From 859cec58820ddcd0bca2be9acfe7659a7631dd85 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Wed, 18 Feb 2026 08:32:17 +0000
Subject: [PATCH] Patch cri-o for CVE-2025-47911
---
 SPECS/cri-o/CVE-2025-47911.patch | 100 +++++++++++++++++++++++++++++++
 SPECS/cri-o/cri-o.spec | 6 +-
 2 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/cri-o/CVE-2025-47911.patch
diff --git a/SPECS/cri-o/CVE-2025-47911.patch b/SPECS/cri-o/CVE-2025-47911.patch
new file mode 100644
index 00000000000..1b5782a8d8a
--- /dev/null
+++ b/SPECS/cri-o/CVE-2025-47911.patch
@@ -0,0 +1,100 @@
+From 8dae40342c949044130b53f6f191cae0608c1296 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Mon, 29 Sep 2025 16:33:18 -0700
+Subject: [PATCH] html: impose open element stack size limit
+
+The HTML specification contains a number of algorithms which are
+quadratic in complexity by design. Instead of adding complicated
+workarounds to prevent these cases from becoming extremely expensive in
+pathological cases, we impose a limit of 512 to the size of the stack of
+open elements. It is extremely unlikely that non-adversarial HTML
+documents will ever hit this limit (but if we see cases of this, we may
+want to make the limit configurable via a ParseOption).
+
+Thanks to Guido Vranken and Jakub Ciolek for both independently
+reporting this issue.
+
+Fixes CVE-2025-47911
+Fixes golang/go#75682
+
+Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
+Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
+Reviewed-by: Damien Neil
+LUCI-TryBot-Result: Go LUCI
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d.patch
+---
+ vendor/golang.org/x/net/html/escape.go | 2 +-
+ vendor/golang.org/x/net/html/parse.go | 21 +++++++++++++++++----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go
+index d856139..8edd4c4 100644
+--- a/vendor/golang.org/x/net/html/escape.go
++++ b/vendor/golang.org/x/net/html/escape.go
+@@ -218,7 +218,7 @@ func escape(w writer, s string) error {
+ case '\r':
+ esc = " "
+ default:
+- panic("unrecognized escape character")
++ panic("html: unrecognized escape character")
+ }
+ s = s[i+1:]
+ if _, err := w.WriteString(esc); err != nil {
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index cb012d8..5ee787f 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
+ }
+
+ if n.Type == ElementNode {
+- p.oe = append(p.oe, n)
++ p.insertOpenElement(n)
++ }
++}
++
++func (p *parser) insertOpenElement(n *Node) {
++ p.oe = append(p.oe, n)
++ if len(p.oe) > 512 {
++ panic("html: open stack of elements exceeds 512 nodes")
+ }
+ }
+
+@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
+ p.im = inFramesetIM
+ return true
+ case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
+- p.oe = append(p.oe, p.head)
++ p.insertOpenElement(p.head)
+ defer p.oe.remove(p.head)
+ return inHeadIM(p)
+ case a.Head:
+@@ -2308,9 +2315,13 @@ func (p *parser) parseCurrentToken() {
+ }
+ }
+
+-func (p *parser) parse() error {
++func (p *parser) parse() (err error) {
++ defer func() {
++ if panicErr := recover(); panicErr != nil {
++ err = fmt.Errorf("%s", panicErr)
++ }
++ }()
+ // Iterate until EOF. Any other error will cause an early return.
+- var err error
+ for err != io.EOF {
+ // CDATA sections are allowed only in foreign content.
+ n := p.oe.top()
+@@ -2339,6 +2350,8 @@ func (p *parser) parse() error {
+ // s. Conversely, explicit s in r's data can be silently dropped,
+ // with no corresponding node in the resulting tree.
+ //
++// Parse will reject HTML that is nested deeper than 512 elements.
++//
+ // The input is assumed to be UTF-8 encoded.
+ func Parse(r io.Reader) (*Node, error) {
+ return ParseWithOptions(r)
+-- 
+2.45.4
+
diff --git a/SPECS/cri-o/cri-o.spec b/SPECS/cri-o/cri-o.spec
index d1d7ca0b4c6..69f0bd7a729 100644
--- a/SPECS/cri-o/cri-o.spec
+++ b/SPECS/cri-o/cri-o.spec
@@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa
 # Define macros for further referenced sources
 Name: cri-o
 Version: 1.22.3
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
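Review bot: The deferred `recover()` added to `parse()` in the third parse.go hunk of this backported patch turns every panic raised anywhere in the parser into a returned error, and `fmt.Errorf("%s", panicErr)` flattens the recovered value to a plain string, so a caller cannot use `errors.Is`/`errors.As` to tell the 512-element rejection apart from any other failure, including a runtime error that previously surfaced as a crash and now looks like malformed input. `parse()` continues past the hunk, and the hunk relies on `fmt` already being imported by the vendored parse.go (the patch adds no import), which is worth confirming against the copy vendored in cri-o 1.22.3 before relying on the build. Since this mirrors an upstream commit, deviating from it has a maintenance cost; if distinguishing the depth-limit rejection matters to cri-o callers, panicking a sentinel error from `insertOpenElement` and passing it through unchanged in the deferred recover (sketched below, requires `errors` to be in scope) would preserve it, and the literal 512 in `insertOpenElement` and in the `Parse` doc comment could then share one named constant.
```go
// proposed sentinel (constructed name) so callers can distinguish the depth-limit rejection
var errOpenElementStack = errors.New("html: open stack of elements exceeds 512 nodes")

	if len(p.oe) > 512 {
		panic(errOpenElementStack)
	}

func (p *parser) parse() (err error) {
	defer func() {
		if panicErr := recover(); panicErr != nil {
			// keep the original error value (sentinel or runtime.Error) instead of its string form
			if e, ok := panicErr.(error); ok {
				err = e
				return
			}
			err = fmt.Errorf("%v", panicErr)
		}
	}()
	// … unchanged: tokenization loop …
```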
@@ -81,6 +81,7 @@ Patch25: CVE-2025-58058.patch
 Patch26: CVE-2025-58183.patch
 Patch27: CVE-2025-65637.patch
 Patch28: CVE-2025-11065.patch
+Patch29: CVE-2025-47911.patch
 BuildRequires: btrfs-progs-devel
 BuildRequires: device-mapper-devel
 BuildRequires: fdupes
@@ -231,6 +232,9 @@ mkdir -p /opt/cni/bin
 %{_fillupdir}/sysconfig.kubelet
 %changelog
+* Wed Feb 18 2026 Azure Linux Security Servicing Account - 1.22.3-20
+- Patch for CVE-2025-47911
+
 * Tue Feb 03 2026 Azure Linux Security Servicing Account - 1.22.3-19
 - Patch for CVE-2025-11065
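Review bot: `Patch29: CVE-2025-47911.patch` is declared in the first hunk of this file, but whether it is actually applied depends on the %prep section, which is outside both hunks; if the spec applies patches with explicit `%patchN` macros rather than `%autosetup`/`%autopatch`, a matching `%patch29 -p1` is needed, otherwise the declaration is inert and the package is still built with the unpatched vendored html parser. The tag follows the Patch26–Patch28 numbering, so that cross-check is the only thing left to confirm. The changelog hunk is a release bump and needs no change.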