diff --git a/0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch b/0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
new file mode 100644
index 0000000..c838a4f
--- /dev/null
+++ b/0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
@@ -0,0 +1,63 @@
+From 62287c7af3aabd73db9bd1057c4c6cfcb5f3f67b Mon Sep 17 00:00:00 2001
+From: Takayuki Sato
+Date: Tue, 20 Jul 2021 14:46:33 +0900
+Subject: [PATCH] deps(glob-parent): Resolve ReDoS vulnerability from
+ CVE-2021-35065 (#49)
+
+Signed-off-by: rpm-build
+---
+ node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
+index 09e257e..b182190 100644
+--- a/node_modules/glob-parent/index.js
++++ b/node_modules/glob-parent/index.js
+@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
+ 
+ var slash = '/';
+ var backslash = /\\/g;
+-var enclosure = /[\{\[].*[\}\]]$/;
+ var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
+ var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
+ 
+@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
+ }
+ 
+ // special case for strings ending in enclosure containing path separator
+- if (enclosure.test(str)) {
++ if (isEnclosure(str)) {
+ str += slash;
+ }
+ 
+@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
+ // remove escape chars and return result
+ return str.replace(escaped, '$1');
+ };
++
++
++function isEnclosure(str) {
++ var lastChar = str.slice(-1)
++
++ var enclosureStart;
++ switch (lastChar) {
++ case '}':
++ enclosureStart = '{';
++ break;
++ case ']':
++ enclosureStart = '[';
++ break;
++ default:
++ return false;
++ }
++
++ var foundIndex = str.indexOf(enclosureStart);
++ if (foundIndex < 0) {
++ return false;
++ }
++
++ return str.slice(foundIndex + 1, -1).includes(slash);
++}
+-- 
+2.39.2
+
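Review bot: `isEnclosure` in the last hunk of the embedded index.js diff carries no comment recording why it replaces the `enclosure` regex, so a later maintainer comparing this bundled copy against upstream cannot see that the removed `/[\{\[].*[\}\]]$/` is the pattern the CVE-2021-35065 backport targets. A header such as `// Linear replacement for the old 'enclosure' regex, whose greedy .* could backtrack heavily on long inputs (CVE-2021-35065): true when str ends in } or ] and the text between the first matching opener and that closer contains a slash` would make the intent self-evident. The new check is also narrower than the regex it replaces — it pairs only `}` with `{` and `]` with `[`, uses the first occurrence of that opener, and now requires a `/` inside — which appears to be upstream's intended behaviour rather than a packaging slip, but is worth stating in the spec changelog so the behavioural change is not mistaken for a regression. `var lastChar = str.slice(-1)` lacks its terminating semicolon, unlike the neighbouring lines.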
diff --git a/nodejs-nodemon.spec b/nodejs-nodemon.spec
index a7ef5bb..079c973 100644
--- a/nodejs-nodemon.spec
+++ b/nodejs-nodemon.spec
@@ -6,12 +6,14 @@
 Name: nodejs-%{npm_name}
 Version: 2.0.20
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Simple monitor script for use during development of a node.js app
 
 License: MIT
 URL: https://www.npmjs.com/package/nodemon
 Source0: %{npm_name}-v%{version}-bundled.tar.gz
 
+Patch1: 0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
+
 BuildRequires: nodejs-devel
 BuildRequires: nodejs-packaging
 BuildRequires: npm
@@ -47,7 +49,7 @@ replacement wrapper for node, think of it as replacing the word "node" on
 the command line when you run your script.
 
 %prep
-%setup -q -n package
+%autosetup -p1 -n package
 
 %build
 
@@ -73,6 +75,10 @@ npm run test
 %{_bindir}/nodemon
 
 %changelog
+* Mon Mar 20 2023 Zuzana Svetlikova - 2.0.20-2
+- Patch bundled glob-parent
+- Resolves: CVE-2021-35065
+
 * Wed Nov 09 2022 Jan Staněk - 2.0.20-1
 - Rebase to 2.0.20
   Resolves: CVE-2022-3517
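Review bot: Patch1, added in the first hunk, rewrites only `node_modules/glob-parent/index.js`, so if the bundled tarball in Source0 carries further copies of glob-parent nested under other dependencies, those would keep the vulnerable regex while the changelog claims `Resolves: CVE-2021-35065`; a quick `find node_modules -path '*/glob-parent/index.js'` in %prep would confirm there is exactly one copy. `%autosetup -p1 -n package` in the second hunk is consistent with the git-format patch's `a/node_modules/...` paths. The surrounding spec sections continue outside these hunks.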