From aacf86736e0e5077a0f0028fe9dad74e0c5c3c65 Mon Sep 17 00:00:00 2001
From: wang kun
Date: Thu, 18 Sep 2025 11:13:03 +0800
Subject: [PATCH] fix CVE-2025-22872
---
 0008-fix-CVE-2025-22872.patch | 84 +++++++++++++++++++++++++++++++++++
 podman.spec | 7 ++-
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 0008-fix-CVE-2025-22872.patch
diff --git a/0008-fix-CVE-2025-22872.patch b/0008-fix-CVE-2025-22872.patch
new file mode 100644
index 0000000..a5d5c7c
--- /dev/null
+++ b/0008-fix-CVE-2025-22872.patch
@@ -0,0 +1,84 @@
+html: properly handle trailing solidus in unquoted attribute value in foreign content
+The parser properly treats tags like

as

, but the
+tokenizer emits the SelfClosingTagToken token incorrectly. When the
+parser is used to parse foreign content, this results in an incorrect
+DOM.
+
+Thanks to Sean Ng (https://ensy.zip) for reporting this issue.
+
+Fixes golang/go#73070
+Fixes CVE-2025-22872
+
+Change-Id: I65c18df6d6244bf943b61e6c7a87895929e78f4f
+Reviewed-on: https://go-review.googlesource.com/c/net/+/661256
+Reviewed-by: Neal Patel
+Reviewed-by: Roland Shoemaker
+LUCI-TryBot-Result: Go LUCI
+Auto-Submit: Gopher Robot
+
+---
+ .../vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
+ vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
+ 2 files changed, 32 insertions(+), 4 deletions(-)
+
+diff --git a/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/net/html/token.go b/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/net/html/token.go
+index 877709f..30b2ad5 100644
+--- a/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/net/html/token.go
++++ b/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/net/html/token.go
+@@ -802,8 +802,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ if raw {
+ z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ }
+- // Look for a self-closing token like "
".
+- if z.err == nil && z.buf[z.raw.end-2] == '/' {
++ // Look for a self-closing token (e.g.
).
++ //
++ // Originally, we did this by just checking that the last character of the
++ // tag (ignoring the closing bracket) was a solidus (/) character, but this
++ // is not always accurate.
++ //
++ // We need to be careful that we don't misinterpret a non-self-closing tag
++ // as self-closing, as can happen if the tag contains unquoted attribute
++ // values (i.e.

).
++ //
++ // To avoid this, we check that the last non-bracket character of the tag
++ // (z.raw.end-2) isn't the same character as the last non-quote character of
++ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++ // attributes.
++ nAttrs := len(z.attr)
++ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ return SelfClosingTagToken
+ }
+ return StartTagToken
+diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
+index 877709f..30b2ad5 100644
+--- a/vendor/golang.org/x/net/html/token.go
++++ b/vendor/golang.org/x/net/html/token.go
+@@ -802,8 +802,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ if raw {
+ z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ }
+- // Look for a self-closing token like "
".
+- if z.err == nil && z.buf[z.raw.end-2] == '/' {
++ // Look for a self-closing token (e.g.
).
++ //
++ // Originally, we did this by just checking that the last character of the
++ // tag (ignoring the closing bracket) was a solidus (/) character, but this
++ // is not always accurate.
++ //
++ // We need to be careful that we don't misinterpret a non-self-closing tag
++ // as self-closing, as can happen if the tag contains unquoted attribute
++ // values (i.e.

).
++ //
++ // To avoid this, we check that the last non-bracket character of the tag
++ // (z.raw.end-2) isn't the same character as the last non-quote character of
++ // the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++ // attributes.
++ nAttrs := len(z.attr)
++ if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ return SelfClosingTagToken
+ }
+ return StartTagToken
+--
+2.33.0
+
diff --git a/podman.spec b/podman.spec
index 3163d71..1b8a3f7 100644
--- a/podman.spec
+++ b/podman.spec
@@ -2,7 +2,7 @@ Name: podman
 Version: 3.4.4
-Release: 8
+Release: 9
 Summary: A daemonless container engine for managing Containers
 Epoch: 1
 License: ASL 2.0
@@ -28,6 +28,7 @@ Patch4: 0004-fix-CVE-2024-37298.patch
 Patch5: 0005-Fix-CVE-2023-0778.patch
 Patch6: 0006-fix-cve-2022-2989.patch
 Patch7: 0007-fix-cve-2022-27649.patch
+Patch8: 0008-fix-CVE-2025-22872.patch
 %description
 Podman manages the entire container ecosystem which includes pods,
@@ -121,6 +122,7 @@ tar -xf %{SOURCE4}
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 %build
 GO_MD2MAN_PATH="$(pwd)%{_bindir}"
@@ -291,6 +293,9 @@ done
 %{_libexecdir}/%{name}/gvproxy
 %changelog
+* Thu Sep 18 2025 wang kun - 1:3.4.4-9
+- fix CVE-2025-22872
+
 * Thu Jan 16 2025 duyiwei - 1:3.4.4-8
 - fix cve 2022-27649
--
Gitee
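Review bot: The new self-closing test in readStartTag compares `z.raw.end-2` with `z.attr[nAttrs-1][1].end-1`, so its result depends on where readTagAttrKey and readTagAttrVal leave the value span of the last attribute, and both functions lie outside the two token.go hunks. Because this is a backport onto the x/net copies vendored by podman 3.4.4 and gvisor-tap-vsock, which may be older than the tree the upstream fix was written against, it is worth confirming with a small tokenizer test that a valueless last attribute such as `<input disabled/>` still yields SelfClosingTagToken while `<p a=/>` now yields StartTagToken. The added comment also names `z.pendingAttr[1].end-1` where the code reads `z.attr[nAttrs-1][1].end-1`; I would make the comment say `z.attr[nAttrs-1][1].end-1` in both copies. The patch touches only token.go, so the recorded golang.org/x/net version stays as it was and scanners that key on the module version will presumably keep reporting CVE-2025-22872; the changelog entry is then the only record of the fix.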