Your message dated Thu, 27 Jun 2019 11:58:06 +0200 with message-id <da404f4b-1c22-f82d-a694-03200c0b0832@debian.org> and subject line Re: Bug#928227: unblock: golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3 has caused the Debian Bug report #928227, regarding unblock: golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
928227: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928227
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3
- From: Drew Parsons <dparsons@debian.org>
- Date: Tue, 30 Apr 2019 17:07:57 +0800
- Message-id: <155661527720.11755.12946865232627914689.reportbug@grendel.emerall.com>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package golang-golang-x-net-dev

Upstream has provided patches addressing security issues CVE-2018-17846 / CVE-2018-17847 / CVE-2018-17848 (Debian bug #911795). This upload applies those patches.

$ debdiff golang-golang-x-net-dev_0.0+git20181201.351d144+dfsg-2.dsc golang-golang-x-net-dev_0.0+git20181201.351d144+dfsg-3.dsc diff -Nru golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/changelog golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/changelog --- golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/changelog 2018-12-14 21:56:28.000000000 +0800 +++ golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/changelog 2019-04-30 16:42:08.000000000 +0800 @@ -1,3 +1,13 @@ +golang-golang-x-net-dev (1:0.0+git20181201.351d144+dfsg-3) unstable; urgency=medium + + * Team upload. + * Apply security patches (upstream commits). Closes: #911795. + - CVE-2018-17846: commit d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf + - CVE-2018-17847, CVE-2018-17848: + commit 4b62a64f59f73840b9ab79204c94fee61cd1ba2c + + -- Drew Parsons <dparsons@debian.org> Tue, 30 Apr 2019 16:42:08 +0800 + golang-golang-x-net-dev (1:0.0+git20181201.351d144+dfsg-2) unstable; urgency=medium * Remove obsolete patch for s390. Closes: #916236. diff -Nru golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17846_d26f9f9.patch golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17846_d26f9f9.patch --- golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17846_d26f9f9.patch 1970-01-01 08:00:00.000000000 +0800 +++ golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17846_d26f9f9.patch 2019-04-30 16:42:08.000000000 +0800 
@@ -0,0 +1,108 @@ +From d26f9f9a57f3fab6a695bec0d84433c2c50f8bbf Mon Sep 17 00:00:00 2001 +From: Kunpei Sakai <namusyaka@gmail.com> +Date: Tue, 25 Sep 2018 22:55:50 +0900 +Subject: [PATCH] html: update inSelectIM and inSelectInTableIM for the latest + spec + +Fixes golang/go#27842 + +Change-Id: I06eb3c0c18be3566bd30a29fca5f3f7e6791d2cc +Reviewed-on: https://go-review.googlesource.com/c/137275 +Run-TryBot: Kunpei Sakai <namusyaka@gmail.com> +TryBot-Result: Gobot Gobot <gobot@golang.org> +Reviewed-by: Nigel Tao <nigeltao@golang.org> +--- + html/parse.go | 28 ++++++++++++++++++++++------ + html/parse_test.go | 3 ++- + html/testdata/go/select.dat | 12 ++++++++++++ + 3 files changed, 36 insertions(+), 7 deletions(-) + create mode 100644 html/testdata/go/select.dat + +diff --git a/html/parse.go b/html/parse.go +index 64a57937..488e8d3c 100644 +--- a/html/parse.go ++++ b/html/parse.go +@@ -1719,8 +1719,12 @@ func inSelectIM(p *parser) bool { + } + p.addElement() + case a.Select: +- p.tok.Type = EndTagToken +- return false ++ if p.popUntil(selectScope, a.Select) { ++ p.resetInsertionMode() ++ } else { ++ // Ignore the token. ++ return true ++ } + case a.Input, a.Keygen, a.Textarea: + if p.elementInScope(selectScope, a.Select) { + p.parseImpliedToken(EndTagToken, a.Select, a.Select.String()) +@@ -1750,6 +1754,9 @@ func inSelectIM(p *parser) bool { + case a.Select: + if p.popUntil(selectScope, a.Select) { + p.resetInsertionMode() ++ } else { ++ // Ignore the token. 
++ return true + } + case a.Template: + return inHeadIM(p) +@@ -1775,13 +1782,22 @@ func inSelectInTableIM(p *parser) bool { + case StartTagToken, EndTagToken: + switch p.tok.DataAtom { + case a.Caption, a.Table, a.Tbody, a.Tfoot, a.Thead, a.Tr, a.Td, a.Th: +- if p.tok.Type == StartTagToken || p.elementInScope(tableScope, p.tok.DataAtom) { +- p.parseImpliedToken(EndTagToken, a.Select, a.Select.String()) +- return false +- } else { ++ if p.tok.Type == EndTagToken && !p.elementInScope(tableScope, p.tok.DataAtom) { + // Ignore the token. + return true + } ++ // This is like p.popUntil(selectScope, a.Select), but it also ++ // matches <math select>, not just <select>. Matching the MathML ++ // tag is arguably incorrect (conceptually), but it mimics what ++ // Chromium does. ++ for i := len(p.oe) - 1; i >= 0; i-- { ++ if n := p.oe[i]; n.DataAtom == a.Select { ++ p.oe = p.oe[:i] ++ break ++ } ++ } ++ p.resetInsertionMode() ++ return false + } + } + return inSelectIM(p) +diff --git a/html/parse_test.go b/html/parse_test.go +index 1c232c71..9bba918c 100644 +--- a/html/parse_test.go ++++ b/html/parse_test.go +@@ -367,7 +367,8 @@ var renderTestBlacklist = map[string]bool{ + `<script><!--<script </s`: true, + // Reconstructing the active formatting elements results in a <plaintext> + // element that contains an <a> element. 
+- `<!doctype html><p><a><plaintext>b`: true, ++ `<!doctype html><p><a><plaintext>b`: true, ++ `<table><math><select><mi><select></table>`: true, + } + + func TestNodeConsistency(t *testing.T) { +diff --git a/html/testdata/go/select.dat b/html/testdata/go/select.dat +new file mode 100644 +index 00000000..684554c8 +--- /dev/null ++++ b/html/testdata/go/select.dat +@@ -0,0 +1,12 @@ ++#data ++<table><math><select><mi><select></table> ++#errors ++#document ++| <html> ++| <head> ++| <body> ++| <math math> ++| <math select> ++| <math mi> ++| <select> ++| <table> diff -Nru golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17847_CVE-2018-17848_4b62a64.patch golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17847_CVE-2018-17848_4b62a64.patch --- golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17847_CVE-2018-17848_4b62a64.patch 1970-01-01 08:00:00.000000000 +0800 +++ golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/CVE-2018-17847_CVE-2018-17848_4b62a64.patch 2019-04-30 16:42:08.000000000 +0800 
@@ -0,0 +1,67 @@ +From 4b62a64f59f73840b9ab79204c94fee61cd1ba2c Mon Sep 17 00:00:00 2001 +From: Kunpei Sakai <namusyaka@gmail.com> +Date: Fri, 25 Jan 2019 02:28:59 +0900 +Subject: [PATCH] html: make (*nodeStack)contains distinguish namespace + +By proceeding without distinguishing namespace, inconsistency will +occur. +This commit makes the method distinguish the HTML namespace. + +Fixes golang/go#27846 + +Change-Id: I8269f670240c0fe31162a16fbe1ac23acacec00f +Reviewed-on: https://go-review.googlesource.com/c/159397 +Run-TryBot: Kunpei Sakai <namusyaka@gmail.com> +TryBot-Result: Gobot Gobot <gobot@golang.org> +Reviewed-by: Nigel Tao <nigeltao@golang.org> +--- + html/node.go | 2 +- + html/testdata/go/template.dat | 25 +++++++++++++++++++++++++ + 2 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/html/node.go b/html/node.go +index 2c1cade6..633ee15d 100644 +--- a/html/node.go ++++ b/html/node.go +@@ -177,7 +177,7 @@ func (s *nodeStack) index(n *Node) int { + // contains returns whether a is within s. 
+ func (s *nodeStack) contains(a atom.Atom) bool { + for _, n := range *s { +- if n.DataAtom == a { ++ if n.DataAtom == a && n.Namespace == "" { + return true + } + } +diff --git a/html/testdata/go/template.dat b/html/testdata/go/template.dat +index 98481b9e..ceaf0229 100644 +--- a/html/testdata/go/template.dat ++++ b/html/testdata/go/template.dat +@@ -35,3 +35,28 @@ + | <math mo> + | <template> + | content ++ ++#data ++<svg><template><desc><t><svg></template> ++#errors ++#document ++| <html> ++| <head> ++| <body> ++| <svg svg> ++| <svg template> ++| <svg desc> ++| <t> ++| <svg svg> ++ ++#data ++<math><template><mn><b></template> ++#errors ++#document ++| <html> ++| <head> ++| <body> ++| <math math> ++| <math template> ++| <math mn> ++| <b> diff -Nru golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/series golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/series --- golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/series 1970-01-01 08:00:00.000000000 +0800 +++ golang-golang-x-net-dev-0.0+git20181201.351d144+dfsg/debian/patches/series 2019-04-30 16:42:08.000000000 +0800 @@ -0,0 +1,2 @@ +CVE-2018-17846_d26f9f9.patch +CVE-2018-17847_CVE-2018-17848_4b62a64.patch

unblock golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3

-- System Information:
Debian Release: 10.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
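Review bot: In html/parse.go, hunk @@ -1775,13 +1782,22 @@ (inSelectInTableIM), the open-coded loop over p.oe truncates the stack at the nearest node with n.DataAtom == a.Select and never looks at n.Namespace, while the second patch in this same upload changes nodeStack.contains to require n.Namespace == "". The in-code comment explains the Chromium mimicry, but it should also say why namespace-blind matching is acceptable here when it is treated as the source of inconsistency in contains. Separately, if no matching node is on the stack the loop does nothing, yet p.resetInsertionMode() still runs and the function returns false; if that state cannot occur in this insertion mode, state the invariant in the comment, otherwise guard it.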
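Review bot: The two new "Ignore the token" branches in inSelectIM (html/parse.go, hunks @@ -1719,8 +1719,12 @@ and @@ -1750,6 +1754,9 @@) place the early return in an else after the success path. Inverting the test, as the inSelectInTableIM hunk already does for its own ignore path, reads more directly: "if !p.popUntil(selectScope, a.Select) { return true }" followed by "p.resetInsertionMode()". That keeps the ignore case first in all three places and removes one nesting level.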
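Review bot: The new renderTestBlacklist entry `<table><math><select><mi><select></table>` in html/parse_test.go carries no comment explaining why this input cannot round-trip through rendering, unlike the `<plaintext>` entry directly above it, which has a two-line explanation. Add a one-line reason, so a later reader can tell whether the entry documents a renderer limitation or masks a remaining parser inconsistency for the exact input this fix targets.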
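Review bot: In html/node.go, hunk @@ -177,7 +177,7 @@, the doc comment still reads "contains returns whether a is within s." although the body now matches only nodes with n.Namespace == "". Update the comment to say that only HTML-namespace elements are considered and that the empty string denotes the HTML namespace; a caller reading just the comment would expect an svg or math element with the same atom to count as contained.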
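Review bot: Both files added under debian/patches keep only the git format-patch header (From, Date, Subject, Change-Id, Reviewed-on) and have no Debian-side tracking fields, so the link to #911795 and to the individual CVE ids lives only in the file names and in debian/changelog. Adding "Bug-Debian: https://bugs.debian.org/911795" and an "Origin: upstream, <commit URL>" pseudo-header to each patch would keep that provenance with the patch itself when the series is refreshed or a patch is dropped on the next upstream snapshot.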
--- End Message ---
--- Begin Message ---
- To: dparsons@debian.org, 928227-done@bugs.debian.org
- Cc: Shengjing Zhu <zhsj@debian.org>, "Dr. Tobias Quathamer" <toddy@debian.org>
- Subject: Re: Bug#928227: unblock: golang-golang-x-net-dev/1:0.0+git20181201.351d144+dfsg-3
- From: Paul Gevers <elbrus@debian.org>
- Date: Thu, 27 Jun 2019 11:58:06 +0200
- Message-id: <da404f4b-1c22-f82d-a694-03200c0b0832@debian.org>
- Reply-to: Paul Gevers <elbrus@debian.org>, 928227@bugs.debian.org
- In-reply-to: <a367413f-7116-f817-ca9d-e479dd9e2999@debian.org>
- References: <d1fe4d1e5c5f4c84ed180015bd49c114@debian.org> <155661527720.11755.12946865232627914689.reportbug@grendel.emerall.com> <a367413f-7116-f817-ca9d-e479dd9e2999@debian.org>
Hi

On 18-06-2019 19:01, Paul Gevers wrote:
> The
> golang-golang-x-net-dev update isn't available in coyim, rkt and
> singularity-container yet. Hence, this bug isn't closed yet.

coyim, rkt and singularity-container are (being) removed from buster. So this bug can be closed.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---