Bug#1104789: libhtml-gumbo-perl: erratic behavior on the unsupported template HTML element - GUMBO_NODE_TEMPLATE node type

[Niko Tyni]

Control: tag -1 patch

On Tue, May 06, 2025 at 03:48:52PM +0200, Vincent Lefevre wrote:
> Package: libhtml-gumbo-perl
> Version: 0.18-4+b1
> Severity: serious
> Tags: security upstream
> Justification: security
> Forwarded: https://github.com/ruz/HTML-Gumbo/issues/6
> X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
> 
> I get erratic behavior on the template HTML element, e.g. on
> the HTML file "<template>". For instance:

> ==64955== Command: perl -C -MHTML::Gumbo -e print\ HTML::Gumbo-\>new-\>parse('\<template\>',\ format\ =\>\ 'string');
> ==64955==
> ==64955== Conditional jump or move depends on uninitialised value(s)
> ==64955==    at 0x484DC89: strlen (vg_replace_strmem.c:505)
> ==64955==    by 0x2AD7DF: ??? (in /usr/bin/perl)
> ==64955==    by 0x486D6CE: tree_to_string (Gumbo.xs:189)
> ==64955==    by 0x486E2C4: walk_tree.isra.0 (Gumbo.xs:55)
> ==64955==    by 0x486E2C4: walk_tree.isra.0 (Gumbo.xs:55)
> ==64955==    by 0x486E2C4: walk_tree.isra.0 (Gumbo.xs:55)
> ==64955==    by 0x486E41B: parse_to_string_cb (Gumbo.xs:505)

The attached change does not make HTML::Gumbo support <template>
properly but seems to plug this specific hole, and hence the
known security aspects.

I've checked that this doesn't break the (not very extensive) test
suite, and that the only reverse dependency in trixie, request-tracker5,
still builds with this.

Tentatively tagging 'patch', but eyeballs would be good.

I think full support for <template> should be a separate wishlist bug.
-- 
Niko Tyni ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-wrong-code-path-with-GUMBO_NODE_TEMPLATE.patch
Type: text/x-diff
Size: 1977 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20250517/0ecd65b3/attachment-0001.patch>