import UBI nodejs-20.11.1-1.module+el9.3.0+21385+bac43d5a

This commit is contained in:
eabdullin 2024-04-08 08:28:19 +00:00
parent c3453334f8
commit 0057e6dce1
4 changed files with 85 additions and 17 deletions

4
.gitignore vendored
View File

@ -1,6 +1,6 @@
SOURCES/cjs-module-lexer-1.2.2.tar.gz SOURCES/cjs-module-lexer-1.2.2.tar.gz
SOURCES/icu4c-73_2-src.tgz SOURCES/icu4c-73_2-src.tgz
SOURCES/node-v20.11.0-stripped.tar.gz SOURCES/node-v20.11.1-stripped.tar.gz
SOURCES/undici-5.27.2.tar.gz SOURCES/undici-5.28.3.tar.gz
SOURCES/wasi-sdk-11.0-linux.tar.gz SOURCES/wasi-sdk-11.0-linux.tar.gz
SOURCES/wasi-sdk-16.0-linux.tar.gz SOURCES/wasi-sdk-16.0-linux.tar.gz

View File

@ -1,6 +1,6 @@
b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz 3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz
8b62ac9e63c605f9942a0bee294c8a98c1ca63ba SOURCES/node-v20.11.0-stripped.tar.gz 59aed60100c3d6373c218378ccc8e03eb26cc1e5 SOURCES/node-v20.11.1-stripped.tar.gz
af3eca3508a818ea8e5829b2a4104f5ef7ddd5e2 SOURCES/undici-5.27.2.tar.gz b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz
ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz
fbe01909bf0e8260fcc3696ec37c9f731b5e356a SOURCES/wasi-sdk-16.0-linux.tar.gz fbe01909bf0e8260fcc3696ec37c9f731b5e356a SOURCES/wasi-sdk-16.0-linux.tar.gz

View File

@ -1,15 +1,77 @@
FIPS related options cause a segfault, let's end sooner From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
From: Michael Dawson <midawson@redhat.com>
Date: Fri, 23 Feb 2024 13:43:56 +0100
Subject: [PATCH] Disable FIPS options
On RHEL, FIPS should be configured only on system level.
Additionally, the related options may cause segfault when used on RHEL.
This patch causes the option processing to end sooner
than the problematic code gets executed.
Additionally, the JS-level options to mess with FIPS settings
are similarly disabled.
Upstream report: https://github.com/nodejs/node/pull/48950 Upstream report: https://github.com/nodejs/node/pull/48950
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726 RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
Customer case: https://access.redhat.com/support/cases/#/case/03711488
This patch makes the part of the code that processes cmd-line options for Signed-off-by: rpm-build <rpm-build>
FIPS to end sooner before the code gets to the problematic part of the code. ---
lib/crypto.js | 10 ++++++++++
lib/internal/errors.js | 6 ++++++
src/crypto/crypto_util.cc | 2 ++
3 files changed, 18 insertions(+)
diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/crypto/crypto_util.cc diff --git a/lib/crypto.js b/lib/crypto.js
--- node-v18.16.1/src/crypto/crypto_util.cc.origfips 2023-07-31 12:09:46.603683081 +0200 index 41adecc..b2627ac 100644
+++ node-v18.16.1/src/crypto/crypto_util.cc 2023-07-31 12:16:16.906617914 +0200 --- a/lib/crypto.js
@@ -111,6 +111,8 @@ bool ProcessFipsOptions() { +++ b/lib/crypto.js
@@ -36,6 +36,9 @@ const {
assertCrypto();
const {
+ // RHEL specific error
+ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
+
ERR_CRYPTO_FIPS_FORCED,
ERR_WORKER_UNSUPPORTED_OPERATION,
} = require('internal/errors').codes;
@@ -251,6 +254,13 @@ function getFips() {
}
function setFips(val) {
+ // in RHEL FIPS enable/disable should only be done at system level
+ if (getFips() != val) {
+ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
+ } else {
+ return;
+ }
+
if (getOptionValue('--force-fips')) {
if (val) return;
throw new ERR_CRYPTO_FIPS_FORCED();
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
index a722360..04d8a53 100644
--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
@@ -1060,6 +1060,12 @@ module.exports = {
//
// Note: Node.js specific errors must begin with the prefix ERR_
+// insert RHEL specific erro
+E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
+ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
+ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
+ Error);
+
E('ERR_ACCESS_DENIED',
'Access to this API has been restricted. Permission: %s',
Error);
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 5734d8f..ef9d1b1 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
/* Override FIPS settings in configuration file, if needed. */ /* Override FIPS settings in configuration file, if needed. */
if (per_process::cli_options->enable_fips_crypto || if (per_process::cli_options->enable_fips_crypto ||
per_process::cli_options->force_fips_crypto) { per_process::cli_options->force_fips_crypto) {
@ -18,3 +80,5 @@ diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/cryp
#if OPENSSL_VERSION_MAJOR >= 3 #if OPENSSL_VERSION_MAJOR >= 3
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips"); OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
if (fips_provider == nullptr) if (fips_provider == nullptr)
--
2.43.2

View File

@ -44,7 +44,7 @@
%global nodejs_epoch 1 %global nodejs_epoch 1
%global nodejs_major 20 %global nodejs_major 20
%global nodejs_minor 11 %global nodejs_minor 11
%global nodejs_patch 0 %global nodejs_patch 1
%global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 115 %global nodejs_soversion 115
@ -180,10 +180,10 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
# Version: jq '.version' deps/undici/src/package.json # Version: jq '.version' deps/undici/src/package.json
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.27.2.tar.gz # Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
# Adjustments: rm -f undici-5.27.2/lib/llhttp/llhttp*.wasm # Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm*
# wasi-sdk version can be found in lib/llhttp/wasm_build_env.txt # wasi-sdk version can be found in lib/llhttp/wasm_build_env.txt
Source102: undici-5.27.2.tar.gz Source102: undici-5.28.3.tar.gz
Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-16/wasi-sdk-16.0-linux.tar.gz Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-16/wasi-sdk-16.0-linux.tar.gz
# Disable running gyp on bundled deps we don't use # Disable running gyp on bundled deps we don't use
@ -424,7 +424,7 @@ export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cfl
export LDFLAGS="%{build_ldflags}" export LDFLAGS="%{build_ldflags}"
%{__python3} configure.py --prefix=%{_prefix} --verbose \ %{__python3} configure.py --prefix=%{_prefix} --verbose \
--shared-openssl \ --shared-openssl --openssl-conf-name=openssl_conf \
--shared-zlib \ --shared-zlib \
--shared-brotli \ --shared-brotli \
%{!?with_bundled:--shared-libuv} \ %{!?with_bundled:--shared-libuv} \
@ -634,9 +634,13 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
%changelog %changelog
* Thu Feb 29 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:20.11.1-1
- Rebase to version 20.11.1
- Resolves: RHEL-26694 RHEL-26684 RHEL-26687 RHEL-26010 RHEL-26597 RHEL-26689 RHEL-26022
* Fri Jan 12 2024 Jan Staněk <jstanek@redhat.com> - 1:20.11.0-1 * Fri Jan 12 2024 Jan Staněk <jstanek@redhat.com> - 1:20.11.0-1
- Rebase to version 20.11.0 - Rebase to version 20.11.0
Resolves: RHEL-21188 Resolves: RHEL-21189
* Thu Nov 09 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.9.0-1 * Thu Nov 09 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.9.0-1
- Rebase to LTS - Rebase to LTS