Compare commits

...

No commits in common. "c8-stream-12" and "c9" have entirely different histories.

4 changed files with 115 additions and 32 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/nodemon-v2.0.3-bundled.tar.gz SOURCES/nodemon-v2.0.20-bundled.tar.gz

View File

@ -1 +1 @@
a515df94af26b438ffbf4d914259f16a03cc7c15 SOURCES/nodemon-v2.0.3-bundled.tar.gz 9c1f8b52a985325e94aa5128c301d8262574b5e8 SOURCES/nodemon-v2.0.20-bundled.tar.gz

View File

@ -0,0 +1,63 @@
From 62287c7af3aabd73db9bd1057c4c6cfcb5f3f67b Mon Sep 17 00:00:00 2001
From: Takayuki Sato <sttk.xslet@gmail.com>
Date: Tue, 20 Jul 2021 14:46:33 +0900
Subject: [PATCH] deps(glob-parent): Resolve ReDoS vulnerability from
CVE-2021-35065 (#49)
Signed-off-by: rpm-build <rpm-build>
---
node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
index 09e257e..b182190 100644
--- a/node_modules/glob-parent/index.js
+++ b/node_modules/glob-parent/index.js
@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
var slash = '/';
var backslash = /\\/g;
-var enclosure = /[\{\[].*[\}\]]$/;
var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
}
// special case for strings ending in enclosure containing path separator
- if (enclosure.test(str)) {
+ if (isEnclosure(str)) {
str += slash;
}
@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
// remove escape chars and return result
return str.replace(escaped, '$1');
};
+
+
+function isEnclosure(str) {
+ var lastChar = str.slice(-1)
+
+ var enclosureStart;
+ switch (lastChar) {
+ case '}':
+ enclosureStart = '{';
+ break;
+ case ']':
+ enclosureStart = '[';
+ break;
+ default:
+ return false;
+ }
+
+ var foundIndex = str.indexOf(enclosureStart);
+ if (foundIndex < 0) {
+ return false;
+ }
+
+ return str.slice(foundIndex + 1, -1).includes(slash);
+}
--
2.39.2

View File

@ -5,13 +5,15 @@
%global enable_tests 0 %global enable_tests 0
Name: nodejs-%{npm_name} Name: nodejs-%{npm_name}
Version: 2.0.3 Version: 2.0.20
Release: 1%{?dist} Release: 3%{?dist}
Summary: Simple monitor script for use during development of a node.js app Summary: Simple monitor script for use during development of a node.js app
License: MIT License: MIT
URL: https://github.com/remy/nodemon URL: https://www.npmjs.com/package/nodemon
Source0: %{npm_name}-v%{version}-bundled.tar.gz Source0: %{npm_name}-v%{version}-bundled.tar.gz
Patch1: 0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
BuildRequires: nodejs-devel BuildRequires: nodejs-devel
BuildRequires: nodejs-packaging BuildRequires: nodejs-packaging
BuildRequires: npm BuildRequires: npm
@ -19,35 +21,23 @@ BuildRequires: npm
ExclusiveArch: %{nodejs_arches} noarch ExclusiveArch: %{nodejs_arches} noarch
BuildArch: noarch BuildArch: noarch
%if 0%{?enable_tests}
BuildRequires: npm(async)
BuildRequires: npm(coffee-script)
BuildRequires: npm(husky)
BuildRequires: npm(istanbul)
BuildRequires: npm(jscs)
BuildRequires: npm(mocha)
BuildRequires: npm(proxyquire)
BuildRequires: npm(semantic-release)
BuildRequires: npm(should)
%endif
%description %description
Simple monitor script for use during development of a node.js app. Simple monitor script for use during development of a node.js app.
For use during development of a node.js based application. For use during development of a node.js based application.
nodemon will watch the files in the directory in which nodemon nodemon will watch the files in the directory in which nodemon
was started, and if any files change, nodemon will automatically was started, and if any files change, nodemon will automatically
restart your node application. restart your node application.
nodemon does not require any changes to your code or method of nodemon does not require any changes to your code or method of
development. nodemon simply wraps your node application and keeps development. nodemon simply wraps your node application and keeps
an eye on any files that have changed. Remember that nodemon is a an eye on any files that have changed. Remember that nodemon is a
replacement wrapper for node, think of it as replacing the word "node" replacement wrapper for node, think of it as replacing the word "node"
on the command line when you run your script. on the command line when you run your script.
%prep %prep
%setup -q -n %{npm_name}-%{version} %autosetup -p1 -n package
%build %build
@ -56,14 +46,11 @@ on the command line when you run your script.
%install %install
mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name} mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
cp -pr doc bin lib package.json website node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name} cp -pr doc bin lib package.json node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
mkdir -p %{buildroot}%{_bindir} mkdir -p %{buildroot}%{_bindir}
ln -sf %{nodejs_sitelib}/%{npm_name}/bin/nodemon.js %{buildroot}%{_bindir}/nodemon ln -sf %{nodejs_sitelib}/%{npm_name}/bin/nodemon.js %{buildroot}%{_bindir}/nodemon
#%%nodejs_symlink_deps
%if 0%{?enable_tests} %if 0%{?enable_tests}
%check %check
%nodejs_symlink_deps --check %nodejs_symlink_deps --check
@ -71,14 +58,47 @@ npm run test
%endif %endif
%files %files
%doc CODE_OF_CONDUCT.md doc faq.md README.md %doc doc README.md
%{nodejs_sitelib}/%{npm_name} %{nodejs_sitelib}/%{npm_name}
%{_bindir}/nodemon %{_bindir}/nodemon
%changelog %changelog
* Wed May 06 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.3-1 * Mon Mar 27 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.20-3
- Resolves: RHBZ#1920692, RHBZ#1804236, RHBZ#1803247 - Patch bundled glob-parent
- Rebase to 2.0.3 - Resolves: CVE-2021-35065
* Thu Dec 08 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.20-2
- Record CVE fixed in the current or previous upstream versions
- Resolves: CVE-2021-44906
* Fri Nov 18 2022 Jan Staněk <jstanek@redhat.com> - 2.0.20-1
- Rebase to 2.0.20
Resolves: CVE-2022-3517
* Wed Aug 31 2022 Jan Staněk <jstanek@redhat.com> - 2.0.19-1
- Rebase to 2.0.19
Resolves: CVE-2022-33987 rhbz#2073156 CVE-2021-33502 CVE-2021-3807 CVE-2020-28469
Resolves: CVE-2020-7788
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.0.3-6
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2.0.3-5
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.0.3-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri May 01 2020 Honza Horak <hhorak@redhat.com> - 2.0.3-1
- Update to 2.0.3
* Mon Aug 13 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.18.3-1 * Mon Aug 13 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.18.3-1
- Resolves: #1615413 - Resolves: #1615413