Skip to content

[AutoPR- Security] Patch cri-o for CVE-2025-47911 [MEDIUM] #15890

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
LeoMar4 merged 1 commit into from
Feb 19, 2026
+105 −1
Merged

[AutoPR- Security] Patch cri-o for CVE-2025-47911 [MEDIUM] #15890

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
100 changes: 100 additions & 0 deletions SPECS/cri-o/CVE-2025-47911.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
From 8dae40342c949044130b53f6f191cae0608c1296 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Mon, 29 Sep 2025 16:33:18 -0700
Subject: [PATCH] html: impose open element stack size limit

The HTML specification contains a number of algorithms which are
quadratic in complexity by design. Instead of adding complicated
workarounds to prevent these cases from becoming extremely expensive in
pathological cases, we impose a limit of 512 to the size of the stack of
open elements. It is extremely unlikely that non-adversarial HTML
documents will ever hit this limit (but if we see cases of this, we may
want to make the limit configurable via a ParseOption).

Thanks to Guido Vranken and Jakub Ciolek for both independently
reporting this issue.

Fixes CVE-2025-47911
Fixes golang/go#75682

Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d.patch
---
vendor/golang.org/x/net/html/escape.go | 2 +-
vendor/golang.org/x/net/html/parse.go | 21 +++++++++++++++++----
2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go
index d856139..8edd4c4 100644
--- a/vendor/golang.org/x/net/html/escape.go
+++ b/vendor/golang.org/x/net/html/escape.go
@@ -218,7 +218,7 @@ func escape(w writer, s string) error {
case '\r':
esc = "&#13;"
default:
- panic("unrecognized escape character")
+ panic("html: unrecognized escape character")
}
s = s[i+1:]
if _, err := w.WriteString(esc); err != nil {
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index cb012d8..5ee787f 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
}

if n.Type == ElementNode {
- p.oe = append(p.oe, n)
+ p.insertOpenElement(n)
+ }
+}
+
+func (p *parser) insertOpenElement(n *Node) {
+ p.oe = append(p.oe, n)
+ if len(p.oe) > 512 {
+ panic("html: open stack of elements exceeds 512 nodes")
}
}

@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
p.im = inFramesetIM
return true
case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
- p.oe = append(p.oe, p.head)
+ p.insertOpenElement(p.head)
defer p.oe.remove(p.head)
return inHeadIM(p)
case a.Head:
@@ -2308,9 +2315,13 @@ func (p *parser) parseCurrentToken() {
}
}

-func (p *parser) parse() error {
+func (p *parser) parse() (err error) {
+ defer func() {
+ if panicErr := recover(); panicErr != nil {
+ err = fmt.Errorf("%s", panicErr)
+ }
+ }()
// Iterate until EOF. Any other error will cause an early return.
- var err error
for err != io.EOF {
// CDATA sections are allowed only in foreign content.
n := p.oe.top()
@@ -2339,6 +2350,8 @@ func (p *parser) parse() error {
// <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped,
// with no corresponding node in the resulting tree.
//
+// Parse will reject HTML that is nested deeper than 512 elements.
+//
// The input is assumed to be UTF-8 encoded.
func Parse(r io.Reader) (*Node, error) {
return ParseWithOptions(r)
--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/cri-o/cri-o.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa
# Define macros for further referenced sources
Name: cri-o
Version: 1.22.3
Release: 19%{?dist}
Release: 20%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -81,6 +81,7 @@ Patch25: CVE-2025-58058.patch
Patch26: CVE-2025-58183.patch
Patch27: CVE-2025-65637.patch
Patch28: CVE-2025-11065.patch
Patch29: CVE-2025-47911.patch
BuildRequires: btrfs-progs-devel
BuildRequires: device-mapper-devel
BuildRequires: fdupes
Expand Down Expand Up @@ -231,6 +232,9 @@ mkdir -p /opt/cni/bin
%{_fillupdir}/sysconfig.kubelet

%changelog
* Wed Feb 18 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.22.3-20
- Patch for CVE-2025-47911

* Tue Feb 03 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.22.3-19
- Patch for CVE-2025-11065

Expand Down
Loading