[Bugs] [Bug 1633259] gd2: respin/ rerelease 4.1 vendor tarball to update golang.org/x/net/html/...

bugzilla at redhat.com
Thu Oct 11 13:02:25 UTC 2018


https://bugzilla.redhat.com/show_bug.cgi?id=1633259



--- Comment #1 from Kaushal <kaushal at redhat.com> ---
TL;DR CVE does not affect GD2.

GD2 uses neither html.Parse() nor the golang.org/x/net/html package, and
none of the other GD2 dependencies use html.Parse() or depend on
golang.org/x/net/html.

The golang.org/x/net/html package is part of a larger repository that also
contains golang.org/x/net/context, which is a dependency of GD2 brought in
by GRPC.

The shipped GD2 binaries in the distro packages are not affected by the
html.Parse() CVE. In any case, even if the net/html package were used by GD2,
html.Parse() would be stripped out because it is unused: by default the Go
build system strips unused functions and methods from the built binary.

The source tarball that contains the vendored source for golang.org/x/net/html
does include the source file that has the CVE, but it is in no way exploitable,
as the source tarball doesn't contain any executables that use html.Parse().
