diff --git a/0008-fix-CVE-2025-22872.patch b/0008-fix-CVE-2025-22872.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a5d5c7c7b9ba2dd0105f1b3dd1e1e3fd5133b644
--- /dev/null
+++ b/0008-fix-CVE-2025-22872.patch
@@ -0,0 +1,84 @@
+html: properly handle trailing solidus in unquoted attribute value in foreign content
+The parser properly treats tags like
as
, but the
+tokenizer emits the SelfClosingTagToken token incorrectly. When the
+parser is used to parse foreign content, this results in an incorrect
+DOM.
+
+Thanks to Sean Ng (https://ensy.zip) for reporting this issue.
+
+Fixes golang/go#73070
+Fixes CVE-2025-22872
+
+Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f
+Reviewed-on: https://go-review.googlesource.com/c/net/+/661256
+Reviewed-by: Neal Patel ).
++ //
++ // To avoid this, we check that the last non-bracket character of the tag
++ // (z.raw.end-2) isn't the same character as the last non-quote character of
++ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++ // attributes.
++ nAttrs := len(z.attr)
++ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ return SelfClosingTagToken
+ }
+ return StartTagToken
+diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
+index 877709f..30b2ad5 100644
+--- a/vendor/golang.org/x/net/html/token.go
++++ b/vendor/golang.org/x/net/html/token.go
+@@ -802,8 +802,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ if raw {
+ z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ }
+- // Look for a self-closing token like " ).
++ //
++ // To avoid this, we check that the last non-bracket character of the tag
++ // (z.raw.end-2) isn't the same character as the last non-quote character of
++ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++ // attributes.
++ nAttrs := len(z.attr)
++ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ return SelfClosingTagToken
+ }
+ return StartTagToken
+--
+2.33.0
+
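Review bot: The comment added above the new check in readStartTag describes the compared position as `z.pendingAttr[1].end-1`, while the condition itself reads `z.attr[nAttrs-1][1].end-1`; the two should name the same field, e.g. `// the last attribute of the tag (z.attr[nAttrs-1][1].end-1), if the tag has`. If the wording is kept verbatim to match the upstream change referenced in the Reviewed-on link, that is worth saying in the patch header. Separately, the patch edits only vendor/golang.org/x/net/html/token.go, so the vendored module version metadata presumably stays as it was and version-based scanners may keep reporting CVE-2025-22872 for this build; a one-line note in the spec or changelog that the fix is a backport would help triage. readStartTag begins outside the hunk carried in the patch.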
diff --git a/podman.spec b/podman.spec
index 3163d711d131516c69f2f201b51b2199e222f906..1b8a3f7f38bb1b35556b46a765e207fdbc8e4744 100644
--- a/podman.spec
+++ b/podman.spec
@@ -2,7 +2,7 @@
Name: podman
Version: 3.4.4
-Release: 8
+Release: 9
Summary: A daemonless container engine for managing Containers
Epoch: 1
License: ASL 2.0
@@ -28,6 +28,7 @@ Patch4: 0004-fix-CVE-2024-37298.patch
Patch5: 0005-Fix-CVE-2023-0778.patch
Patch6: 0006-fix-cve-2022-2989.patch
Patch7: 0007-fix-cve-2022-27649.patch
+Patch8: 0008-fix-CVE-2025-22872.patch
%description
Podman manages the entire container ecosystem which includes pods,
@@ -121,6 +122,7 @@ tar -xf %{SOURCE4}
%patch5 -p1
%patch6 -p1
%patch7 -p1
+%patch8 -p1
%build
GO_MD2MAN_PATH="$(pwd)%{_bindir}"
@@ -291,6 +293,9 @@ done
%{_libexecdir}/%{name}/gvproxy
%changelog
+* Thu Sep 18 2025 wang kun
".
+- if z.err == nil && z.buf[z.raw.end-2] == '/' {
++ // Look for a self-closing token (e.g.
).
++ //
++ // Originally, we did this by just checking that the last character of the
++ // tag (ignoring the closing bracket) was a solidus (/) character, but this
++ // is not always accurate.
++ //
++ // We need to be careful that we don't misinterpret a non-self-closing tag
++ // as self-closing, as can happen if the tag contains unquoted attribute
++ // values (i.e.
".
+- if z.err == nil && z.buf[z.raw.end-2] == '/' {
++ // Look for a self-closing token (e.g.
).
++ //
++ // Originally, we did this by just checking that the last character of the
++ // tag (ignoring the closing bracket) was a solidus (/) character, but this
++ // is not always accurate.
++ //
++ // We need to be careful that we don't misinterpret a non-self-closing tag
++ // as self-closing, as can happen if the tag contains unquoted attribute
++ // values (i.e.