Skip to content

[AutoPR- Security] Patch gh for CVE-2025-47911 [MEDIUM] #15902

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
LeoMar4 merged 2 commits into from
Feb 19, 2026
+106 −4
Merged

[AutoPR- Security] Patch gh for CVE-2025-47911 [MEDIUM] #15902

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
51d1acf
Patch gh for CVE-2025-47911
azurelinux-security Feb 18, 2026
90e377e
Refactor prep section in gh.spec
Kanishk-Bansal Feb 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
100 changes: 100 additions & 0 deletions SPECS/gh/CVE-2025-47911.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
From fdf20550de48f3ed89d37ca47e5836eef14c5792 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Mon, 29 Sep 2025 16:33:18 -0700
Subject: [PATCH] html: impose open element stack size limit

The HTML specification contains a number of algorithms which are
quadratic in complexity by design. Instead of adding complicated
workarounds to prevent these cases from becoming extremely expensive in
pathological cases, we impose a limit of 512 to the size of the stack of
open elements. It is extremely unlikely that non-adversarial HTML
documents will ever hit this limit (but if we see cases of this, we may
want to make the limit configurable via a ParseOption).

Thanks to Guido Vranken and Jakub Ciolek for both independently
reporting this issue.

Fixes CVE-2025-47911
Fixes golang/go#75682

Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d.patch
---
vendor/golang.org/x/net/html/escape.go | 2 +-
vendor/golang.org/x/net/html/parse.go | 21 +++++++++++++++++----
2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go
index d856139..8edd4c4 100644
--- a/vendor/golang.org/x/net/html/escape.go
+++ b/vendor/golang.org/x/net/html/escape.go
@@ -218,7 +218,7 @@ func escape(w writer, s string) error {
case '\r':
esc = "&#13;"
default:
- panic("unrecognized escape character")
+ panic("html: unrecognized escape character")
}
s = s[i+1:]
if _, err := w.WriteString(esc); err != nil {
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index cb012d8..5ee787f 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
}

if n.Type == ElementNode {
- p.oe = append(p.oe, n)
+ p.insertOpenElement(n)
+ }
+}
+
+func (p *parser) insertOpenElement(n *Node) {
+ p.oe = append(p.oe, n)
+ if len(p.oe) > 512 {
+ panic("html: open stack of elements exceeds 512 nodes")
}
}

@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
p.im = inFramesetIM
return true
case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
- p.oe = append(p.oe, p.head)
+ p.insertOpenElement(p.head)
defer p.oe.remove(p.head)
return inHeadIM(p)
case a.Head:
@@ -2308,9 +2315,13 @@ func (p *parser) parseCurrentToken() {
}
}

-func (p *parser) parse() error {
+func (p *parser) parse() (err error) {
+ defer func() {
+ if panicErr := recover(); panicErr != nil {
+ err = fmt.Errorf("%s", panicErr)
+ }
+ }()
// Iterate until EOF. Any other error will cause an early return.
- var err error
for err != io.EOF {
// CDATA sections are allowed only in foreign content.
n := p.oe.top()
@@ -2339,6 +2350,8 @@ func (p *parser) parse() error {
// <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped,
// with no corresponding node in the resulting tree.
//
+// Parse will reject HTML that is nested deeper than 512 elements.
+//
// The input is assumed to be UTF-8 encoded.
func Parse(r io.Reader) (*Node, error) {
return ParseWithOptions(r)
--
2.45.4

10 changes: 6 additions & 4 deletions SPECS/gh/gh.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Summary: GitHub official command line tool
Name: gh
Version: 2.13.0
Release: 25%{?dist}
Release: 26%{?dist}
License: MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Expand Down Expand Up @@ -33,6 +33,7 @@ Patch1: CVE-2021-43565.patch
Patch2: CVE-2022-32149.patch
Patch3: CVE-2024-54132.patch
Patch4: CVE-2024-45338.patch
Patch5: CVE-2025-47911.patch

BuildRequires: golang
BuildRequires: git
Expand All @@ -44,9 +45,7 @@ Requires: git
GitHub official command line tool.

%prep
%setup -q -n cli-%{version}
tar --no-same-owner -xf %{SOURCE1}
%autopatch -p1
%autosetup -p1 -n cli-%{version} -a1

%build
export GOPATH=%{our_gopath}
Expand Down Expand Up @@ -77,6 +76,9 @@ make test
%{_datadir}/zsh/site-functions/_gh

%changelog
* Wed Feb 18 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.13.0-26
- Patch for CVE-2025-47911

* Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 2.13.0-25
- Bump release to rebuild with golang

Expand Down
Loading