Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org
Please unblock package golang-golang-x-net
[ Reason ]
Backport patch for CVE-2021-33194
x/net/html: infinite loop in ParseFragment
[ Impact ]
It fixes security issues.
[ Tests ]
Upstream has added a unit test for the issue in the patch.
[ Risks ]
+ Diff is small
+ Key package
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
Packages that have Built-Using on the old version of golang-golang-x-net
need to be rebuilt.
unblock golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-4
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog 2021-05-08 12:12:17.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog 2021-05-22 22:01:02.000000000 +0800
@@ -1,3 +1,11 @@
+golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-4) unstable; urgency=medium
+
+ * Team upload.
+ * Backport patch for CVE-2021-33194
+ x/net/html: infinite loop in ParseFragment
+
+ -- Shengjing Zhu <zhsj@debian.org> Sat, 22 May 2021 22:01:02 +0800
+
golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-3) unstable; urgency=medium
* Team upload.
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch 1970-01-01 08:00:00.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch 2021-05-22 22:01:02.000000000 +0800
@@ -0,0 +1,114 @@
+From: Nigel Tao <nigeltao@golang.org>
+Date: Sun, 18 Apr 2021 21:15:27 +1000
+Subject: html: ignore templates nested within foreign content
+
+Fixes #46288
+Fixes CVE-2021-33194
+
+Change-Id: I2fe39702de8e9aab29965c1526e377a6f9cdf056
+Reviewed-on: https://go-review.googlesource.com/c/net/+/311090
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+---
+ html/parse.go | 24 +++++++++++++++++++++++-
+ html/parse_test.go | 22 ++++++++++++++++++++++
+ 2 files changed, 45 insertions(+), 1 deletion(-)
+
+diff --git a/html/parse.go b/html/parse.go
+index f91466f..038941d 100644
+--- a/html/parse.go
++++ b/html/parse.go
+@@ -663,6 +663,24 @@ func inHeadIM(p *parser) bool {
+ // Ignore the token.
+ return true
+ case a.Template:
++ // TODO: remove this divergence from the HTML5 spec.
++ //
++ // We don't handle all of the corner cases when mixing foreign
++ // content (i.e. <math> or <svg>) with <template>. Without this
++ // early return, we can get into an infinite loop, possibly because
++ // of the "TODO... further divergence" a little below.
++ //
++ // As a workaround, if we are mixing foreign content and templates,
++ // just ignore the rest of the HTML. Foreign content is rare and a
++ // relatively old HTML feature. Templates are also rare and a
++ // relatively new HTML feature. Their combination is very rare.
++ for _, e := range p.oe {
++ if e.Namespace != "" {
++ p.im = ignoreTheRemainingTokens
++ return true
++ }
++ }
++
+ p.addElement()
+ p.afe = append(p.afe, &scopeMarker)
+ p.framesetOK = false
+@@ -683,7 +701,7 @@ func inHeadIM(p *parser) bool {
+ if !p.oe.contains(a.Template) {
+ return true
+ }
+- // TODO: remove this divergence from the HTML5 spec.
++ // TODO: remove this further divergence from the HTML5 spec.
+ //
+ // See https://bugs.chromium.org/p/chromium/issues/detail?id=829668
+ p.generateImpliedEndTags()
+@@ -2127,6 +2145,10 @@ func afterAfterFramesetIM(p *parser) bool {
+ return true
+ }
+
++func ignoreTheRemainingTokens(p *parser) bool {
++ return true
++}
++
+ const whitespaceOrNUL = whitespace + "\x00"
+
+ // Section 12.2.6.5
+diff --git a/html/parse_test.go b/html/parse_test.go
+index 58dce5f..019333d 100644
+--- a/html/parse_test.go
++++ b/html/parse_test.go
+@@ -267,6 +267,9 @@ func TestParser(t *testing.T) {
+ if err != nil {
+ t.Fatal(err)
+ }
++ if parseTestBlacklist[ta.text] {
++ continue
++ }
+
+ err = testParseCase(ta.text, ta.want, ta.context, ParseOptionEnableScripting(ta.scripting))
+
+@@ -379,6 +382,14 @@ func testParseCase(text, want, context string, opts ...ParseOption) (err error)
+ return nil
+ }
+
++// Some test inputs are simply skipped - we would otherwise fail the test. We
++// blacklist such inputs from the parse test.
++var parseTestBlacklist = map[string]bool{
++ // See the a.Template TODO in inHeadIM.
++ `<math><template><mo><template>`: true,
++ `<template><svg><foo><template><foreignObject><div></template><div>`: true,
++}
++
+ // Some test input result in parse trees are not 'well-formed' despite
+ // following the HTML5 recovery algorithms. Rendering and re-parsing such a
+ // tree will not result in an exact clone of that tree. We blacklist such
+@@ -454,6 +465,17 @@ func TestParseFragmentWithNilContext(t *testing.T) {
+ ParseFragment(strings.NewReader("<p>hello</p>"), nil)
+ }
+
++func TestParseFragmentForeignContentTemplates(t *testing.T) {
++ srcs := []string{
++ "<math><html><template><mn><template></template></template>",
++ "<math><math><head><mi><template>",
++ }
++ for _, src := range srcs {
++ // The next line shouldn't infinite-loop.
++ ParseFragment(strings.NewReader(src), nil)
++ }
++}
++
+ func BenchmarkParser(b *testing.B) {
+ buf, err := ioutil.ReadFile("testdata/go1.html")
+ if err != nil {
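Review bot: The new insertion mode `ignoreTheRemainingTokens` in the nested html/parse.go hunk discards every remaining token without recording an error, so a caller of ParseFragment cannot tell a truncated tree (foreign content mixed with `<template>`) from a fully parsed one; the rationale lives only in the inHeadIM comment, and the function itself is undocumented. A doc comment at the definition, `// ignoreTheRemainingTokens is an insertion mode that silently drops every remaining token; it is entered from the a.Template workaround in inHeadIM.`, would make that contract visible where a reader of parse.go's insertion-mode list will look for it. The guard inspects `p.oe` only on the `<template>` start tag path in inHeadIM, so whether other mode functions can reach the same loop is not shown by this hunk. In parse_test.go the new TestParseFragmentForeignContentTemplates calls ParseFragment directly, so a regression of the guard would hang the test binary until the `go test` timeout rather than fail promptly; a comment saying that this is the expected failure mode would spare the next maintainer a confusing run. The enclosing inHeadIM switch starts and ends outside the hunk.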
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series 2021-05-08 12:12:17.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series 2021-05-22 22:01:02.000000000 +0800
@@ -1,2 +1,3 @@
publicsuffix.patch
CVE-2021-31525.patch
+CVE-2021-33194.patch