
Bug#988983: marked as done (unblock: golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-4)



Your message dated Sun, 30 May 2021 13:35:57 +0000
with message-id <E1lnLbh-0000ei-AH@respighi.debian.org>
and subject line unblock golang-golang-x-net
has caused the Debian Bug report #988983,
regarding unblock: golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988983: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988983
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: zhsj@debian.org

Please unblock package golang-golang-x-net

[ Reason ]
Backport patch for CVE-2021-33194
x/net/html: infinite loop in ParseFragment

[ Impact ]
It fixes security issues.

[ Tests ]
Upstream has added a unit test for the issue in the patch.

[ Risks ]
+ Diff is small
+ Key package

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Need to rebuild packages which have Built-Using with the old version of
golang-golang-x-net

unblock golang-golang-x-net/1:0.0+git20210119.5f4716e+dfsg-4


diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog	2021-05-08 12:12:17.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/changelog	2021-05-22 22:01:02.000000000 +0800
@@ -1,3 +1,11 @@
+golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-4) unstable; urgency=medium
+
+  * Team upload.
+  * Backport patch for CVE-2021-33194
+    x/net/html: infinite loop in ParseFragment
+
+ -- Shengjing Zhu <zhsj@debian.org>  Sat, 22 May 2021 22:01:02 +0800
+
 golang-golang-x-net (1:0.0+git20210119.5f4716e+dfsg-3) unstable; urgency=medium
 
   * Team upload.
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch	1970-01-01 08:00:00.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/CVE-2021-33194.patch	2021-05-22 22:01:02.000000000 +0800
@@ -0,0 +1,114 @@
+From: Nigel Tao <nigeltao@golang.org>
+Date: Sun, 18 Apr 2021 21:15:27 +1000
+Subject: html: ignore templates nested within foreign content
+
+Fixes #46288
+Fixes CVE-2021-33194
+
+Change-Id: I2fe39702de8e9aab29965c1526e377a6f9cdf056
+Reviewed-on: https://go-review.googlesource.com/c/net/+/311090
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+---
+ html/parse.go      | 24 +++++++++++++++++++++++-
+ html/parse_test.go | 22 ++++++++++++++++++++++
+ 2 files changed, 45 insertions(+), 1 deletion(-)
+
+diff --git a/html/parse.go b/html/parse.go
+index f91466f..038941d 100644
+--- a/html/parse.go
++++ b/html/parse.go
+@@ -663,6 +663,24 @@ func inHeadIM(p *parser) bool {
+ 			// Ignore the token.
+ 			return true
+ 		case a.Template:
++			// TODO: remove this divergence from the HTML5 spec.
++			//
++			// We don't handle all of the corner cases when mixing foreign
++			// content (i.e. <math> or <svg>) with <template>. Without this
++			// early return, we can get into an infinite loop, possibly because
++			// of the "TODO... further divergence" a little below.
++			//
++			// As a workaround, if we are mixing foreign content and templates,
++			// just ignore the rest of the HTML. Foreign content is rare and a
++			// relatively old HTML feature. Templates are also rare and a
++			// relatively new HTML feature. Their combination is very rare.
++			for _, e := range p.oe {
++				if e.Namespace != "" {
++					p.im = ignoreTheRemainingTokens
++					return true
++				}
++			}
++
+ 			p.addElement()
+ 			p.afe = append(p.afe, &scopeMarker)
+ 			p.framesetOK = false
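Review bot: the new comment says the loop happens "possibly because" of the divergence further down, so the root cause is unconfirmed and this block is a mitigation rather than a fix; the two inputs added to parseTestBlacklist later in this patch show the parser still diverges from the spec for foreign content mixed with templates. Record that explicitly in the TODO (for example "See #46288", the issue named in the commit message) so the workaround can be found and removed once the underlying divergence is fixed. Also spell out the cost of the workaround: once "p.im = ignoreTheRemainingTokens" is set, every remaining token of the input is dropped, not just the offending <template>, so the returned tree is silently truncated; callers that expect a lossless parse should be warned of this in the package documentation, since nothing in the return values signals it.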
+@@ -683,7 +701,7 @@ func inHeadIM(p *parser) bool {
+ 			if !p.oe.contains(a.Template) {
+ 				return true
+ 			}
+-			// TODO: remove this divergence from the HTML5 spec.
++			// TODO: remove this further divergence from the HTML5 spec.
+ 			//
+ 			// See https://bugs.chromium.org/p/chromium/issues/detail?id=829668
+ 			p.generateImpliedEndTags()
+@@ -2127,6 +2145,10 @@ func afterAfterFramesetIM(p *parser) bool {
+ 	return true
+ }
+ 
++func ignoreTheRemainingTokens(p *parser) bool {
++	return true
++}
++
+ const whitespaceOrNUL = whitespace + "\x00"
+ 
+ // Section 12.2.6.5
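Review bot: ignoreTheRemainingTokens has no doc comment, while the insertion-mode functions in this file carry one (the "// Section 12.2.6.5" line at the end of this hunk is the convention). Since this mode deliberately corresponds to no section of the HTML5 spec, say so above the function, for example "// ignoreTheRemainingTokens is not a spec insertion mode; it is the workaround for <template> nested in foreign content, see the a.Template TODO in inHeadIM." Returning true for every token, including the EOF token, is what lets the parser terminate, and the comment should make that intent explicit so nobody later "fixes" it to return false.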
+diff --git a/html/parse_test.go b/html/parse_test.go
+index 58dce5f..019333d 100644
+--- a/html/parse_test.go
++++ b/html/parse_test.go
+@@ -267,6 +267,9 @@ func TestParser(t *testing.T) {
+ 				if err != nil {
+ 					t.Fatal(err)
+ 				}
++				if parseTestBlacklist[ta.text] {
++					continue
++				}
+ 
+ 				err = testParseCase(ta.text, ta.want, ta.context, ParseOptionEnableScripting(ta.scripting))
+ 
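Review bot: the "continue" silently skips blacklisted inputs, so nothing in the test output records that two html5lib-style cases are no longer being checked. A t.Logf("skipping %q, see parseTestBlacklist", ta.text) before the "continue" keeps the skip visible under -v and makes it easy to notice if the blacklist is still needed after the TODO in inHeadIM is resolved.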
+@@ -379,6 +382,14 @@ func testParseCase(text, want, context string, opts ...ParseOption) (err error)
+ 	return nil
+ }
+ 
++// Some test inputs are simply skipped - we would otherwise fail the test. We
++// blacklist such inputs from the parse test.
++var parseTestBlacklist = map[string]bool{
++	// See the a.Template TODO in inHeadIM.
++	`<math><template><mo><template>`:                                     true,
++	`<template><svg><foo><template><foreignObject><div></template><div>`: true,
++}
++
+ // Some test input result in parse trees are not 'well-formed' despite
+ // following the HTML5 recovery algorithms. Rendering and re-parsing such a
+ // tree will not result in an exact clone of that tree. We blacklist such
+@@ -454,6 +465,17 @@ func TestParseFragmentWithNilContext(t *testing.T) {
+ 	ParseFragment(strings.NewReader("<p>hello</p>"), nil)
+ }
+ 
++func TestParseFragmentForeignContentTemplates(t *testing.T) {
++	srcs := []string{
++		"<math><html><template><mn><template></template></template>",
++		"<math><math><head><mi><template>",
++	}
++	for _, src := range srcs {
++		// The next line shouldn't infinite-loop.
++		ParseFragment(strings.NewReader(src), nil)
++	}
++}
++
+ func BenchmarkParser(b *testing.B) {
+ 	buf, err := ioutil.ReadFile("testdata/go1.html")
+ 	if err != nil {
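Review bot: TestParseFragmentForeignContentTemplates discards both return values of ParseFragment and asserts nothing, so a regression shows up only as the test hanging until the "go test" timeout rather than as a failure, and a parse error on these inputs would go unnoticed. Suggest checking the error ("if _, err := ParseFragment(strings.NewReader(src), nil); err != nil { t.Errorf(...) }") and running each parse in a goroutine with a time.After deadline so a reintroduced loop fails fast and names the offending input. The two strings here also differ from the two entries in parseTestBlacklist; a one-line comment on where they come from (the report referenced as #46288 in the commit message) would help the next reader understand why both sets exist.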
diff -Nru golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series
--- golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series	2021-05-08 12:12:17.000000000 +0800
+++ golang-golang-x-net-0.0+git20210119.5f4716e+dfsg/debian/patches/series	2021-05-22 22:01:02.000000000 +0800
@@ -1,2 +1,3 @@
 publicsuffix.patch
 CVE-2021-31525.patch
+CVE-2021-33194.patch

--- End Message ---
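The "[ Other info ]" item above asks for a rebuild of every package whose Built-Using pins the old golang-golang-x-net. The following is an added example of how to list those packages from a Packages index; it is not part of the bug report and not a Debian tool. It assumes the documented Built-Using syntax "source (= version)", comma separated, and runs here against a constructed excerpt of a Packages file (sample data, not from any real archive); on a Debian system the same function can be fed the files matching /var/lib/apt/lists/*_Packages.

```shell
# Constructed excerpt of a Debian binary Packages index (sample data, not
# taken from any real archive). Built-Using records the source package and
# version that was statically linked into each binary.
SAMPLE_PACKAGES='Package: example-a
Version: 1.0-1
Built-Using: golang-golang-x-net (= 1:0.0+git20210119.5f4716e+dfsg-3), golang-go (= 2:1.15~1)

Package: example-b
Version: 2.0-1
Built-Using: golang-golang-x-net (= 1:0.0+git20210119.5f4716e+dfsg-4)

Package: example-c
Version: 3.0-1
Built-Using: golang-go (= 2:1.15~1)

Package: example-d
Version: 0.1-2
Depends: libc6'

# needs_rebuild SOURCE FIXED_VERSION
# Reads a Packages index on stdin and prints "binary<TAB>pinned-version" for
# every stanza whose Built-Using field pins SOURCE to a version other than
# FIXED_VERSION. Stanzas without Built-Using, or that only pin other sources,
# are ignored.
needs_rebuild() {
    awk -v src="$1" -v fixed="$2" '
        BEGIN { RS = ""; FS = "\n" }          # one stanza per record
        {
            pkg = ""; bu = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "Package: ") == 1)          pkg = substr($i, 10)
                else if (index($i, "Built-Using: ") == 1) bu = substr($i, 14)
            }
            if (pkg == "" || bu == "") next
            n = split(bu, deps, ", *")          # "src (= ver), src2 (= ver2)"
            for (j = 1; j <= n; j++) {
                name = deps[j]; sub(/ .*/, "", name)
                ver = deps[j]
                if (!sub(/^.*\(= */, "", ver)) continue   # not a "(= ver)" pin
                sub(/\)$/, "", ver)
                if (name == src && ver != fixed) print pkg "\t" ver
            }
        }'
}

# Example run against the constructed sample: only example-a is reported,
# because example-b already pins the fixed -4 revision.
printf '%s\n' "$SAMPLE_PACKAGES" | needs_rebuild golang-golang-x-net '1:0.0+git20210119.5f4716e+dfsg-4'
```

The check is deliberately "pinned to anything other than the fixed version", which is the right question after a security upload: a binary linked against any other revision carries that revision's copy of x/net/html. If a strict older-than test is wanted instead (for instance when several fixed revisions exist), pipe each reported version through dpkg --compare-versions "$ver" lt "$fixed" before acting on it.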
--- Begin Message ---
Unblocked.

--- End Message ---
