Patch docker-buildx for CVE-2025-22872 #13859
base: 3.0-dev
Conversation
Co-authored-by: kgodara912 <193572699+kgodara912@users.noreply.github.com>
update patch file paths in SPECS/docker-buildx/CVE-2025-22872.patch from html/token.go to vendor/golang.org/x/net/html/token.go
Co-authored-by: kgodara912 <193572699+kgodara912@users.noreply.github.com>
I've updated the patch file paths in SPECS/docker-buildx/CVE-2025-22872.patch from html/token.go to vendor/golang.org/x/net/html/token.go as requested. The changes are included in commit 60c87c3.
Please remove vendor/golang.org/x/net/html/token_test.go from SPECS/docker-buildx/CVE-2025-22872.patch
Co-authored-by: kgodara912 <193572699+kgodara912@users.noreply.github.com>
I've removed the vendor/golang.org/x/net/html/token_test.go file from the CVE-2025-22872.patch as requested. The patch now only includes changes to the token.go file. The changes are in commit 9c3863b.
Summary
This PR addresses CVE-2025-22872 in the docker-buildx package by applying the upstream patch from the Go library.
Changes
Technical Details
The vulnerability occurs in the HTML tokenizer when parsing tags with a trailing solidus in unquoted attribute values. The parser correctly handles tags like `<p a=/>` as `<p a="/">`, but the tokenizer was emitting the `SelfClosingTagToken` token incorrectly: the `/` that belongs to the unquoted attribute value was also being read as the self-closing marker. When used to parse foreign content, this resulted in an incorrect DOM. The upstream fix improves the logic for detecting self-closing tags by checking that the last character of the tag isn't also the last character of an unquoted attribute value.
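The following is an added illustration of the self-closing check described above; it is not the golang.org/x/net/html tokenizer code and not part of this PR's patch. `parseStartTag` is a deliberately small, hypothetical start-tag parser that records where the last unquoted attribute value ends and only reports a tag as self-closing when the trailing `/` is not that value's last character, while `naiveSelfClosing` shows the shortcut that misclassifies `<p a=/>`. The sample tags in `main` are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// TagInfo is what this toy parser recovers from one start tag.
type TagInfo struct {
	Name        string
	Attrs       map[string]string
	SelfClosing bool
}

// isSpace reports the ASCII whitespace that terminates an unquoted attribute value.
func isSpace(c byte) bool {
	return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f'
}

// naiveSelfClosing is the shortcut this example contrasts against: any tag that ends in "/>"
// is treated as self-closing, without asking whether the '/' belongs to an unquoted value.
func naiveSelfClosing(raw string) bool {
	return strings.HasSuffix(raw, "/>")
}

// parseStartTag parses a single start tag such as `<p a=/>` or `<br/>` (hypothetical helper).
// It returns false when the input is not shaped like a start tag.
func parseStartTag(raw string) (TagInfo, bool) {
	if len(raw) < 3 || raw[0] != '<' || raw[len(raw)-1] != '>' {
		return TagInfo{}, false
	}
	body := raw[1 : len(raw)-1] // everything between '<' and '>'
	info := TagInfo{Attrs: map[string]string{}}

	// Tag name runs until whitespace or a solidus.
	i := 0
	for i < len(body) && !isSpace(body[i]) && body[i] != '/' {
		i++
	}
	info.Name = strings.ToLower(body[:i])
	if info.Name == "" {
		return TagInfo{}, false
	}

	// Index just past the most recent unquoted attribute value (-1 if none seen).
	lastUnquotedEnd := -1
	for i < len(body) {
		for i < len(body) && isSpace(body[i]) {
			i++
		}
		if i >= len(body) {
			break
		}
		if body[i] == '/' {
			// A solidus outside any value; whether it means self-closing is decided below.
			i++
			continue
		}
		start := i
		for i < len(body) && !isSpace(body[i]) && body[i] != '=' && body[i] != '/' {
			i++
		}
		name := strings.ToLower(body[start:i])
		value := ""
		if i < len(body) && body[i] == '=' {
			i++
			if i < len(body) && (body[i] == '"' || body[i] == '\'') {
				// Quoted value: ends at the matching quote, so a later '/' is never part of it.
				q := body[i]
				i++
				vstart := i
				for i < len(body) && body[i] != q {
					i++
				}
				value = body[vstart:i]
				if i < len(body) {
					i++ // consume closing quote
				}
			} else {
				// Unquoted value: runs to whitespace or the end of the tag, '/' included.
				vstart := i
				for i < len(body) && !isSpace(body[i]) {
					i++
				}
				value = body[vstart:i]
				lastUnquotedEnd = i
			}
		}
		if name != "" {
			info.Attrs[name] = value
		}
	}

	// The corrected rule: a trailing '/' marks self-closing only if it is not also the
	// last character of an unquoted attribute value.
	info.SelfClosing = strings.HasSuffix(body, "/") && lastUnquotedEnd != len(body)
	return info, true
}

func main() {
	// Constructed sample tags; `<p a=/>` is the case the advisory text describes.
	for _, raw := range []string{"<p a=/>", "<br/>", `<p a="x"/>`, "<p a=x/>", "<img src=/img.png>"} {
		info, _ := parseStartTag(raw)
		fmt.Printf("%-20s naive=%-5v fixed=%-5v attrs=%v\n", raw, naiveSelfClosing(raw), info.SelfClosing, info.Attrs)
	}
}
```

Running it shows the two rules disagreeing exactly on tags whose last unquoted value ends in `/`: `<p a=/>` and `<p a=x/>` are ordinary start tags with attribute values `/` and `x/`, while `<br/>` and `<p a="x"/>` remain self-closing under both rules.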
References
Warning: Firewall rules blocked me from connecting to one or more addresses
I tried to connect to the following addresses, but was blocked by firewall rules:
- _https._tcp.esm.ubuntu.com (/usr/lib/apt/methods/https, dns block)
- _https._tcp.motd.ubuntu.com (/usr/lib/apt/methods/https, dns block)
- esm.ubuntu.com (/usr/lib/apt/methods/https, dns block)
- motd.ubuntu.com (/usr/lib/apt/methods/https, dns block)
If you need me to access, download, or install something from one of these locations, you can either: