++			// matches <math select>, not just <select>. Matching the MathML
++			// tag is arguably incorrect (conceptually), but it mimics what
++			// Chromium does.
++			for i := len(p.oe) - 1; i >= 0; i-- {
++				if n := p.oe[i]; n.DataAtom == a.Select {
++					p.oe = p.oe[:i]
++					break
++				}
++			}
++			p.resetInsertionMode()
++			return false
+ 		}
+ 	}
+ 	return inSelectIM(p)
+diff --git a/html/parse_test.go b/html/parse_test.go
+index 1c232c71..9bba918c 100644
+--- a/html/parse_test.go
++++ b/html/parse_test.go
+@@ -367,7 +367,8 @@ var renderTestBlacklist = map[string]bool{
+ 	`<script><!--<script </s`:                      true,
+ 	// Reconstructing the active formatting elements results in a <plaintext>
+ 	// element that contains an <a> element.
+-	`<!doctype html><p><a><plaintext>b`: true,
++	`<!doctype html><p><a><plaintext>b`:         true,
++	`<table><math><select><mi><select></table>`: true,
+ }
+ 
+ func TestNodeConsistency(t *testing.T) {
+diff --git a/html/testdata/go/select.dat b/html/testdata/go/select.dat
+new file mode 100644
+index 00000000..684554c8
+--- /dev/null
++++ b/html/testdata/go/select.dat
+@@ -0,0 +1,12 @@
++#data
++<table><math><select><mi><select></table>
++#errors
++#document
++| <html>
++|   <head>
++|   <body>
++|     <math math>
++|       <math select>
++|         <math mi>
++|           <select>
++|     <table>
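Review bot: In the inSelectInTableIM hunk of html/parse.go, the hand-written loop over p.oe has no branch for the case where no node with DataAtom a.Select is found: control falls through to p.resetInsertionMode() and "return false" with the stack untouched, so the token is reprocessed. The two inSelectIM hunks in this same patch explicitly ignore the token when popUntil(selectScope, a.Select) fails. Either add a comment stating why a select node is always on the stack in this insertion mode, or handle the not-found case explicitly. Separately, the new renderTestBlacklist entry in html/parse_test.go has no comment saying why the render round-trip is skipped for `<table><math><select><mi><select></table>`, while the entry above it has one; a one-line reason would help whoever revisits the blacklist.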
diff -Nru golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17847_CVE-2018-17848_4b62a64.patch golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17847_CVE-2018-17848_4b62a64.patch
--- golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17847_CVE-2018-17848_4b62a64.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17847_CVE-2018-17848_4b62a64.patch	2019-04-30 16:42:08.000000000 +0800
@@ -0,0 +1,67 @@
+From 4b62a64f59f73840b9ab79204c94fee61cd1ba2c Mon Sep 17 00:00:00 2001
+From: Kunpei Sakai <namusyaka@gmail.com>
+Date: Fri, 25 Jan 2019 02:28:59 +0900
+Subject: [PATCH] html: make (*nodeStack)contains distinguish namespace
+
+By proceeding without distinguishing namespace, inconsistency will
+occur.
+This commit makes the method distinguish the HTML namespace.
+
+Fixes golang/go#27846
+
+Change-Id: I8269f670240c0fe31162a16fbe1ac23acacec00f
+Reviewed-on: https://go-review.googlesource.com/c/159397
+Run-TryBot: Kunpei Sakai <namusyaka@gmail.com>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Nigel Tao <nigeltao@golang.org>
+---
+ html/node.go                  |  2 +-
+ html/testdata/go/template.dat | 25 +++++++++++++++++++++++++
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/html/node.go b/html/node.go
+index 2c1cade6..633ee15d 100644
+--- a/html/node.go
++++ b/html/node.go
+@@ -177,7 +177,7 @@ func (s *nodeStack) index(n *Node) int {
+ // contains returns whether a is within s.
+ func (s *nodeStack) contains(a atom.Atom) bool {
+ 	for _, n := range *s {
+-		if n.DataAtom == a {
++		if n.DataAtom == a && n.Namespace == "" {
+ 			return true
+ 		}
+ 	}
+diff --git a/html/testdata/go/template.dat b/html/testdata/go/template.dat
+index 98481b9e..ceaf0229 100644
+--- a/html/testdata/go/template.dat
++++ b/html/testdata/go/template.dat
+@@ -35,3 +35,28 @@
+ |         <math mo>
+ |           <template>
+ |             content
++
++#data
++<svg><template><desc><t><svg></template>
++#errors
++#document
++| <html>
++|   <head>
++|   <body>
++|     <svg svg>
++|       <svg template>
++|         <svg desc>
++|           <t>
++|             <svg svg>
++
++#data
++<math><template><mn><b></template>
++#errors
++#document
++| <html>
++|   <head>
++|   <body>
++|     <math math>
++|       <math template>
++|         <math mn>
++|           <b>
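Review bot: The doc comment on (*nodeStack).contains in html/node.go still reads "contains returns whether a is within s." after the condition gains `n.Namespace == ""`, so it no longer describes what the method does. Suggest updating it to say the match is restricted to elements in the HTML namespace, since callers reading only the comment would expect `<svg template>` or `<math template>` on the stack to count. The two new template.dat cases cover the svg and math inputs; the comment is the only part left out of step with the new behaviour.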
diff -Nru golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/series golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/series
--- golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/series	1970-01-01 08:00:00.000000000 +0800
+++ golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/series	2019-04-30 16:42:08.000000000 +0800
@@ -0,0 +1,2 @@
+CVE-2018-17846_d26f9f9.patch
+CVE-2018-17847_CVE-2018-17848_4b62a64.patch



unblock golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Hi

On 18-06-2019 19:01, Paul Gevers wrote:
> The
> golang-golang-x-net-dev update isn't available in coyim, rkt and
> singularity-container yet. Hence, this bug isn't closed yet.

coyim, rkt and singularity-container are (being) removed from buster. So
this bug can be closed.

Paul



--- End Message ---
