Update to libuv 1.48.0

https://github.com/libuv/libuv/releases/tag/v1.48.0

Resolves: CVE-2024-24806

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

.gitignore

@@ -83,3 +83,5 @@ libuv-v*/
 /libuv-v1.44.2.tar.gz
 /libuv-v1.45.0.tar.gz
 /libuv-v1.46.0.tar.gz
+/libuv-v1.47.0.tar.gz
+/libuv-v1.48.0.tar.gz

0001-unix-ignore-ifaddrs-with-NULL-ifa_addr-4218.patch

@@ -0,0 +1,33 @@
+From b963f0a75bd6c95fbfa0ac17e46ab1f9d1a787c4 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 14 Nov 2023 04:23:28 -0500
+Subject: [PATCH 1/2] unix: ignore ifaddrs with NULL ifa_addr (#4218)
+
+Passing this to uv__is_ipv6_link_local() is causing a segmentation
+fault. Note that the documentation for getifaddrs() explicitly states
+that this value may be NULL.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/unix/tcp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/unix/tcp.c b/src/unix/tcp.c
+index a6b53e5913271d0c83e1d7f7e4cb8140f5f3936d..29f4532e747db50146a8b821389f4d45304c5cd0 100644
+--- a/src/unix/tcp.c
++++ b/src/unix/tcp.c
+@@ -233,8 +233,9 @@ static int uv__ipv6_link_local_scope_id(void) {
+     return 0;
+ 
+   for (p = ifa; p != NULL; p = p->ifa_next)
+-    if (uv__is_ipv6_link_local(p->ifa_addr))
+-      break;
++    if (p->ifa_addr != NULL)
++      if (uv__is_ipv6_link_local(p->ifa_addr))
++        break;
+ 
+   rv = 0;
+   if (p != NULL) {
+-- 
+2.41.0
+

0002-test-check-if-ipv6-link-local-traffic-is-routable.patch

@@ -0,0 +1,58 @@
+From 21e403424060d71e97ee1ef328288fdb9d24a191 Mon Sep 17 00:00:00 2001
+From: Ben Noordhuis <info@bnoordhuis.nl>
+Date: Tue, 14 Nov 2023 10:58:02 +0100
+Subject: [PATCH 2/2] test: check if ipv6 link-local traffic is routable
+
+Fixes: https://github.com/libuv/libuv/issues/4211
+---
+ test/test-tcp-connect6-error.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/test/test-tcp-connect6-error.c b/test/test-tcp-connect6-error.c
+index 1e6d7c78da999d5d6d1f5e1e57646e34aba4a33b..dc2fce82f8958ac5afaeafafa8f2efccf2a1e1ec 100644
+--- a/test/test-tcp-connect6-error.c
++++ b/test/test-tcp-connect6-error.c
+@@ -23,6 +23,7 @@
+ #include "task.h"
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <string.h>
+ 
+ 
+ static int connect_cb_called = 0;
+@@ -75,9 +76,13 @@ TEST_IMPL(tcp_connect6_error_fault) {
+ 
+ 
+ TEST_IMPL(tcp_connect6_link_local) {
++  uv_interface_address_t* ifs;
++  uv_interface_address_t* p;
+   struct sockaddr_in6 addr;
+   uv_connect_t req;
+   uv_tcp_t server;
++  int ok;
++  int n;
+ 
+   if (!can_ipv6())
+     RETURN_SKIP("IPv6 not supported");
+@@ -90,6 +95,18 @@ TEST_IMPL(tcp_connect6_link_local) {
+   RETURN_SKIP("Test does not currently work in QEMU");
+ #endif  /* defined(__QEMU__) */
+ 
++  /* Check there's an interface that routes link-local (fe80::/10) traffic. */
++  ASSERT_OK(uv_interface_addresses(&ifs, &n));
++  for (p = ifs; p < &ifs[n]; p++)
++    if (p->address.address6.sin6_family == AF_INET6)
++      if (!memcmp(&p->address.address6.sin6_addr, "\xfe\x80", 2))
++        break;
++  ok = (p < &ifs[n]);
++  uv_free_interface_addresses(ifs, n);
++
++  if (!ok)
++    RETURN_SKIP("IPv6 link-local traffic not supported");
++
+   ASSERT_OK(uv_ip6_addr("fe80::0bad:babe", 1337, &addr));
+   ASSERT_OK(uv_tcp_init(uv_default_loop(), &server));
+ 
+-- 
+2.41.0
+

0003-test_fs.c-Fix-issue-on-32-bit-systems-using-btrfs.patch

@@ -0,0 +1,34 @@
+From 3d10efa49dc063831787bc01501ab946f6d91282 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Thu, 16 Nov 2023 10:00:20 -0500
+Subject: [PATCH 3/3] test_fs.c: Fix issue on 32-bit systems using btrfs
+
+On Fedora's build system, the build environment runs on btrfs. This
+revealed a bug in the test on i686 systems, where this comparison was
+being performed as a comparison of two signed integers, but the
+filesystem type of btrfs happens to use the higher-order bits, resulting
+in it appearing as a negative value.
+
+BTRFS_SUPER_MAGIC     0x9123683e
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ test/test-fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/test-fs.c b/test/test-fs.c
+index 1acdc5c67082c7ea4f579f25af82cd9bd3fefc71..ab8a9e07ccea95493e479703a07bebca5e29be30 100644
+--- a/test/test-fs.c
++++ b/test/test-fs.c
+@@ -343,7 +343,7 @@ static void statfs_cb(uv_fs_t* req) {
+   defined(__OpenBSD__) || defined(__NetBSD__)
+   ASSERT_OK(stats->f_type);
+ #else
+-  ASSERT_GT(stats->f_type, 0);
++  ASSERT_UINT64_GT(stats->f_type, 0);
+ #endif
+ 
+   ASSERT_GT(stats->f_bsize, 0);
+-- 
+2.41.0
+

libuv-v1.46.0.tar.gz.sign

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEYS8OrZQBYiN530QC8ow8jaM8A74FAmSfH78ACgkQ8ow8jaM8
-A75O6Q//eh0rFOJSaFQcLAVAuvjJR6VZkNYHEjgiuG603Bls/f9UTl3VhuktQeik
-kJTjIv3+bP0BNCXM4Dmtc4eeItVmCLKSfGsspt095HxjQlYA5O+gPqJN4htEoBPf
-6YgCLGcN0I0+6DecuouXov0SjnsBj0soicFvbd1DlZdTOwJdb+TGsszVWDPn4aY2
-dRo4sI1jTMbRKkMJI6tS6hZbnDzDGC8tUyqCFCXCe9dCTXo/jZIAhBVvxxZwgqaN
-zPN57/JBuWDb7bTo1+vpd5cVEO5koImYZ0ZCWXv0SE7T9DzIxK2Hd62wQsE2sLBh
-rmMgi1WBtFZf+n/mZPF0lgWYI998vAIstv+fdPmrxoZJLez4GTkYeU+cqoIKRzfs
-NUBbeDCVSGXAFANWtLVeVgm7Lf42rpQUXceZb2Lol+ZUkNOueNgW7jAAPUNDQn+r
-Mn/+9jgWfZhHwAJMSC+HZBhcytf3eMIxh/+97YvEx2WO4qNN51InaXbNrL7XvLN7
-XXRaRljJ4bEY/p7TKdbjKELcq2dcycBRKVzQUyswN9NraUU/nOJh4G/EVFCpCGAD
-c7zUB6OUoQiq8fyvra3sDOCzWllyiqhzl4mX6guYh+W4Xeo3PRiwRVVNh53+QWvE
-++3YIPNTcvfu2okzWCrXWp13f9cLYsLGtuVtR0HGyGpQ0va4yDk=
-=MIjS
------END PGP SIGNATURE-----

libuv-v1.47.0.tar.gz.sign

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEz7ucqaW+r9cOKzxaeaZ8VaNnnIsFAmVJLkMACgkQeaZ8VaNn
+nIulpw/+PDclC7vdL8iYxgPIcUrkktfeg2bNLreuh8X18vl+9pkm6L2pyHD5oczm
+SOuH7l5XWSWUU9TcFH57TMb79e4PQLGQ66+8jNkNb9GDHu4ccKi0Zbke5MXscUsZ
+EaG4pjpIOcmE0UopVpIh0qfAli3pO31xJzymAh0/Wz8bWwQ415VEpkAJ+N9a1bWa
+Lztf0VfKNjoT5omSuxJ0xwfbc8msDnivY9fKbaHOWLeUkZ7sZ9CBbVAixCfEvGil
+81imUmKpNVHjMw1+k0Z7Fw2VrFi7sPh1uOVUuKGImN7ga/tfZscLLNtH+oE3JjIw
+Kg2qQDM4VU620SsXYywLZEOsuavzadbOK/2PqBNYVsZ1YOToAItaaNaXmLCVEUla
+7t4Dq9W+aR7dtsgcvbS8hEc7goBvMYYLJ6h+Lf/YCTlkDxaKciDGxTEmGsPikbxk
+kVjAmW6y1LHiHMw8Ob4DKuv+RMo5oH12ouN8SdSlV8xKyM+Toysv/bwynsC+92Xv
+3M0EcVbj32c/9At8xfi1eRFXDPNC3Tu6ibh4qch0Jm9sgJIrzEEKmgR+f+uqAg07
+gHVCQMma+Sch+6sUt8/sM1+2r+Epol0/6L5hsstrnLiUVGIyrTawzq6VJFXmc7vA
+pxEgUBl/ff2tRS/RlqSNb5YIbIRo0hccuG0qepgMCeahl/UVS/k=
+=URgL
+-----END PGP SIGNATURE-----

libuv-v1.48.0.tar.gz.sign

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEYS8OrZQBYiN530QC8ow8jaM8A74FAmXD5iAACgkQ8ow8jaM8
+A77Erw/+KSsWKi47qakBDtkjOsUY/PmvX9nPQn1wHvwABWSx/8vNkAjcENbAkEuX
+U4gM2kqjyoe12tRhvVwriHYbRgIAkjkcRPYM1eAib7RT47fm7nGD3pPFoTylQCxH
+sk+cJuWKTvEXqzDaUKG9nTx3WXU869Tq4T35a8PD7qTqfKnWIRI/xalyPd4b7RUT
+/CURuvLrNH2UDwNFk7qF+So07TfABWbqNzdACV4+N+RyyJdy7/ct6LYIwy+ltwB/
+1R0dGkGyaMN0YFB/5rMLKH5Qy0dHjGV+MOmnEGp/JhPLvJGSHZZr8FXs8q+VUgrB
+PogI74wWul83mRCFE0JDGPNeuDvDqUPKxcH1OhjVlkC/gwslHgQgui0fz+TKJSHj
+dTXZu+R8rYULn+wgPCR3ND2xTayFS/AQejmLHPk9dfAGGlZGJOjw8IIMh70tts6V
+hX3dGybLvKFOGFKZzx1TSJQOB3+tkkjgFPVzDRXm50w5YS2IH7sWoP2KUa4XmdMG
+ymknB6PE5zhP/HfsfOL5vAcpCYkRb19YvActbfC8/kV+/Rid4r1jIC86HhuzFXYf
+oCBTKQ5xN7SphhGNMOYPoYKCV8ttHYsuOVs9ZkV9OCTfMVJOy1o8/31YP27G4SDi
+KrfPD/q1jP1g6qV5NQBDbuzDBgKWGr+YwjPmPR6f3QK4oB0TnLU=
+=6mql
+-----END PGP SIGNATURE-----

libuv.spec

@@ -1,9 +1,15 @@
-# Run the tests by default
-%bcond_without tests
+# Run the tests by default on Fedora
+# Some of the network tests fail on RHEL/CentOS Stream due to the network
+# configuration on the builders
+%if 0%{?rhel}
+%bcond tests 0
+%else
+%bcond tests 1
+%endif
 
 Name:           libuv
 Epoch:          1
-Version:        1.46.0
+Version:        1.48.0
 Release:        %autorelease
 Summary:        Platform layer for node.js
 
@@ -11,7 +17,7 @@ Summary:        Platform layer for node.js
 # Documentation is CC-BY-4.0
 # src/inet.c is ISC
 # include/uv/tree.h is BSD-2-Clause
-License:        MIT and CC-BY-4.0 and ISC AND BSD-2-Clause
+License:        MIT AND CC-BY-4.0 AND ISC AND BSD-2-Clause
 URL:            http://libuv.org/
 Source0:        http://dist.libuv.org/dist/v%{version}/libuv-v%{version}.tar.gz
 Source1:        https://dist.libuv.org/dist/v%{version}/%{name}-v%{version}.tar.gz.sign
@@ -43,6 +49,8 @@ differences in this library.
 %package devel
 Summary:        Development libraries for libuv
 Requires:       %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+Requires:       %{name}-static%{?_isa} = %{epoch}:%{version}-%{release}
+
 
 %description devel
 Development libraries for libuv
@@ -57,7 +65,7 @@ Static library (.a) version of libuv.
 
 %prep
 gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
-%autosetup -n %{name}-v%{version} 
+%autosetup -n %{name}-v%{version} -p1
 
 %build
 %if %{with tests}
@@ -85,8 +93,8 @@ rm %{buildroot}/%{_docdir}/libuv/LICENSE-extra
 
 %check
 %if %{with tests}
-env UV_TEST_TIMEOUT_MULTIPLIER=3 ./%{__cmake_builddir}/uv_run_tests
-env UV_TEST_TIMEOUT_MULTIPLIER=3 ./%{__cmake_builddir}/uv_run_tests_a
+env UV_TEST_TIMEOUT_MULTIPLIER=10 ./%{__cmake_builddir}/uv_run_tests
+env UV_TEST_TIMEOUT_MULTIPLIER=10 ./%{__cmake_builddir}/uv_run_tests_a
 %endif
 
 

sources

@@ -1 +1 @@
-SHA512 (libuv-v1.46.0.tar.gz) = 41b5606bd4575e1fd1a3a275d00e0bafdef0f43f251c9a032c49ab03134f50fb361e7f355ac0b34dd35959b3b0d29faf1aa7411002f430e3b0d78935a366b3da
+SHA512 (libuv-v1.48.0.tar.gz) = 7ae3a4c02f654a26056db1541e52ccc4c54aaea39c33585f0cf6949af997d0a0a29f30a294c8df6e92f6f6af7ce64c2766b1a2cc67f342e3e139cd55b7326c94