From 133b954d80ad07949bb32acc008426e2c5f36dd5 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Thu, 4 Mar 2021 10:19:13 -0500 Subject: [PATCH] import nodejs-10.24.0-1.module+el8.3.0+10166+b07ac28e --- .gitignore | 2 +- .nodejs.metadata | 2 +- ...o-not-allow-invalid-hazardous-string.patch | 99 ------------------- SPECS/nodejs.spec | 18 ++-- 4 files changed, 12 insertions(+), 109 deletions(-) delete mode 100644 SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch diff --git a/.gitignore b/.gitignore index 0898cbf..eb6e49f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/icu4c-64_2-src.tgz -SOURCES/node-v10.23.1-stripped.tar.gz +SOURCES/node-v10.24.0-stripped.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index 88bcbc8..fac6a06 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,2 @@ 3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz -21b2943f71c0aa6c9271da21c3f09f52451be8fa SOURCES/node-v10.23.1-stripped.tar.gz +be0e0b385a852c376f452b3d94727492e05407e4 SOURCES/node-v10.24.0-stripped.tar.gz diff --git a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch deleted file mode 100644 index b7270a0..0000000 --- a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch +++ /dev/null @@ -1,99 +0,0 @@ -From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001 -From: isaacs -Date: Tue, 8 Dec 2020 14:21:50 -0800 -Subject: [PATCH] do not allow invalid hazardous string as section name - -Signed-off-by: rpm-build ---- - deps/npm/node_modules/ini/ini.js | 8 +++++ - deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++ - 2 files changed, 53 insertions(+) - create mode 100644 deps/npm/node_modules/ini/test/proto.js - -diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js -index 590195d..0401258 100644 ---- a/deps/npm/node_modules/ini/ini.js -+++ b/deps/npm/node_modules/ini/ini.js -@@ -80,6 +80,12 @@ function decode (str) { - if (!match) return - if (match[1] !== undefined) { - section = unsafe(match[1]) -+ if (section === '__proto__') { -+ // not allowed -+ // keep parsing the section, but don't attach it. -+ p = {} -+ return -+ } - p = out[section] = out[section] || {} - return - } -@@ -94,6 +100,7 @@ function decode (str) { - // Convert keys with '[]' suffix to an array - if (key.length > 2 && key.slice(-2) === '[]') { - key = key.substring(0, key.length - 2) -+ if (key === '__proto__') return - if (!p[key]) { - p[key] = [] - } else if (!Array.isArray(p[key])) { -@@ -125,6 +132,7 @@ function decode (str) { - var l = parts.pop() - var nl = l.replace(/\\\./g, '.') - parts.forEach(function (part, _, __) { -+ if (part === '__proto__') return - if (!p[part] || typeof p[part] !== 'object') p[part] = {} - p = p[part] - }) -diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js -new file mode 100644 -index 0000000..ab35533 ---- /dev/null -+++ b/deps/npm/node_modules/ini/test/proto.js -@@ -0,0 +1,45 @@ -+var ini = require('../') -+var t = require('tap') -+ -+var data = ` -+__proto__ = quux -+foo = baz -+[__proto__] -+foo = bar -+[other] -+foo = asdf -+[kid.__proto__.foo] -+foo = kid -+[arrproto] -+hello = snyk -+__proto__[] = you did a good job -+__proto__[] = so you deserve arrays -+thanks = true -+` -+var res = ini.parse(data) -+t.deepEqual(res, { -+ foo: 'baz', -+ other: { -+ foo: 'asdf', -+ }, -+ kid: { -+ foo: { -+ foo: 'kid', -+ }, -+ }, -+ arrproto: { -+ hello: 'snyk', -+ thanks: true, -+ }, -+}) -+t.equal(res.__proto__, Object.prototype) -+t.equal(res.kid.__proto__, Object.prototype) -+t.equal(res.kid.foo.__proto__, Object.prototype) -+t.equal(res.arrproto.__proto__, Object.prototype) -+t.equal(Object.prototype.foo, undefined) -+t.equal(Object.prototype[0], undefined) -+t.equal(Object.prototype['0'], undefined) -+t.equal(Object.prototype[1], undefined) -+t.equal(Object.prototype['1'], undefined) -+t.equal(Array.prototype[0], undefined) -+t.equal(Array.prototype[1], undefined) --- -2.29.2 - diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index e0b85f4..7021757 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -24,8 +24,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 10 -%global nodejs_minor 23 -%global nodejs_patch 1 +%global nodejs_minor 24 +%global nodejs_patch 0 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 64 @@ -94,7 +94,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 10 +%global npm_patch 11 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # In order to avoid needing to keep incrementing the release version for the @@ -149,9 +149,7 @@ Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch # CVE-2020-7774 Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch -# CVE-2020-7788 -Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch - +BuildRequires: make BuildRequires: python2-devel BuildRequires: python3-devel BuildRequires: zlib-devel @@ -369,7 +367,6 @@ export LDFLAGS="%{build_ldflags}" --shared-zlib \ --without-dtrace \ --with-intl=small-icu \ - --debug-nghttp2 \ --openssl-use-def-ca-store %else ./configure --prefix=%{_prefix} \ @@ -381,7 +378,6 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=small-icu \ --with-icu-default-data-dir=%{icudatadir} \ - --debug-nghttp2 \ --openssl-use-def-ca-store %endif @@ -625,6 +621,12 @@ end %changelog +* Wed Feb 24 2021 Zuzana Svetlikova - 1:10.24.0-1 +- Resolves: RHBZ#1932373, RHBZ#1932426 +- Resolves CVE-2021-22883 and CVE-2021-22884 +- remove -debug-nghttp2 flag (1930775) +- remove ini patch merged upstream + * Mon Jan 18 2021 Zuzana Svetlikova - 1:10.23.1-1 - January Security release - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/