Skip to content

[AutoPR- Security] Patch helm for CVE-2025-47911 [MEDIUM] #186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
azurelinux-security wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

[AutoPR- Security] Patch helm for CVE-2025-47911 [MEDIUM] #186

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
100 changes: 100 additions & 0 deletions SPECS/helm/CVE-2025-47911.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
From dbd6184100b18166e122fea4d0ca3405af7d8145 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Mon, 29 Sep 2025 16:33:18 -0700
Subject: [PATCH] html: impose open element stack size limit

The HTML specification contains a number of algorithms which are
quadratic in complexity by design. Instead of adding complicated
workarounds to prevent these cases from becoming extremely expensive in
pathological cases, we impose a limit of 512 to the size of the stack of
open elements. It is extremely unlikely that non-adversarial HTML
documents will ever hit this limit (but if we see cases of this, we may
want to make the limit configurable via a ParseOption).

Thanks to Guido Vranken and Jakub Ciolek for both independently
reporting this issue.

Fixes CVE-2025-47911
Fixes golang/go#75682

Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d.patch
---
vendor/golang.org/x/net/html/escape.go | 2 +-
vendor/golang.org/x/net/html/parse.go | 21 +++++++++++++++++----
2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go
index 04c6bec..12f2273 100644
--- a/vendor/golang.org/x/net/html/escape.go
+++ b/vendor/golang.org/x/net/html/escape.go
@@ -299,7 +299,7 @@ func escape(w writer, s string) error {
case '\r':
esc = "&#13;"
default:
- panic("unrecognized escape character")
+ panic("html: unrecognized escape character")
}
s = s[i+1:]
if _, err := w.WriteString(esc); err != nil {
diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
index 5b8374b..044da77 100644
--- a/vendor/golang.org/x/net/html/parse.go
+++ b/vendor/golang.org/x/net/html/parse.go
@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
}

if n.Type == ElementNode {
- p.oe = append(p.oe, n)
+ p.insertOpenElement(n)
+ }
+}
+
+func (p *parser) insertOpenElement(n *Node) {
+ p.oe = append(p.oe, n)
+ if len(p.oe) > 512 {
+ panic("html: open stack of elements exceeds 512 nodes")
}
}

@@ -810,7 +817,7 @@ func afterHeadIM(p *parser) bool {
p.im = inFramesetIM
return true
case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
- p.oe = append(p.oe, p.head)
+ p.insertOpenElement(p.head)
defer p.oe.remove(p.head)
return inHeadIM(p)
case a.Head:
@@ -2308,9 +2315,13 @@ func (p *parser) parseCurrentToken() {
}
}

-func (p *parser) parse() error {
+func (p *parser) parse() (err error) {
+ defer func() {
+ if panicErr := recover(); panicErr != nil {
+ err = fmt.Errorf("%s", panicErr)
+ }
+ }()
// Iterate until EOF. Any other error will cause an early return.
- var err error
for err != io.EOF {
// CDATA sections are allowed only in foreign content.
n := p.oe.top()
@@ -2339,6 +2350,8 @@ func (p *parser) parse() error {
// <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped,
// with no corresponding node in the resulting tree.
//
+// Parse will reject HTML that is nested deeper than 512 elements.
+//
// The input is assumed to be UTF-8 encoded.
func Parse(r io.Reader) (*Node, error) {
return ParseWithOptions(r)
--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/helm/helm.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

Name: helm
Version: 3.14.2
Release: 9%{?dist}
Release: 10%{?dist}
Summary: The Kubernetes Package Manager
Group: Applications/Networking
License: Apache 2.0
Expand Down Expand Up @@ -30,6 +30,7 @@ Patch2: CVE-2025-32386.patch
Patch3: CVE-2025-22872.patch
Patch4: CVE-2025-53547.patch
Patch5: CVE-2025-55198.patch
Patch6: CVE-2025-47911.patch
BuildRequires: golang

%description
Expand Down Expand Up @@ -59,6 +60,9 @@ install -m 755 ./helm %{buildroot}%{_bindir}
go test -v ./cmd/helm

%changelog
* Fri Feb 13 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.14.2-10
- Patch for CVE-2025-47911

* Fri Sep 19 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.14.2-9
- Patch for CVE-2025-55198

Expand Down
Loading