[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1106218: unblock: golang-golang-x-net/1:0.27.0-2

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: golang-golang-x-net@packages.debian.org
Control: affects -1 + src:golang-golang-x-net
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package golang-golang-x-net

[ Reason ]
The patch fixes a FTBFS due to a failing test (#1089192) and adds to
fixes for CVEs.

[ Impact ]
downstream build dependencies are affected by the CVEs and users can't
easily modify and build the package.

[ Tests ]
Recompiled a couple times with sbulid and ran autopkgtests to make sure
it work now.

[ Risks ]
Low, The skipped test has no impact compared to the version in testing
and the patches for the two CVEs are from upstream and applied without
problems.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
As this is a source only -dev package we probably need to recompile all
downstream build dependencies to make user the CVEs fixes are applied.

unblock golang-golang-x-net/1:0.27.0-2

diff --git a/debian/changelog b/debian/changelog
index c713a01..20fadd0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+golang-golang-x-net (1:0.27.0-2) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Ananthu C V ]
+  * Skip more publicsuffix tests (Closes: #1089192)
+
+  [ Jochen Sprickerhof ]
+  * Add patch for CVE-2025-22872 (Closes: #1103586)
+  * Add patch for CVE-2024-45338 (Closes: #1091168)
+
+ -- Jochen Sprickerhof <jspricke@debian.org>  Wed, 21 May 2025 14:16:51 +0200
+
 golang-golang-x-net (1:0.27.0-1) unstable; urgency=medium
 
   * New upstream version 0.27.0
diff --git a/debian/patches/0003-html-properly-handle-trailing-solidus-in-unquoted-at.patch b/debian/patches/0003-html-properly-handle-trailing-solidus-in-unquoted-at.patch
new file mode 100644
index 0000000..4eb0cec
--- /dev/null
+++ b/debian/patches/0003-html-properly-handle-trailing-solidus-in-unquoted-at.patch
@@ -0,0 +1,91 @@
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 24 Feb 2025 11:18:31 -0800
+Subject: html: properly handle trailing solidus in unquoted attribute value
+ in foreign content
+
+The parser properly treats tags like <p a=/> as <p a="/">, but the
+tokenizer emits the SelfClosingTagToken token incorrectly. When the
+parser is used to parse foreign content, this results in an incorrect
+DOM.
+
+Thanks to Sean Ng (https://ensy.zip) for reporting this issue.
+
+Fixes golang/go#73070
+Fixes CVE-2025-22872
+
+Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f
+Reviewed-on: https://go-review.googlesource.com/c/net/+/661256
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+---
+ html/token.go      | 18 ++++++++++++++++--
+ html/token_test.go | 18 ++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/html/token.go b/html/token.go
+index 3c57880..6598c1f 100644
+--- a/html/token.go
++++ b/html/token.go
+@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ 	if raw {
+ 		z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ 	}
+-	// Look for a self-closing token like "<br/>".
+-	if z.err == nil && z.buf[z.raw.end-2] == '/' {
++	// Look for a self-closing token (e.g. <br/>).
++	//
++	// Originally, we did this by just checking that the last character of the
++	// tag (ignoring the closing bracket) was a solidus (/) character, but this
++	// is not always accurate.
++	//
++	// We need to be careful that we don't misinterpret a non-self-closing tag
++	// as self-closing, as can happen if the tag contains unquoted attribute
++	// values (i.e. <p a=/>).
++	//
++	// To avoid this, we check that the last non-bracket character of the tag
++	// (z.raw.end-2) isn't the same character as the last non-quote character of
++	// the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++	// attributes.
++	nAttrs := len(z.attr)
++	if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ 		return SelfClosingTagToken
+ 	}
+ 	return StartTagToken
+diff --git a/html/token_test.go b/html/token_test.go
+index a36d112..44773f1 100644
+--- a/html/token_test.go
++++ b/html/token_test.go
+@@ -616,6 +616,16 @@ var tokenTests = []tokenTest{
+ 		`<p a/ ="">`,
+ 		`<p a="" =""="">`,
+ 	},
++	{
++		"slash at end of unquoted attribute value",
++		`<p a="\">`,
++		`<p a="\">`,
++	},
++	{
++		"self-closing tag with attribute",
++		`<p a=/>`,
++		`<p a="/">`,
++	},
+ }
+ 
+ func TestTokenizer(t *testing.T) {
+@@ -815,6 +825,14 @@ func TestReaderEdgeCases(t *testing.T) {
+ 	}
+ }
+ 
++func TestSelfClosingTagValueConfusion(t *testing.T) {
++	z := NewTokenizer(strings.NewReader(`<p a=/>`))
++	tok := z.Next()
++	if tok != StartTagToken {
++		t.Fatalf("unexpected token type: got %s, want %s", tok, StartTagToken)
++	}
++}
++
+ // zeroOneByteReader is like a strings.Reader that alternates between
+ // returning 0 bytes and 1 byte at a time.
+ type zeroOneByteReader struct {
diff --git a/debian/patches/0004-html-use-strings.EqualFold-instead-of-lowering-ourse.patch b/debian/patches/0004-html-use-strings.EqualFold-instead-of-lowering-ourse.patch
new file mode 100644
index 0000000..8c34cbb
--- /dev/null
+++ b/debian/patches/0004-html-use-strings.EqualFold-instead-of-lowering-ourse.patch
@@ -0,0 +1,76 @@
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 4 Dec 2024 09:35:55 -0800
+Subject: html: use strings.EqualFold instead of lowering ourselves
+
+Instead of using strings.ToLower and == to check case insensitive
+equality, just use strings.EqualFold, even when the strings are only
+ASCII. This prevents us unnecessarily lowering extremely long strings,
+which can be a somewhat expensive operation, even if we're only
+attempting to compare equality with five characters.
+
+Thanks to Guido Vranken for reporting this issue.
+
+Fixes golang/go#70906
+Fixes CVE-2024-45338
+
+Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
+Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+---
+ html/doctype.go | 2 +-
+ html/foreign.go | 3 +--
+ html/parse.go   | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/html/doctype.go b/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/html/doctype.go
++++ b/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ 			}
+ 		}
+ 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd"; {
++			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd";) {
+ 			quirks = true
+ 		}
+ 	}
+diff --git a/html/foreign.go b/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/html/foreign.go
++++ b/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ 		if n.Data == "annotation-xml" {
+ 			for _, a := range n.Attr {
+ 				if a.Key == "encoding" {
+-					val := strings.ToLower(a.Val)
+-					if val == "text/html" || val == "application/xhtml+xml" {
++					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ 						return true
+ 					}
+ 				}
+diff --git a/html/parse.go b/html/parse.go
+index 46a89ed..5b8374b 100644
+--- a/html/parse.go
++++ b/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+ 			if p.tok.DataAtom == a.Input {
+ 				for _, t := range p.tok.Attr {
+ 					if t.Key == "type" {
+-						if strings.ToLower(t.Val) == "hidden" {
++						if strings.EqualFold(t.Val, "hidden") {
+ 							// Skip setting framesetOK = false
+ 							return true
+ 						}
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+ 			return inHeadIM(p)
+ 		case a.Input:
+ 			for _, t := range p.tok.Attr {
+-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ 					p.addElement()
+ 					p.oe.pop()
+ 					return true
diff --git a/debian/patches/series b/debian/patches/series
index c4757ad..b1780b4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,4 @@
 publicsuffix.patch
+skip-publicsuffix-tests.patch
+0003-html-properly-handle-trailing-solidus-in-unquoted-at.patch
+0004-html-use-strings.EqualFold-instead-of-lowering-ourse.patch
diff --git a/debian/patches/skip-publicsuffix-tests.patch b/debian/patches/skip-publicsuffix-tests.patch
new file mode 100644
index 0000000..c536674
--- /dev/null
+++ b/debian/patches/skip-publicsuffix-tests.patch
@@ -0,0 +1,78 @@
+From: Maytham Alsudany <maytha8thedev@gmail.com>
+Date: Wed, 21 May 2025 10:45:21 +0200
+Subject: skip publicsuffix tests
+
+Bug-Debian: https://bugs.debian.org/1089192
+Forwarded: not-needed
+Last-Update: 2025-05-03
+
+These tests are hardcoded by upstream to check against parts of the test data,
+but break when the test data is regenerated from the latest publicsuffix data,
+which is constantly changing.
+
+This patch skips TestPublicSuffix, TestSlowPublicSuffix, TestNumICANNRules,
+ExamplePublicSuffix_manager, and TestICANN, which are all affected by this
+problem and resulted in test failures.
+---
+ publicsuffix/example_test.go | 4 +++-
+ publicsuffix/list_test.go    | 4 ++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/publicsuffix/example_test.go b/publicsuffix/example_test.go
+index c051dac..bc5f733 100644
+--- a/publicsuffix/example_test.go
++++ b/publicsuffix/example_test.go
+@@ -7,6 +7,7 @@ package publicsuffix_test
+ import (
+ 	"fmt"
+ 	"strings"
++	"testing"
+ 
+ 	"golang.org/x/net/publicsuffix"
+ )
+@@ -17,7 +18,8 @@ import (
+ // managed, or unmanaged (not explicitly in the PSL).
+ //
+ // See https://publicsuffix.org/ for the underlying PSL data.
+-func ExamplePublicSuffix_manager() {
++func ExamplePublicSuffix_manager(t *testing.T) {
++	t.SkipNow()
+ 	domains := []string{
+ 		"amazon.co.uk",
+ 		"books.amazon.co.uk",
+diff --git a/publicsuffix/list_test.go b/publicsuffix/list_test.go
+index 090c431..cf150ef 100644
+--- a/publicsuffix/list_test.go
++++ b/publicsuffix/list_test.go
+@@ -62,6 +62,7 @@ func TestFind(t *testing.T) {
+ }
+ 
+ func TestICANN(t *testing.T) {
++	t.SkipNow()
+ 	testCases := map[string]bool{
+ 		"foo.org":            true,
+ 		"foo.co.uk":          true,
+@@ -295,6 +296,7 @@ func BenchmarkPublicSuffix(b *testing.B) {
+ }
+ 
+ func TestPublicSuffix(t *testing.T) {
++	t.SkipNow()
+ 	for _, tc := range publicSuffixTestCases {
+ 		gotPS, gotICANN := PublicSuffix(tc.domain)
+ 		if gotPS != tc.wantPS || gotICANN != tc.wantICANN {
+@@ -304,6 +306,7 @@ func TestPublicSuffix(t *testing.T) {
+ }
+ 
+ func TestSlowPublicSuffix(t *testing.T) {
++	t.SkipNow()
+ 	for _, tc := range publicSuffixTestCases {
+ 		gotPS, gotICANN := slowPublicSuffix(tc.domain)
+ 		if gotPS != tc.wantPS || gotICANN != tc.wantICANN {
+@@ -313,6 +316,7 @@ func TestSlowPublicSuffix(t *testing.T) {
+ }
+ 
+ func TestNumICANNRules(t *testing.T) {
++	t.SkipNow()
+ 	if numICANNRules <= 0 {
+ 		t.Fatal("no ICANN rules")
+ 	}
Reply to: