Accepting request 1321752 from Cloud:Tools

- Update to version 20251202.00
  * Revert "Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.5 (#887)" (#893) (forwarded request 1321685 from glaubitz)

OBS-URL: https://build.opensuse.org/request/show/1321752
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/google-osconfig-agent?expand=0&rev=46

CVE-2025-47911.patch

@@ -0,0 +1,98 @@
+From c217fe54b033f05ca89b931c1650738a68914f30 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 29 Sep 2025 16:33:18 -0700
+Subject: [PATCH 2/2] html: impose open element stack size limit
+
+The HTML specification contains a number of algorithms which are
+quadratic in complexity by design. Instead of adding complicated
+workarounds to prevent these cases from becoming extremely expensive in
+pathological cases, we impose a limit of 512 to the size of the stack of
+open elements. It is extremely unlikely that non-adversarial HTML
+documents will ever hit this limit (but if we see cases of this, we may
+want to make the limit configurable via a ParseOption).
+
+Thanks to Guido Vranken and Jakub Ciolek for both independently
+reporting this issue.
+
+Fixes CVE-2025-47911
+Fixes golang/go#75682
+
+Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
+Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+---
+ html/escape.go |  2 +-
+ html/parse.go  | 21 +++++++++++++++++----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/html/escape.go b/html/escape.go
+index 04c6bec..12f2273 100644
+--- a/html/escape.go
++++ b/html/escape.go
+@@ -299,7 +299,7 @@ func escape(w writer, s string) error {
+ 		case '\r':
+ 			esc = "&#13;"
+ 		default:
+-			panic("unrecognized escape character")
++			panic("html: unrecognized escape character")
+ 		}
+ 		s = s[i+1:]
+ 		if _, err := w.WriteString(esc); err != nil {
+diff --git a/html/parse.go b/html/parse.go
+index 722e927..88fc005 100644
+--- a/html/parse.go
++++ b/html/parse.go
+@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
+ 	}
+ 
+ 	if n.Type == ElementNode {
+-		p.oe = append(p.oe, n)
++		p.insertOpenElement(n)
++	}
++}
++
++func (p *parser) insertOpenElement(n *Node) {
++	p.oe = append(p.oe, n)
++	if len(p.oe) > 512 {
++		panic("html: open stack of elements exceeds 512 nodes")
+ 	}
+ }
+ 
+@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
+ 			p.im = inFramesetIM
+ 			return true
+ 		case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
+-			p.oe = append(p.oe, p.head)
++			p.insertOpenElement(p.head)
+ 			defer p.oe.remove(p.head)
+ 			return inHeadIM(p)
+ 		case a.Head:
+@@ -2324,9 +2331,13 @@ func (p *parser) parseCurrentToken() {
+ 	}
+ }
+ 
+-func (p *parser) parse() error {
++func (p *parser) parse() (err error) {
++	defer func() {
++		if panicErr := recover(); panicErr != nil {
++			err = fmt.Errorf("%s", panicErr)
++		}
++	}()
+ 	// Iterate until EOF. Any other error will cause an early return.
+-	var err error
+ 	for err != io.EOF {
+ 		// CDATA sections are allowed only in foreign content.
+ 		n := p.oe.top()
+@@ -2355,6 +2366,8 @@ func (p *parser) parse() error {
+ // <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped,
+ // with no corresponding node in the resulting tree.
+ //
++// Parse will reject HTML that is nested deeper than 512 elements.
++//
+ // The input is assumed to be UTF-8 encoded.
+ func Parse(r io.Reader) (*Node, error) {
+ 	return ParseWithOptions(r)
+-- 
+2.51.0
+

CVE-2025-58190.patch

@@ -0,0 +1,124 @@
+From 6265ff02c00c9911070d6742bb140d1f30126997 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 29 Sep 2025 19:38:24 -0700
+Subject: [PATCH 1/2] html: align in row insertion mode with spec
+
+Update inRowIM to match the HTML specification. This fixes an issue
+where a specific HTML document could cause the parser to enter an
+infinite loop when trying to parse a </tbody> and implied </tr> next to
+each other.
+
+Fixes CVE-2025-58190
+Fixes golang/go#70179
+
+Change-Id: Idcb133c87c7d475cc8c7eb1f1550ea21d8bdddea
+Reviewed-on: https://go-review.googlesource.com/c/net/+/709875
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+---
+ html/parse.go | 36 ++++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/html/parse.go b/html/parse.go
+index 518ee4c..722e927 100644
+--- a/html/parse.go
++++ b/html/parse.go
+@@ -136,7 +136,7 @@ func (p *parser) indexOfElementInScope(s scope, matchTags ...a.Atom) int {
+ 					return -1
+ 				}
+ 			default:
+-				panic("unreachable")
++				panic(fmt.Sprintf("html: internal error: indexOfElementInScope unknown scope: %d", s))
+ 			}
+ 		}
+ 		switch s {
+@@ -179,7 +179,7 @@ func (p *parser) clearStackToContext(s scope) {
+ 				return
+ 			}
+ 		default:
+-			panic("unreachable")
++			panic(fmt.Sprintf("html: internal error: clearStackToContext unknown scope: %d", s))
+ 		}
+ 	}
+ }
+@@ -1678,7 +1678,7 @@ func inTableBodyIM(p *parser) bool {
+ 	return inTableIM(p)
+ }
+ 
+-// Section 12.2.6.4.14.
++// Section 13.2.6.4.14.
+ func inRowIM(p *parser) bool {
+ 	switch p.tok.Type {
+ 	case StartTagToken:
+@@ -1690,7 +1690,9 @@ func inRowIM(p *parser) bool {
+ 			p.im = inCellIM
+ 			return true
+ 		case a.Caption, a.Col, a.Colgroup, a.Tbody, a.Tfoot, a.Thead, a.Tr:
+-			if p.popUntil(tableScope, a.Tr) {
++			if p.elementInScope(tableScope, a.Tr) {
++				p.clearStackToContext(tableRowScope)
++				p.oe.pop()
+ 				p.im = inTableBodyIM
+ 				return false
+ 			}
+@@ -1700,22 +1702,28 @@ func inRowIM(p *parser) bool {
+ 	case EndTagToken:
+ 		switch p.tok.DataAtom {
+ 		case a.Tr:
+-			if p.popUntil(tableScope, a.Tr) {
++			if p.elementInScope(tableScope, a.Tr) {
++				p.clearStackToContext(tableRowScope)
++				p.oe.pop()
+ 				p.im = inTableBodyIM
+ 				return true
+ 			}
+ 			// Ignore the token.
+ 			return true
+ 		case a.Table:
+-			if p.popUntil(tableScope, a.Tr) {
++			if p.elementInScope(tableScope, a.Tr) {
++				p.clearStackToContext(tableRowScope)
++				p.oe.pop()
+ 				p.im = inTableBodyIM
+ 				return false
+ 			}
+ 			// Ignore the token.
+ 			return true
+ 		case a.Tbody, a.Tfoot, a.Thead:
+-			if p.elementInScope(tableScope, p.tok.DataAtom) {
+-				p.parseImpliedToken(EndTagToken, a.Tr, a.Tr.String())
++			if p.elementInScope(tableScope, p.tok.DataAtom) && p.elementInScope(tableScope, a.Tr) {
++				p.clearStackToContext(tableRowScope)
++				p.oe.pop()
++				p.im = inTableBodyIM
+ 				return false
+ 			}
+ 			// Ignore the token.
+@@ -2222,16 +2230,20 @@ func parseForeignContent(p *parser) bool {
+ 			p.acknowledgeSelfClosingTag()
+ 		}
+ 	case EndTagToken:
++		if strings.EqualFold(p.oe[len(p.oe)-1].Data, p.tok.Data) {
++			p.oe = p.oe[:len(p.oe)-1]
++			return true
++		}
+ 		for i := len(p.oe) - 1; i >= 0; i-- {
+-			if p.oe[i].Namespace == "" {
+-				return p.im(p)
+-			}
+ 			if strings.EqualFold(p.oe[i].Data, p.tok.Data) {
+ 				p.oe = p.oe[:i]
++				return true
++			}
++			if i > 0 && p.oe[i-1].Namespace == "" {
+ 				break
+ 			}
+ 		}
+-		return true
++		return p.im(p)
+ 	default:
+ 		// Ignore the token.
+ 	}
+-- 
+2.51.0
+

_service

@@ -3,8 +3,8 @@
     <param name="url">https://github.com/GoogleCloudPlatform/osconfig</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">20250729.00</param>
-    <param name="revision">20250729.00</param>
+    <param name="versionformat">20251202.00</param>
+    <param name="revision">20251202.00</param>
     <param name="changesgenerate">enable</param>
   </service>
   <service name="recompress" mode="disabled">
@@ -15,6 +15,6 @@
     <param name="basename">osconfig</param>
   </service>
   <service name="go_modules" mode="disabled">
-    <param name="archive">osconfig-20250729.00.tar.gz</param>
+    <param name="archive">osconfig-20251202.00.tar.gz</param>
   </service>
 </services>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/GoogleCloudPlatform/osconfig</param>
-              <param name="changesrevision">6d3741d26882e1585233a875d67f466904b2ba0c</param></service></servicedata>
+              <param name="changesrevision">23ea43baf55074943d56b1e141eefd7b7b3983d7</param></service></servicedata>

google-osconfig-agent.changes

@@ -1,3 +1,76 @@
+-------------------------------------------------------------------
+Tue Dec  9 08:38:50 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 20251202.00
+  * Revert "Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.5 (#887)" (#893)
+
+-------------------------------------------------------------------
+Tue Dec  2 12:47:38 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 20251201.00
+  * Revert "Bump github.com/containerd/containerd (#890)" (#892)
+
+-------------------------------------------------------------------
+Thu Nov 27 10:31:37 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 20251126.00
+  * Bump github.com/containerd/containerd (#890)
+  * Bump github.com/spdx/tools-golang from 0.5.3 to 0.5.5 (#887)
+
+-------------------------------------------------------------------
+Fri Nov  7 11:04:38 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 20251028.00
+  * Bump go.opentelemetry.io/otel/sdk/metric from 1.35.0 to 1.38.0 (#886)
+  * Bump github.com/tidwall/pretty from 1.2.0 to 1.2.1 (#880)
+- from version 20251023.02
+  * Create multiple_os.yaml (#883)
+- from version 20251023.00
+  * Bump github.com/docker/go-connections from 0.4.0 to 0.6.0 (#877)
+  * Add test runner for e2e tests (#876)
+- Reword previous changelog entry so that the added patches are accepted
+
+-------------------------------------------------------------------
+Tue Oct 14 10:56:31 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 20250925.00
+  * Bump cloud.google.com/go/auth/oauth2adapt from 0.2.7 to 0.2.8 (#870)
+  * Bump google.golang.org/protobuf from 1.36.6 to 1.36.9 (#874)
+  * Bump go.opentelemetry.io/otel from 1.35.0 to 1.38.0 (#872)
+  * Bump github.com/golang/glog from 1.2.4 to 1.2.5 (#830)
+
+-------------------------------------------------------------------
+Wed Oct  8 16:20:08 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Add CVE-2025-47911.patch to fix an issue in the HTML parser where a large
+  number of open elements can cause the parser to become extremely slow by
+  limiting the stack size of open elements (bsc#1251453, CVE-2025-47911)
+- Add CVE-2025-58190.patch to fix an issue in the HTML parser where a specific
+  HTML document can cause the parser to enter an infinite loop when trying
+  to parse a </tbody> and implied </tr> next to each other.
+  (bsc#1251704, CVE-2025-58190)
+
+-------------------------------------------------------------------
+Tue Sep 16 12:12:32 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to version 20250902.01
+  * Bump github.com/googleapis/enterprise-certificate-proxy (#829)
+- from version 20250902.00
+  * update github.com/go-jose/go-jose/v4 (#869)
+  * Upgrade scalibr and other deps (#866)
+- from version 20250901.00
+  * Fix possibility of path traversal for zip and tar archival (#868)
+- from version 20250825.00
+  * set CODEOWNERS file as required by org (#863)
+- from version 20250819.00
+  * Fix/rhel10 build centos image (#860)
+- from version 20250814.00
+  * Fix/rhel10 build image (#859)
+- from version 20250813.00
+  * Fix: Add RHEL 10 support to RPM startup script (#858)
+- from version 20250811.00
+  * Remove old/sles-15-sp4-sap as image is deprecated (#857)
+
 -------------------------------------------------------------------
 Mon Aug 11 13:30:16 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
 

google-osconfig-agent.spec

@@ -24,7 +24,7 @@
 %global import_path     %{provider_prefix}
 
 Name:           google-osconfig-agent
-Version:        20250729.00
+Version:        20251202.00
 Release:        0
 Summary:        Google Cloud Guest Agent
 License:        Apache-2.0
@@ -33,6 +33,8 @@ URL:            https://%{provider_prefix}
 Source0:        %{repo}-%{version}.tar.gz
 Source1:        vendor.tar.gz
 Source2:        rpmlintrc
+Patch0:         CVE-2025-47911.patch
+Patch1:         CVE-2025-58190.patch
 BuildRequires:  golang(API) >= 1.22.4
 BuildRequires:  golang-packaging
 Requires:       google-guest-configs
@@ -49,6 +51,10 @@ Google Cloud OSConfig Agent
 %prep
 %setup -q -n %{repo}-%{version}
 %setup -q -D -T -a 1 -n %{repo}-%{version}
+pushd vendor/golang.org/x/net
+%patch -P0 -p1
+%patch -P1 -p1
+popd
 
 %build
 %goprep %{import_path}

osconfig-20250729.00.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3055365614a7250f6eb12145ae0bce915eecb425d67789d9ff7f76c672ad8839
-size 467750

osconfig-20251202.00.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c8f033021a9fa2a2b94917c43e01483ea9123ce8af054e9bcc9eecdd3e729a6f
+size 471280

vendor.tar.gz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c9fc74a939c81f6ff90b1f89ef73e32aef451ea898743eba57a96562eed7b88c
-size 13568437
+oid sha256:37eb0edd17d93fb205b80aa8c7927929295bbee682cfffe4fef6e3e73e24a15b
+size 14010576