Bugzilla – Bug 1111161
VUL-0: CVE-2018-17075: golang-org-x-net-html: Mishandle of "in frameset" causes runtime panic in html.Parse() via crafted html
Last modified: 2018-10-09 07:11:50 UTC
rh#1633041

The html package (aka x/net/html) before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of <template><object>, <template><applet>, or <template><marquee>. This is related to HTMLTreeBuilder.cpp in WebKit.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1633041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17075
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-17075.html
https://bugs.chromium.org/p/chromium/issues/detail?id=829668
https://github.com/golang/go/issues/27016
https://github.com/golang/net/commit/aaf60122140d3fcf75376d319f0554393160eb50
There are no actual packages built with this:

$ osc whatdependson openSUSE:Factory golang-org-x-net-html standard x86_64
golang-org-x-net-html :
   golang-org-x-tools
$ osc whatdependson openSUSE:Factory golang-org-x-tools standard x86_64
golang-org-x-tools :
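Added example, not part of the original report or of the Go project's code: a source-level counterpart to the osc whatdependson query above, for Go projects that pin golang.org/x/net through go.sum. It compares the commit date embedded in each pseudo-version with the 2018-07-13 cutoff from the CVE text; the function names are hypothetical and the go.sum excerpt is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const cutoffDay = "20180713"     // "before 2018-07-13" in the CVE text
const fixCommit = "aaf60122140d" // first 12 hex digits of the fix commit linked in the report

var pseudo = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:.*\.)?(\d{14})-([0-9a-f]{12})$`)

// classify places a Go pseudo-version (vX.Y.Z-[prefix.]yyyymmddhhmmss-commit12)
// relative to the cutoff day, using the commit date it embeds.
func classify(version string) string {
	m := pseudo.FindStringSubmatch(version)
	if m == nil {
		return "not-pseudo-version"
	}
	switch day := m[1][:8]; {
	case m[2] == fixCommit || day > cutoffDay:
		return "at-or-after-fix"
	case day < cutoffDay:
		return "before-cutoff"
	}
	return "cutoff-day" // same day as the fix: compare the commit by hand
}

// scan maps each golang.org/x/net version named in go.sum text to its status.
func scan(goSum string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == "golang.org/x/net" {
			v := strings.TrimSuffix(f[1], "/go.mod")
			out[v] = classify(v)
		}
	}
	return out
}

// Constructed go.sum excerpt: timestamps, commit prefixes and hashes are placeholders.
const sample = `golang.org/x/net v0.0.0-20180601000000-000000000000 h1:PLACEHOLDER=
golang.org/x/net v0.0.0-20180601000000-000000000000/go.mod h1:PLACEHOLDER=
golang.org/x/net v0.0.0-20180713000000-111111111111 h1:PLACEHOLDER=
golang.org/x/net v0.0.0-20181001000000-222222222222 h1:PLACEHOLDER=`

func main() {
	fmt.Println(scan(sample)) // map of version -> status
}
```

A go.sum entry shows only that the module version is in the build graph; whether the html package itself is imported has to be checked separately.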