Accepting request 1309824 from utilities

OBS-URL: https://build.opensuse.org/request/show/1309824
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/glow?expand=0&rev=8

fix-CVE-2025-47911_CVE-2025-58190.patch

@@ -0,0 +1,173 @@
+diff -rup vendor/golang.org/x/net/html/escape.go net-0.45.0/html/escape.go
+--- vendor/golang.org/x/net/html/escape.go	2025-05-30 14:58:41.000000000 +0200
++++ net-0.45.0/html/escape.go	2025-10-07 20:18:01.000000000 +0200
+@@ -299,7 +299,7 @@ func escape(w writer, s string) error {
+ 		case '\r':
+ 			esc = "
"
+ 		default:
+-			panic("unrecognized escape character")
++			panic("html: unrecognized escape character")
+ 		}
+ 		s = s[i+1:]
+ 		if _, err := w.WriteString(esc); err != nil {
+diff -rup vendor/golang.org/x/net/html/parse.go net-0.45.0/html/parse.go
+--- vendor/golang.org/x/net/html/parse.go	2025-05-30 14:58:41.000000000 +0200
++++ net-0.45.0/html/parse.go	2025-10-07 20:18:01.000000000 +0200
+@@ -136,7 +136,7 @@ func (p *parser) indexOfElementInScope(s
+ 					return -1
+ 				}
+ 			default:
+-				panic("unreachable")
++				panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s))
+ 			}
+ 		}
+ 		switch s {
+@@ -179,7 +179,7 @@ func (p *parser) clearStackToContext(s s
+ 				return
+ 			}
+ 		default:
+-			panic("unreachable")
++			panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s))
+ 		}
+ 	}
+ }
+@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
+ 	}
+ 
+ 	if n.Type == ElementNode {
+-		p.oe = append(p.oe, n)
++		p.insertOpenElement(n)
++	}
++}
++
++func (p *parser) insertOpenElement(n *Node) {
++	p.oe = append(p.oe, n)
++	if len(p.oe) > 512 {
++		panic("html: open stack of elements exceeds 512 nodes")
+ 	}
+ }
+ 
+@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
+ 			p.im = inFramesetIM
+ 			return true
+ 		case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
+-			p.oe = append(p.oe, p.head)
++			p.insertOpenElement(p.head)
+ 			defer p.oe.remove(p.head)
+ 			return inHeadIM(p)
+ 		case a.Head:
+@@ -1678,7 +1685,7 @@ func inTableBodyIM(p *parser) bool {
+ 	return inTableIM(p)
+ }
+ 
+-// Section 12.2.6.4.14.
++// Section 13.2.6.4.14.
+ func inRowIM(p *parser) bool {
+ 	switch p.tok.Type {
+ 	case StartTagToken:
+@@ -1690,7 +1697,9 @@ func inRowIM(p *parser) bool {
+ 			p.im = inCellIM
+ 			return true
+ 		case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr:
+-			if p.popUntil(tableScope, a.Tr) {
++			if p.elementInScope(tableScope, a.Tr) {
++				p.clearStackToContext(tableRowScope)
++				p.oe.pop()
+ 				p.im = inTableBodyIM
+ 				return false
+ 			}
+@@ -1700,22 +1709,28 @@ func inRowIM(p *parser) bool {
+ 	case EndTagToken:
+ 		switch p.tok.DataAtom {
+ 		case a.Tr:
+-			if p.popUntil(tableScope, a.Tr) {
++			if p.elementInScope(tableScope, a.Tr) {
++				p.clearStackToContext(tableRowScope)
++				p.oe.pop()
+ 				p.im = inTableBodyIM
+ 				return true
+ 			}
+ 			// Ignore the token.
+ 			return true
+ 		case a.Table:
+-			if p.popUntil(tableScope, a.Tr) {
++			if p.elementInScope(tableScope, a.Tr) {
++				p.clearStackToContext(tableRowScope)
++				p.oe.pop()
+ 				p.im = inTableBodyIM
+ 				return false
+ 			}
+ 			// Ignore the token.
+ 			return true
+ 		case a.Tbody, a.Tfoot, a.Thead:
+-			if p.elementInScope(tableScope, p.tok.DataAtom) {
+-				p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String())
++			if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) {
++				p.clearStackToContext(tableRowScope)
++				p.oe.pop()
++				p.im = inTableBodyIM
+ 				return false
+ 			}
+ 			// Ignore the token.
+@@ -2222,16 +2237,20 @@ func parseForeignContent(p *parser) bool
+ 			p.acknowledgeSelfClosingTag()
+ 		}
+ 	case EndTagToken:
++		if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) {
++			p.oe = p.oe[:len(p.oe)-1]
++			return true
++		}
+ 		for i := len(p.oe) - 1; i >= 0; i-- {
+-			if p.oe[i].Namespace == "" {
+-				return p.im(p)
+-			}
+ 			if strings.EqualFold(p.oe[i].Data, p.tok.Data) {
+ 				p.oe = p.oe[:i]
++				return true
++			}
++			if i > 0 && p.oe[i-1].Namespace == "" {
+ 				break
+ 			}
+ 		}
+-		return true
++		return p.im(p)
+ 	default:
+ 		// Ignore the token.
+ 	}
+@@ -2312,9 +2331,13 @@ func (p *parser) parseCurrentToken() {
+ 	}
+ }
+ 
+-func (p *parser) parse() error {
++func (p *parser) parse() (err error) {
++	defer func() {
++		if panicErr := recover(); panicErr != nil {
++			err = fmt.Errorf("%s", panicErr)
++		}
++	}()
+ 	// Iterate until EOF. Any other error will cause an early return.
+-	var err error
+ 	for err != io.EOF {
+ 		// CDATA sections are allowed only in foreign content.
+ 		n := p.oe.top()
+@@ -2343,6 +2366,8 @@ func (p *parser) parse() error {
+ // <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped,
+ // with no corresponding node in the resulting tree.
+ //
++// Parse will reject HTML that is nested deeper than 512 elements.
++//
+ // The input is assumed to be UTF-8 encoded.
+ func Parse(r io.Reader) (*Node, error) {
+ 	return ParseWithOptions(r)
+diff -rup vendor/golang.org/x/net/html/render.go net-0.45.0/html/render.go
+--- vendor/golang.org/x/net/html/render.go	2025-05-30 14:58:41.000000000 +0200
++++ net-0.45.0/html/render.go	2025-10-07 20:18:01.000000000 +0200
+@@ -184,7 +184,7 @@ func render1(w writer, n *Node) error {
+ 		return err
+ 	}
+ 
+-	// Add initial newline where there is danger of a newline beging ignored.
++	// Add initial newline where there is danger of a newline being ignored.
+ 	if c := n.FirstChild; c != nil && c.Type == TextNode && strings.HasPrefix(c.Data, "\n") {
+ 		switch n.Data {
+ 		case "pre", "listing", "textarea":

fix_cve_2025_22872.patch

@@ -1,56 +0,0 @@
-From e1fcd82abba34df74614020343be8eb1fe85f0d9 Mon Sep 17 00:00:00 2001
-From: Roland Shoemaker <roland@golang.org>
-Date: Mon, 24 Feb 2025 11:18:31 -0800
-Subject: [PATCH] html: properly handle trailing solidus in unquoted attribute
- value in foreign content
-
-The parser properly treats tags like <p a=/> as <p a="/">, but the
-tokenizer emits the SelfClosingTagToken token incorrectly. When the
-parser is used to parse foreign content, this results in an incorrect
-DOM.
-
-Thanks to Sean Ng (https://ensy.zip) for reporting this issue.
-
-Fixes golang/go#73070
-Fixes CVE-2025-22872
-
-Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f
-Reviewed-on: https://go-review.googlesource.com/c/net/+/661256
-Reviewed-by: Neal Patel <nealpatel@google.com>
-Reviewed-by: Roland Shoemaker <roland@golang.org>
-LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
-Auto-Submit: Gopher Robot <gobot@golang.org>
----
- html/token.go      | 18 ++++++++++++++++--
- html/token_test.go | 18 ++++++++++++++++++
- 2 files changed, 34 insertions(+), 2 deletions(-)
-
-diff --git a/html/token.go b/html/token.go
-index 3c57880d69..6598c1f7b3 100644
---- a/html/token.go
-+++ b/html/token.go
-@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
- 	if raw {
- 		z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
- 	}
--	// Look for a self-closing token like "<br/>".
--	if z.err == nil && z.buf[z.raw.end-2] == '/' {
-+	// Look for a self-closing token (e.g. <br/>).
-+	//
-+	// Originally, we did this by just checking that the last character of the
-+	// tag (ignoring the closing bracket) was a solidus (/) character, but this
-+	// is not always accurate.
-+	//
-+	// We need to be careful that we don't misinterpret a non-self-closing tag
-+	// as self-closing, as can happen if the tag contains unquoted attribute
-+	// values (i.e. <p a=/>).
-+	//
-+	// To avoid this, we check that the last non-bracket character of the tag
-+	// (z.raw.end-2) isn't the same character as the last non-quote character of
-+	// the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
-+	// attributes.
-+	nAttrs := len(z.attr)
-+	if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
- 		return SelfClosingTagToken
- 	}
- 	return StartTagToken

glow-2.1.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f1875a73ed81e5d8e6c81443e9a9d18bd9d1489c563c9fa2ff5425f2f8e2af6f
-size 509457

glow-2.1.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f13e1d6be1ab4baf725a7fedc4cd240fc7e5c7276af2d92f199e590e1ef33967
+size 510057

glow.changes

@@ -1,3 +1,33 @@
+-------------------------------------------------------------------
+Wed Oct  8 15:21:38 UTC 2025 - munix9@googlemail.com
+
+- Add fix-CVE-2025-47911_CVE-2025-58190.patch
+  * Fix "html: impose open element stack size limit"
+    - CVE-2025-47911 (gh#golang/go#75682) (bsc#1251462)
+    - https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d
+  * Fix "html: align in row insertion mode with spec"
+    - CVE-2025-58190 (gh#golang/go#70179) (bsc#1251720)
+    - https://github.com/golang/net/commit/6ec8895aa5f6594da7356da7d341b98133629009
+  * The patch was created using a diff from golang.org/x/net
+    version 0.40.0 to version 0.45.0
+
+-------------------------------------------------------------------
+Sun Jun  1 20:36:38 UTC 2025 - munix9@googlemail.com
+
+- Update to 2.1.1:
+  * fix all linting issues (@andreynering)
+  * watch for dir instead of file to work on all scenarios (#734)
+    (@Ktrod)
+  * handle case when selected md is nil (@MarkusBillharz)
+  * only show edit if documents are available (@MarkusBillharz)
+  * sync viewport on half page up/down to prevent duplicate strings
+    in render (#756) (@Ktrod)
+  * tui mode handling of remote urls (#744) (@glwbr)
+  * update .golangci.yml for v2 (@andreynering)
+
+- Remove fix_cve_2025_22872.patch (solved upstream)
+  * bump golang.org/x/net from 0.27.0 to 0.40.0
+
 -------------------------------------------------------------------
 Sun Apr 27 15:54:21 UTC 2025 - munix9@googlemail.com
 

glow.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package glow
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@
 %global _lto_cflags %nil
 
 Name:           glow
-Version:        2.1.0
+Version:        2.1.1
 Release:        0
 Summary:        Render markdown on the CLI
 License:        MIT
@@ -30,7 +30,7 @@ Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 # vendoring obtained by `osc service manualrun`. See README.suse-maint.md for details.
 Source1:        vendor.tar.zst
 Source2:        README.suse-maint.md
-Source3:        fix_cve_2025_22872.patch
+Source3:        fix-CVE-2025-47911_CVE-2025-58190.patch
 BuildRequires:  golang-packaging
 BuildRequires:  zstd
 BuildRequires:  golang(API) >= 1.23
@@ -77,39 +77,40 @@ BuildArch:      noarch
 Zsh command-line completion support for %{name}.
 
 %prep
-%autosetup -p1 -a1
+%autosetup -a1 -p1
 patch -d vendor/golang.org/x/net/ -p1 -i %{SOURCE3}
 
 %build
-%ifarch ppc64
-BUILDMOD=""
-%else
+%ifnarch ppc64
 BUILDMOD="-buildmode=pie"
 %endif
 export CGO_CFLAGS="%{optflags}"
 export CGO_CXXFLAGS="%{optflags}"
 export CGO_CPPFLAGS="%{optflags}"
-go build -v -x -mod=vendor $BUILDMOD -a -ldflags "-s -X main.Version=%{version}"
+export GOFLAGS="-mod=vendor $BUILDMOD -trimpath -ldflags=-linkmode=external"
+mkdir -p build
+go build -v -ldflags "-s -X main.Version=%{version}" -o build .
 
 %install
-install -Dm755 %{name} %{buildroot}%{_bindir}/%{name}
+install -D -m 0755 -t %{buildroot}%{_bindir} build/%{name}
 
 # man page (and fix date)
 install -d -m 0755 %{buildroot}%{_mandir}/man1
-_date1=$(date '+%%F')
-_date2=$(date -u -d@$SOURCE_DATE_EPOCH '+%%F')
-./%{name} man | sed -e "s/$_date1/$_date2/g" > %{buildroot}%{_mandir}/man1/%{name}.1
+_d="$(date -u -d@$SOURCE_DATE_EPOCH '+%%B %%Y')"
+./build/%{name} man | \
+  sed -e "s/^\.TH GLOW 1 \".*\" \"glow/.TH GLOW 1 \"$_d\" \"glow %{version}/" \
+  > %{buildroot}%{_mandir}/man1/%{name}.1
 
 # Completions
-for sh in bash zsh fish; do
-  ./%{name} completion $sh > %{name}.${sh}
+for sh in bash fish zsh; do
+  ./build/%{name} completion $sh > %{name}.${sh}
 done
-install -Dm644 %{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
-install -Dm644 %{name}.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
-install -Dm644 %{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}.fish
+install -D -m 0644 %{name}.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
+install -D -m 0644 %{name}.fish %{buildroot}%{_datadir}/fish/vendor_completions.d/%{name}.fish
+install -D -m 0644 %{name}.zsh  %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
 
 %check
-./%{name} --version
+./build/%{name} --version
 # Skip TestGlowSources and TestURLParser as they can both fail without internet.
 go test -v ./... -skip 'TestGlowSources|TestURLParser'
 

vendor.tar.zst

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c95a9b1c64eaa14b495a6a9bf1b2bf7bb8a1a2b459319fb3b58fbfb6284e9fd3
-size 2740449
+oid sha256:d4ea0d1833d083e28e94dabf10a6ce422fe5ea29a9bddf2e676ce6423101fa12
+size 2848055