
Bug#1106218: marked as done (unblock: golang-golang-x-net/1:0.27.0-2)



Your message dated Wed, 21 May 2025 19:55:45 +0000
with message-id <E1uHpXV-005VsX-2X@respighi.debian.org>
and subject line unblock golang-golang-x-net
has caused the Debian Bug report #1106218,
regarding unblock: golang-golang-x-net/1:0.27.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1106218: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106218
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: golang-golang-x-net@packages.debian.org
Control: affects -1 + src:golang-golang-x-net
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package golang-golang-x-net

[ Reason ]
The patch fixes a FTBFS due to a failing test (#1089192) and adds two
fixes for CVEs.

[ Impact ]
Downstream build dependencies are affected by the CVEs and users can't
easily modify and build the package.

[ Tests ]
Recompiled a couple of times with sbuild and ran autopkgtests to make sure
it works now.

[ Risks ]
Low. The skipped test has no impact compared to the version in testing
and the patches for the two CVEs are from upstream and applied without
problems.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
As this is a source-only -dev package we probably need to recompile all
downstream build dependencies to make sure the CVE fixes are applied.

unblock golang-golang-x-net/1:0.27.0-2
diff --git a/debian/changelog b/debian/changelog
index c713a01..20fadd0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+golang-golang-x-net (1:0.27.0-2) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Ananthu C V ]
+  * Skip more publicsuffix tests (Closes: #1089192)
+
+  [ Jochen Sprickerhof ]
+  * Add patch for CVE-2025-22872 (Closes: #1103586)
+  * Add patch for CVE-2024-45338 (Closes: #1091168)
+
+ -- Jochen Sprickerhof <jspricke@debian.org>  Wed, 21 May 2025 14:16:51 +0200
+
 golang-golang-x-net (1:0.27.0-1) unstable; urgency=medium
 
   * New upstream version 0.27.0
diff --git a/debian/patches/0003-html-properly-handle-trailing-solidus-in-unquoted-at.patch b/debian/patches/0003-html-properly-handle-trailing-solidus-in-unquoted-at.patch
new file mode 100644
index 0000000..4eb0cec
--- /dev/null
+++ b/debian/patches/0003-html-properly-handle-trailing-solidus-in-unquoted-at.patch
@@ -0,0 +1,91 @@
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 24 Feb 2025 11:18:31 -0800
+Subject: html: properly handle trailing solidus in unquoted attribute value
+ in foreign content
+
+The parser properly treats tags like <p a=/> as <p a="/">, but the
+tokenizer emits the SelfClosingTagToken token incorrectly. When the
+parser is used to parse foreign content, this results in an incorrect
+DOM.
+
+Thanks to Sean Ng (https://ensy.zip) for reporting this issue.
+
+Fixes golang/go#73070
+Fixes CVE-2025-22872
+
+Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f
+Reviewed-on: https://go-review.googlesource.com/c/net/+/661256
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+---
+ html/token.go      | 18 ++++++++++++++++--
+ html/token_test.go | 18 ++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/html/token.go b/html/token.go
+index 3c57880..6598c1f 100644
+--- a/html/token.go
++++ b/html/token.go
+@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ 	if raw {
+ 		z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ 	}
+-	// Look for a self-closing token like "<br/>".
+-	if z.err == nil && z.buf[z.raw.end-2] == '/' {
++	// Look for a self-closing token (e.g. <br/>).
++	//
++	// Originally, we did this by just checking that the last character of the
++	// tag (ignoring the closing bracket) was a solidus (/) character, but this
++	// is not always accurate.
++	//
++	// We need to be careful that we don't misinterpret a non-self-closing tag
++	// as self-closing, as can happen if the tag contains unquoted attribute
++	// values (i.e. <p a=/>).
++	//
++	// To avoid this, we check that the last non-bracket character of the tag
++	// (z.raw.end-2) isn't the same character as the last non-quote character of
++	// the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++	// attributes.
++	nAttrs := len(z.attr)
++	if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ 		return SelfClosingTagToken
+ 	}
+ 	return StartTagToken
+diff --git a/html/token_test.go b/html/token_test.go
+index a36d112..44773f1 100644
+--- a/html/token_test.go
++++ b/html/token_test.go
+@@ -616,6 +616,16 @@ var tokenTests = []tokenTest{
+ 		`<p a/ ="">`,
+ 		`<p a="" =""="">`,
+ 	},
++	{
++		"slash at end of unquoted attribute value",
++		`<p a="\">`,
++		`<p a="\">`,
++	},
++	{
++		"self-closing tag with attribute",
++		`<p a=/>`,
++		`<p a="/">`,
++	},
+ }
+ 
+ func TestTokenizer(t *testing.T) {
+@@ -815,6 +825,14 @@ func TestReaderEdgeCases(t *testing.T) {
+ 	}
+ }
+ 
++func TestSelfClosingTagValueConfusion(t *testing.T) {
++	z := NewTokenizer(strings.NewReader(`<p a=/>`))
++	tok := z.Next()
++	if tok != StartTagToken {
++		t.Fatalf("unexpected token type: got %s, want %s", tok, StartTagToken)
++	}
++}
++
+ // zeroOneByteReader is like a strings.Reader that alternates between
+ // returning 0 bytes and 1 byte at a time.
+ type zeroOneByteReader struct {
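Review bot: the header of this new patch file (lines with From/Date/Subject through Auto-Submit) carries only the git format-patch trailer and no DEP-3 `Origin:` or `Bug-Debian:` field, so nothing inside the file records that it is a cherry-pick of the Reviewed-on change or that it addresses #1103586 as the changelog claims; add `Origin: upstream, https://go-review.googlesource.com/c/net/+/661256` and `Bug-Debian: https://bugs.debian.org/1103586`, matching the style already used in skip-publicsuffix-tests.patch. Separately, the first added token test is named "slash at end of unquoted attribute value" but its input `<p a="\">` is a quoted value containing a backslash, not an unquoted value ending in a solidus, so either the name or the input is off (possibly a rendering artifact of this page); check it against the upstream commit before applying. The tokenizer change itself is sound: a trailing `/` that is also the final byte of the last attribute's value no longer yields SelfClosingTagToken, and TestSelfClosingTagValueConfusion pins exactly that for `<p a=/>`.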
diff --git a/debian/patches/0004-html-use-strings.EqualFold-instead-of-lowering-ourse.patch b/debian/patches/0004-html-use-strings.EqualFold-instead-of-lowering-ourse.patch
new file mode 100644
index 0000000..8c34cbb
--- /dev/null
+++ b/debian/patches/0004-html-use-strings.EqualFold-instead-of-lowering-ourse.patch
@@ -0,0 +1,76 @@
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 4 Dec 2024 09:35:55 -0800
+Subject: html: use strings.EqualFold instead of lowering ourselves
+
+Instead of using strings.ToLower and == to check case insensitive
+equality, just use strings.EqualFold, even when the strings are only
+ASCII. This prevents us unnecessarily lowering extremely long strings,
+which can be a somewhat expensive operation, even if we're only
+attempting to compare equality with five characters.
+
+Thanks to Guido Vranken for reporting this issue.
+
+Fixes golang/go#70906
+Fixes CVE-2024-45338
+
+Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
+Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+---
+ html/doctype.go | 2 +-
+ html/foreign.go | 3 +--
+ html/parse.go   | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/html/doctype.go b/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/html/doctype.go
++++ b/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ 			}
+ 		}
+ 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd"; {
++			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd";) {
+ 			quirks = true
+ 		}
+ 	}
+diff --git a/html/foreign.go b/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/html/foreign.go
++++ b/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ 		if n.Data == "annotation-xml" {
+ 			for _, a := range n.Attr {
+ 				if a.Key == "encoding" {
+-					val := strings.ToLower(a.Val)
+-					if val == "text/html" || val == "application/xhtml+xml" {
++					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ 						return true
+ 					}
+ 				}
+diff --git a/html/parse.go b/html/parse.go
+index 46a89ed..5b8374b 100644
+--- a/html/parse.go
++++ b/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+ 			if p.tok.DataAtom == a.Input {
+ 				for _, t := range p.tok.Attr {
+ 					if t.Key == "type" {
+-						if strings.ToLower(t.Val) == "hidden" {
++						if strings.EqualFold(t.Val, "hidden") {
+ 							// Skip setting framesetOK = false
+ 							return true
+ 						}
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+ 			return inHeadIM(p)
+ 		case a.Input:
+ 			for _, t := range p.tok.Attr {
+-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ 					p.addElement()
+ 					p.oe.pop()
+ 					return true
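Review bot: the two doctype.go lines as shown here read `...ibmxhtml1-transitional.dtd"; {` and `...ibmxhtml1-transitional.dtd";) {`, with a stray `;` after the closing quote on both the removed and the added line; that would not compile in Go, so it is almost certainly a rendering artifact of the mailing-list page, but confirm the patch file in the upload has `"...dtd" {` and `"...dtd") {` before it lands. As with the previous patch, the header has no `Origin:`/`Bug-Debian:` DEP-3 fields pointing at the Reviewed-on URL and #1091168. The substitutions themselves are straightforward: each `strings.ToLower(x) == "lit"` becomes `strings.EqualFold(x, "lit")`, which compares case-insensitively without first allocating a lowered copy of an attacker-sized attribute value, and the foreign.go change preserves the two-value check.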
diff --git a/debian/patches/series b/debian/patches/series
index c4757ad..b1780b4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,4 @@
 publicsuffix.patch
+skip-publicsuffix-tests.patch
+0003-html-properly-handle-trailing-solidus-in-unquoted-at.patch
+0004-html-use-strings.EqualFold-instead-of-lowering-ourse.patch
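Review bot: style point on naming: the series now mixes the unnumbered `skip-publicsuffix-tests.patch` with the numbered `0003-...` and `0004-...` files, and there is no `0002-` entry, so the filenames no longer reflect the application order; consider numbering the skip patch (for example `0002-skip-publicsuffix-tests.patch`) so a future quilt or gbp-pq refresh keeps the sequence obvious.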
diff --git a/debian/patches/skip-publicsuffix-tests.patch b/debian/patches/skip-publicsuffix-tests.patch
new file mode 100644
index 0000000..c536674
--- /dev/null
+++ b/debian/patches/skip-publicsuffix-tests.patch
@@ -0,0 +1,78 @@
+From: Maytham Alsudany <maytha8thedev@gmail.com>
+Date: Wed, 21 May 2025 10:45:21 +0200
+Subject: skip publicsuffix tests
+
+Bug-Debian: https://bugs.debian.org/1089192
+Forwarded: not-needed
+Last-Update: 2025-05-03
+
+These tests are hardcoded by upstream to check against parts of the test data,
+but break when the test data is regenerated from the latest publicsuffix data,
+which is constantly changing.
+
+This patch skips TestPublicSuffix, TestSlowPublicSuffix, TestNumICANNRules,
+ExamplePublicSuffix_manager, and TestICANN, which are all affected by this
+problem and resulted in test failures.
+---
+ publicsuffix/example_test.go | 4 +++-
+ publicsuffix/list_test.go    | 4 ++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/publicsuffix/example_test.go b/publicsuffix/example_test.go
+index c051dac..bc5f733 100644
+--- a/publicsuffix/example_test.go
++++ b/publicsuffix/example_test.go
+@@ -7,6 +7,7 @@ package publicsuffix_test
+ import (
+ 	"fmt"
+ 	"strings"
++	"testing"
+ 
+ 	"golang.org/x/net/publicsuffix"
+ )
+@@ -17,7 +18,8 @@ import (
+ // managed, or unmanaged (not explicitly in the PSL).
+ //
+ // See https://publicsuffix.org/ for the underlying PSL data.
+-func ExamplePublicSuffix_manager() {
++func ExamplePublicSuffix_manager(t *testing.T) {
++	t.SkipNow()
+ 	domains := []string{
+ 		"amazon.co.uk",
+ 		"books.amazon.co.uk",
+diff --git a/publicsuffix/list_test.go b/publicsuffix/list_test.go
+index 090c431..cf150ef 100644
+--- a/publicsuffix/list_test.go
++++ b/publicsuffix/list_test.go
+@@ -62,6 +62,7 @@ func TestFind(t *testing.T) {
+ }
+ 
+ func TestICANN(t *testing.T) {
++	t.SkipNow()
+ 	testCases := map[string]bool{
+ 		"foo.org":            true,
+ 		"foo.co.uk":          true,
+@@ -295,6 +296,7 @@ func BenchmarkPublicSuffix(b *testing.B) {
+ }
+ 
+ func TestPublicSuffix(t *testing.T) {
++	t.SkipNow()
+ 	for _, tc := range publicSuffixTestCases {
+ 		gotPS, gotICANN := PublicSuffix(tc.domain)
+ 		if gotPS != tc.wantPS || gotICANN != tc.wantICANN {
+@@ -304,6 +306,7 @@ func TestPublicSuffix(t *testing.T) {
+ }
+ 
+ func TestSlowPublicSuffix(t *testing.T) {
++	t.SkipNow()
+ 	for _, tc := range publicSuffixTestCases {
+ 		gotPS, gotICANN := slowPublicSuffix(tc.domain)
+ 		if gotPS != tc.wantPS || gotICANN != tc.wantICANN {
+@@ -313,6 +316,7 @@ func TestSlowPublicSuffix(t *testing.T) {
+ }
+ 
+ func TestNumICANNRules(t *testing.T) {
++	t.SkipNow()
+ 	if numICANNRules <= 0 {
+ 		t.Fatal("no ICANN rules")
+ 	}
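Review bot: the example_test.go change gives ExamplePublicSuffix_manager a `*testing.T` parameter, but Go example functions must be niladic: `go/doc` no longer recognises a function with parameters as an example, so `go test` silently stops running it (the added `t.SkipNow()` is never reached), and `go vet` reports "ExamplePublicSuffix_manager should be niladic", which would fail any build that runs the tests with vet enabled. The conventional way to disable an example without tripping vet is to keep the signature `func ExamplePublicSuffix_manager()` and remove or alter its `// Output:` comment if it has one (examples without an Output comment are compiled but not executed), or to rename the function so it no longer starts with `Example`; either option also removes the need for the added `"testing"` import. For the four Test functions in list_test.go, `t.Skip("publicsuffix test data is regenerated at build time; see #1089192")` instead of a bare `t.SkipNow()` would make the reason visible in `go test -v` output. Also, the patch header names Maytham Alsudany as author while the changelog credits Ananthu C V for the skip; make the attribution consistent.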

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
