The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a "panic: runtime error" in parseCurrentToken in parse.go during an html.Parse call.

Upstream Issue: https://github.com/golang/go/issues/27702
Created heketi tracking bugs for this issue:
Affects: epel-6 [bug 1633026]
Affects: fedora-all [bug 1633025]

Created kompose tracking bugs for this issue:
Affects: fedora-all [bug 1633024]

Created origin tracking bugs for this issue:
Affects: fedora-all [bug 1633023]
upstream fix: https://github.com/golang/net/commit/cf3bd585ca2a5a21b057abd8be7eea2204af89d0
Created golang-googlecode-net tracking bugs for this issue:
Affects: epel-6 [bug 1639105]
Affects: fedora-all [bug 1639104]
Version packaged by RHEL (around 2014) does not seem to include the template functionality. Vulnerable behavior looks to have been introduced here, in 2017:
https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622

Reproducer does not trigger an exception.
OpenStack OpTools 8/9 grafana versions do not include net/html, which includes the flawed code. OpenStack OpTools golang-googlecode-net 9 does have the code, but this version does not support templates (which is needed for flaw exploitation).
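The triage above turns on which x/net snapshot a package carries. The following is an added example, not part of this bug report or of any project named in it: it reads go.mod text and sorts each golang.org/x/net pseudo-version pin by its commit timestamp. It assumes the v0.0.0 pseudo-version form, uses 2017-01-01 as a conservative stand-in for "introduced in 2017", and the function name and sample pins are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// go.mod requirement on golang.org/x/net pinned to a v0.0.0 pseudo-version:
// captures the commit timestamp (UTC, yyyymmddhhmmss) and the commit prefix.
var xnetPin = regexp.MustCompile(`golang\.org/x/net\s+v0\.0\.0-(\d{14})-([0-9a-f]{12})`)

// Dates taken from the page: flaw reported "through 2018-09-17"; the
// vulnerable template handling "looks to have been introduced" in 2017.
// 2017-01-01 is an assumed conservative bound, not the real commit date.
var (
	templateEra  = time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)
	advisoryDate = time.Date(2018, 9, 18, 0, 0, 0, 0, time.UTC) // exclusive bound
)

// Classify returns one verdict per x/net pin found in the go.mod text.
func Classify(gomod string) []string {
	var out []string
	for _, m := range xnetPin.FindAllStringSubmatch(gomod, -1) {
		ts, err := time.Parse("20060102150405", m[1])
		if err != nil {
			out = append(out, m[2]+": unparseable timestamp")
			continue
		}
		switch {
		case ts.Before(templateEra):
			out = append(out, m[2]+": pre-2017, template code likely absent")
		case ts.Before(advisoryDate):
			out = append(out, m[2]+": in advisory range, update x/net")
		default:
			out = append(out, m[2]+": after advisory date, confirm fix commit is included")
		}
	}
	return out
}

func main() {
	// Constructed go.mod fragment; commit prefixes are placeholders.
	sample := "golang.org/x/net v0.0.0-20141028145329-aaaaaaaaaaaa\n" +
		"golang.org/x/net v0.0.0-20180906233101-bbbbbbbbbbbb // indirect\n" +
		"golang.org/x/net v0.0.0-20190311183353-cccccccccccc\n"
	fmt.Println(strings.Join(Classify(sample), "\n"))
}
```

A pin dated after 2018-09-17 is not automatically fixed; check that its history contains the upstream fix commit linked above. Vendored copies without a go.mod need the same comparison done against the vendored revision.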