
Bug#988983: unblock: golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org

Please unblock package golang-golang-x-net

[ Reason ]
Backport patch for CVE-2021-33194
x/net/html: infinite loop in ParseFragment

[ Impact ]
It fixes security issues.

[ Tests ]
Upstream has added a unit test for the issue in the patch.

[ Risks ]
+ Diff is small
+ Key package

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Reverse dependencies whose Built-Using field records the old version of
golang-golang-x-net need to be rebuilt: Go links the library statically, so
without a rebuild those binaries keep shipping the vulnerable parser.

unblock golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-4


diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog	2021-05-08 12:12:17.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog	2021-05-22 22:01:02.000000000 +0800
@@ -1,3 +1,11 @@
+golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-4) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patch for CVE-2021-33194
+    x/net/html: infinite loop in ParseFragment
+
+ -- Shengjing Zhu <zhsj@debian.org>  Sat, 22 May 2021 22:01:02 +0800
+
 golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-3) unstable; urgency=medium
 
   * Team upload.
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch	2021-05-22 22:01:02.000000000 +0800
@@ -0,0 +1,114 @@
+From: Nigel Tao <nigeltao@golang.org>
+Date: Sun, 18 Apr 2021 21:15:27 +1000
+Subject: html: ignore templates nested within foreign content
+
+Fixes #46288
+Fixes CVE-2021-33194
+
+Change-Id: I2fe39702de8e9aab29965c1526e377a6f9cdf056
+Reviewed-on: https://go-review.googlesource.com/c/net/+/311090
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+---
+ html/parse.go      | 24 +++++++++++++++++++++++-
+ html/parse_test.go | 22 ++++++++++++++++++++++
+ 2 files changed, 45 insertions(+), 1 deletion(-)
+
+diff --git a/html/parse.go b/html/parse.go
+index f91466f..038941d 100644
+--- a/html/parse.go
++++ b/html/parse.go
+@@ -663,6 +663,24 @@ func inHeadIM(p *parser) bool {
+ 			// Ignore the token.
+ 			return true
+ 		case a.Template:
++			// TODO: remove this divergence from the HTML5 spec.
++			//
++			// We don't handle all of the corner cases when mixing foreign
++			// content (i.e. <math> or <svg>) with <template>. Without this
++			// early return, we can get into an infinite loop, possibly because
++			// of the "TODO... further divergence" a little below.
++			//
++			// As a workaround, if we are mixing foreign content and templates,
++			// just ignore the rest of the HTML. Foreign content is rare and a
++			// relatively old HTML feature. Templates are also rare and a
++			// relatively new HTML feature. Their combination is very rare.
++			for _, e := range p.oe {
++				if e.Namespace != "" {
++					p.im = ignoreTheRemainingTokens
++					return true
++				}
++			}
++
+ 			p.addElement()
+ 			p.afe = append(p.afe, &scopeMarker)
+ 			p.framesetOK = false
+@@ -683,7 +701,7 @@ func inHeadIM(p *parser) bool {
+ 			if !p.oe.contains(a.Template) {
+ 				return true
+ 			}
+-			// TODO: remove this divergence from the HTML5 spec.
++			// TODO: remove this further divergence from the HTML5 spec.
+ 			//
+ 			// See https://bugs.chromium.org/p/chromium/issues/detail?id=829668
+ 			p.generateImpliedEndTags()
+@@ -2127,6 +2145,10 @@ func afterAfterFramesetIM(p *parser) bool {
+ 	return true
+ }
+ 
++func ignoreTheRemainingTokens(p *parser) bool {
++	return true
++}
++
+ const whitespaceOrNUL = whitespace + "\x00"
+ 
+ // Section 12.2.6.5
+diff --git a/html/parse_test.go b/html/parse_test.go
+index 58dce5f..019333d 100644
+--- a/html/parse_test.go
++++ b/html/parse_test.go
+@@ -267,6 +267,9 @@ func TestParser(t *testing.T) {
+ 				if err != nil {
+ 					t.Fatal(err)
+ 				}
++				if parseTestBlacklist[ta.text] {
++					continue
++				}
+ 
+ 				err = testParseCase(ta.text, ta.want, ta.context, ParseOptionEnableScripting(ta.scripting))
+ 
+@@ -379,6 +382,14 @@ func testParseCase(text, want, context string, opts ...ParseOption) (err error)
+ 	return nil
+ }
+ 
++// Some test inputs are simply skipped - we would otherwise fail the test. We
++// blacklist such inputs from the parse test.
++var parseTestBlacklist = map[string]bool{
++	// See the a.Template TODO in inHeadIM.
++	`<math><template><mo><template>`:                                     true,
++	`<template><svg><foo><template><foreignObject><div></template><div>`: true,
++}
++
+ // Some test input result in parse trees are not 'well-formed' despite
+ // following the HTML5 recovery algorithms. Rendering and re-parsing such a
+ // tree will not result in an exact clone of that tree. We blacklist such
+@@ -454,6 +465,17 @@ func TestParseFragmentWithNilContext(t *testing.T) {
+ 	ParseFragment(strings.NewReader("<p>hello</p>"), nil)
+ }
+ 
++func TestParseFragmentForeignContentTemplates(t *testing.T) {
++	srcs := []string{
++		"<math><html><template><mn><template></template></template>",
++		"<math><math><head><mi><template>",
++	}
++	for _, src := range srcs {
++		// The next line shouldn't infinite-loop.
++		ParseFragment(strings.NewReader(src), nil)
++	}
++}
++
+ func BenchmarkParser(b *testing.B) {
+ 	buf, err := ioutil.ReadFile("testdata/go1.html")
+ 	if err != nil {
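Review bot: The workaround added at the `a.Template` case in inHeadIM turns the infinite loop into silent truncation: once `p.im` is set to `ignoreTheRemainingTokens` (which just returns true, i.e. consumes each token and does nothing), every later token is dropped, so a document that mixes `<template>` with `<math>`/`<svg>` yields a tree that does not match what a browser builds. That is an acceptable trade for a DoS fix, but callers that use the tree to validate input and then forward the original bytes (rather than re-serialising the tree) get a parser differential, and the comment in parse.go should say so, e.g. `// NOTE: the rest of the input is discarded, not rejected; the resulting tree is not a faithful view of the input.`. `ignoreTheRemainingTokens` has no doc comment; add `// ignoreTheRemainingTokens is an insertion mode that drops every remaining token; it is entered only from the <template> workaround in inHeadIM.`. The new TestParseFragmentForeignContentTemplates only proves termination, so a regression would hang until go test's global timeout rather than fail quickly; running each ParseFragment call in a goroutine and selecting on a short `time.After` deadline would make the failure mode explicit.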
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series	2021-05-08 12:12:17.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series	2021-05-22 22:01:02.000000000 +0800
@@ -1,2 +1,3 @@
 publicsuffix.patch
 CVE-2021-31525.patch
+CVE-2021-33194.patch

