From 7271ac2e7905da1f8524303ed912d10f9cfdff98 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Mon, 27 Mar 2023 19:06:38 +0200 Subject: [PATCH] Patch bundled glob-parent --- ...-Resolve-ReDoS-vulnerability-from-CV.patch | 63 +++++++++++++++++++ nodejs-nodemon.spec | 21 ++++--- nodemon-tarball.sh | 8 +-- sources | 2 +- 4 files changed, 80 insertions(+), 14 deletions(-) create mode 100644 0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch diff --git a/0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch b/0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch new file mode 100644 index 0000000..c838a4f --- /dev/null +++ b/0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch 
@@ -0,0 +1,63 @@
+From 62287c7af3aabd73db9bd1057c4c6cfcb5f3f67b Mon Sep 17 00:00:00 2001
+From: Takayuki Sato
+Date: Tue, 20 Jul 2021 14:46:33 +0900
+Subject: [PATCH] deps(glob-parent): Resolve ReDoS vulnerability from
+ CVE-2021-35065 (#49)
+
+Signed-off-by: rpm-build
+---
+ node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
+index 09e257e..b182190 100644
+--- a/node_modules/glob-parent/index.js
++++ b/node_modules/glob-parent/index.js
+@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
+ 
+ var slash = '/';
+ var backslash = /\\/g;
+-var enclosure = /[\{\[].*[\}\]]$/;
+ var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
+ var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
+ 
+@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
+   }
+ 
+   // special case for strings ending in enclosure containing path separator
+-  if (enclosure.test(str)) {
++  if (isEnclosure(str)) {
+     str += slash;
+   }
+ 
+@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
+   // remove escape chars and return result
+   return str.replace(escaped, '$1');
+ };
++
++
++function isEnclosure(str) {
++  var lastChar = str.slice(-1)
++
++  var enclosureStart;
++  switch (lastChar) {
++    case '}':
++      enclosureStart = '{';
++      break;
++    case ']':
++      enclosureStart = '[';
++      break;
++    default:
++      return false;
++  }
++
++  var foundIndex = str.indexOf(enclosureStart);
++  if (foundIndex < 0) {
++    return false;
++  }
++
++  return str.slice(foundIndex + 1, -1).includes(slash);
++}
+-- 
+2.39.2
+
diff --git a/nodejs-nodemon.spec b/nodejs-nodemon.spec
index d61799b..7ee3c77 100644
--- a/nodejs-nodemon.spec
+++ b/nodejs-nodemon.spec
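Review bot: `isEnclosure` carries no comment saying why the one-line `enclosure` regex became a hand-written scan, so a later tidy-up can fold it back into a regex and reintroduce the ReDoS this patch exists to fix. The removed `/[\{\[].*[\}\]]$/` is attempted from every `{` or `[` in the string and backtracks across `.*` each time, which is roughly quadratic on a long bracket-heavy glob that does not end in a closer, whereas the new function does one `indexOf` and one `includes`, both linear. I would add directly above the function: `// Replaces the former enclosure regex (CVE-2021-35065): a regex with .* here backtracks quadratically on crafted input, so keep this as plain string scanning.` Separately, `var lastChar = str.slice(-1)` is the only statement in the hunk without a semicolon. Note the new check also requires a path separator inside the brackets, which the old regex never tested despite the comment at the call site, so that behaviour change looks intended rather than accidental.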
@@ -1,17 +1,19 @@ %{?nodejs_find_provides_and_requires} %global npm_name nodemon -# Disable until dependencies are bundled +# Disable until dependencies are met %global enable_tests 0 Name: nodejs-%{npm_name} Version: 2.0.20 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Simple monitor script for use during development of a node.js app License: MIT -URL: https://github.com/remy/nodemon +URL: https://www.npmjs.com/package/nodemon Source0: %{npm_name}-v%{version}-bundled.tar.gz +Patch1: 0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch + BuildRequires: nodejs-devel BuildRequires: nodejs-packaging BuildRequires: npm @@ -35,7 +37,7 @@ replacement wrapper for node, think of it as replacing the word "node" on the command line when you run your script. %prep -%autosetup -n %{npm_name}-%{version} +%autosetup -p1 -n package %build @@ -44,14 +46,11 @@ on the command line when you run your script. %install mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name} -cp -pr doc bin lib package.json website node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name} +cp -pr doc bin lib package.json node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name} mkdir -p %{buildroot}%{_bindir} ln -sf %{nodejs_sitelib}/%{npm_name}/bin/nodemon.js %{buildroot}%{_bindir}/nodemon - -#%%nodejs_symlink_deps - %if 0%{?enable_tests} %check %nodejs_symlink_deps --check @@ -59,11 +58,15 @@ npm run test %endif %files -%doc CODE_OF_CONDUCT.md doc faq.md README.md +%doc doc README.md %{nodejs_sitelib}/%{npm_name} %{_bindir}/nodemon %changelog +* Mon Mar 27 2023 Zuzana Svetlikova - 2.0.20-3 +- Patch bundled glob-parent +- Resolves: CVE-2021-35065 + * Thu Dec 08 2022 Zuzana Svetlikova - 2.0.20-2 - Record CVE fixed in the current or previous upstream versions - Resolves: CVE-2021-44906 diff --git a/nodemon-tarball.sh b/nodemon-tarball.sh index e9c1502..da0b0b2 100644 --- a/nodemon-tarball.sh +++ b/nodemon-tarball.sh 
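Review bot: `Patch1` fixes the code in `node_modules/glob-parent/index.js` but leaves the bundled copy's own `package.json` version as npm shipped it, so whatever `bundled(npm(glob-parent))` provides `%{?nodejs_find_provides_and_requires}` derives from that file, and any scanner reading the installed tree, will presumably keep reporting the unpatched version after this build. That is inherent to a backport, but the spec should say so where the next rebase will see it; today only the `%changelog` entry names the CVE. I would put directly above the `Patch1:` line: `# Backport of upstream glob-parent commit 62287c7 (CVE-2021-35065) into the bundled copy; its package.json version is not bumped, so provides/scanners still show the old version. Drop once the bundled glob-parent carries the fix.` That hash is the one the patch's own header records, so the provenance stays checkable.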
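Review bot: `%autosetup -p1 -n package` applies Patch1 to a single path, `node_modules/glob-parent/index.js`, but nothing in `%prep` checks that the tree produced by `npm install` contains only that one copy of glob-parent; npm typically nests a second copy under another dependency's `node_modules` when version ranges diverge, and such a copy would ship unpatched while the build still succeeds. A guard after `%autosetup` turns that assumption into a build failure: `test "$(find node_modules -type d -name glob-parent | wc -l)" -eq 1` followed by `grep -q isEnclosure node_modules/glob-parent/index.js` to confirm the patched code is what gets installed. This is worth having because the bundled tarball is regenerated from the live registry by nodemon-tarball.sh, so the dependency layout can change between builds.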
@@ -1,7 +1,7 @@ #!/bin/sh version=$(rpm -q --specfile --qf='%{version}\n' nodejs-nodemon.spec | head -n1) -wget https://github.com/remy/nodemon/archive/v$version.tar.gz -tar -zxf v$version.tar.gz -cd nodemon-$version -npm install --production && cd .. && tar -zcf nodemon-v$version-bundled.tar.gz nodemon-$version +wget https://registry.npmjs.org/nodemon/-/nodemon-$version.tgz +tar -zxf nodemon-$version.tgz +cd package +npm install --production && rm -rf Dockerfile && cd .. && tar -zcf nodemon-v$version-bundled.tar.gz package diff --git a/sources b/sources index fa1f06b..5dd1011 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (nodemon-v2.0.20-bundled.tar.gz) = 51f71b6341dba1d6c6b02c1e44bb1aa0c8bcb43ef7319073e471884ca6b309696dc0134089f6e3a7a81999cd7da9cf89e7739a1f547d4ab45fba98bccc23256c +SHA512 (nodemon-v2.0.20-bundled.tar.gz) = 283399e33bd3467d64024e0b8568e75f520aa7bf7d615c06b154911e7edf890f7cf05c226b95d49c3066fb94e8f46e1ada7e052eae4c7ed1402552c0181ea849
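Review bot: The script still has no `set -e`, and the new `wget`, `tar` and `cd package` lines are not chained, so a failed download leaves `cd package` failing and `npm install --production` running in the packaging checkout itself before `tar -zcf` wraps whatever is there; add `set -eu` after the shebang or join those lines with `&&` like the last one. Nothing verifies the `nodemon-$version.tgz` pulled from the registry: the SHA512 in `sources` covers only the re-bundled output this script produces, so compare the download against the published integrity before unpacking, e.g. `npm view nodemon@$version dist.integrity`. `npm install` also runs dependency lifecycle scripts on the packager's machine; `npm install --production --ignore-scripts` avoids executing arbitrary postinstall code and makes the tarball more reproducible. Because the dependency set is resolved from the live registry at bundling time and nothing here pins it, a later regeneration can move or upgrade glob-parent so that Patch1 no longer applies or misses a copy; that deserves a comment at the top of the script.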