import nodejs-10.24.0-1.module+el8.3.0+10166+b07ac28e
This commit is contained in:
parent
1ab4b3fd8b
commit
133b954d80
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
|||||||
SOURCES/icu4c-64_2-src.tgz
|
SOURCES/icu4c-64_2-src.tgz
|
||||||
SOURCES/node-v10.23.1-stripped.tar.gz
|
SOURCES/node-v10.24.0-stripped.tar.gz
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz
|
3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz
|
||||||
21b2943f71c0aa6c9271da21c3f09f52451be8fa SOURCES/node-v10.23.1-stripped.tar.gz
|
be0e0b385a852c376f452b3d94727492e05407e4 SOURCES/node-v10.24.0-stripped.tar.gz
|
||||||
|
@ -1,99 +0,0 @@
|
|||||||
From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: isaacs <i@izs.me>
|
|
||||||
Date: Tue, 8 Dec 2020 14:21:50 -0800
|
|
||||||
Subject: [PATCH] do not allow invalid hazardous string as section name
|
|
||||||
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
deps/npm/node_modules/ini/ini.js | 8 +++++
|
|
||||||
deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
|
|
||||||
2 files changed, 53 insertions(+)
|
|
||||||
create mode 100644 deps/npm/node_modules/ini/test/proto.js
|
|
||||||
|
|
||||||
diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
|
|
||||||
index 590195d..0401258 100644
|
|
||||||
--- a/deps/npm/node_modules/ini/ini.js
|
|
||||||
+++ b/deps/npm/node_modules/ini/ini.js
|
|
||||||
@@ -80,6 +80,12 @@ function decode (str) {
|
|
||||||
if (!match) return
|
|
||||||
if (match[1] !== undefined) {
|
|
||||||
section = unsafe(match[1])
|
|
||||||
+ if (section === '__proto__') {
|
|
||||||
+ // not allowed
|
|
||||||
+ // keep parsing the section, but don't attach it.
|
|
||||||
+ p = {}
|
|
||||||
+ return
|
|
||||||
+ }
|
|
||||||
p = out[section] = out[section] || {}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
@@ -94,6 +100,7 @@ function decode (str) {
|
|
||||||
// Convert keys with '[]' suffix to an array
|
|
||||||
if (key.length > 2 && key.slice(-2) === '[]') {
|
|
||||||
key = key.substring(0, key.length - 2)
|
|
||||||
+ if (key === '__proto__') return
|
|
||||||
if (!p[key]) {
|
|
||||||
p[key] = []
|
|
||||||
} else if (!Array.isArray(p[key])) {
|
|
||||||
@@ -125,6 +132,7 @@ function decode (str) {
|
|
||||||
var l = parts.pop()
|
|
||||||
var nl = l.replace(/\\\./g, '.')
|
|
||||||
parts.forEach(function (part, _, __) {
|
|
||||||
+ if (part === '__proto__') return
|
|
||||||
if (!p[part] || typeof p[part] !== 'object') p[part] = {}
|
|
||||||
p = p[part]
|
|
||||||
})
|
|
||||||
diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..ab35533
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/deps/npm/node_modules/ini/test/proto.js
|
|
||||||
@@ -0,0 +1,45 @@
|
|
||||||
+var ini = require('../')
|
|
||||||
+var t = require('tap')
|
|
||||||
+
|
|
||||||
+var data = `
|
|
||||||
+__proto__ = quux
|
|
||||||
+foo = baz
|
|
||||||
+[__proto__]
|
|
||||||
+foo = bar
|
|
||||||
+[other]
|
|
||||||
+foo = asdf
|
|
||||||
+[kid.__proto__.foo]
|
|
||||||
+foo = kid
|
|
||||||
+[arrproto]
|
|
||||||
+hello = snyk
|
|
||||||
+__proto__[] = you did a good job
|
|
||||||
+__proto__[] = so you deserve arrays
|
|
||||||
+thanks = true
|
|
||||||
+`
|
|
||||||
+var res = ini.parse(data)
|
|
||||||
+t.deepEqual(res, {
|
|
||||||
+ foo: 'baz',
|
|
||||||
+ other: {
|
|
||||||
+ foo: 'asdf',
|
|
||||||
+ },
|
|
||||||
+ kid: {
|
|
||||||
+ foo: {
|
|
||||||
+ foo: 'kid',
|
|
||||||
+ },
|
|
||||||
+ },
|
|
||||||
+ arrproto: {
|
|
||||||
+ hello: 'snyk',
|
|
||||||
+ thanks: true,
|
|
||||||
+ },
|
|
||||||
+})
|
|
||||||
+t.equal(res.__proto__, Object.prototype)
|
|
||||||
+t.equal(res.kid.__proto__, Object.prototype)
|
|
||||||
+t.equal(res.kid.foo.__proto__, Object.prototype)
|
|
||||||
+t.equal(res.arrproto.__proto__, Object.prototype)
|
|
||||||
+t.equal(Object.prototype.foo, undefined)
|
|
||||||
+t.equal(Object.prototype[0], undefined)
|
|
||||||
+t.equal(Object.prototype['0'], undefined)
|
|
||||||
+t.equal(Object.prototype[1], undefined)
|
|
||||||
+t.equal(Object.prototype['1'], undefined)
|
|
||||||
+t.equal(Array.prototype[0], undefined)
|
|
||||||
+t.equal(Array.prototype[1], undefined)
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -24,8 +24,8 @@
|
|||||||
# than a Fedora release lifecycle.
|
# than a Fedora release lifecycle.
|
||||||
%global nodejs_epoch 1
|
%global nodejs_epoch 1
|
||||||
%global nodejs_major 10
|
%global nodejs_major 10
|
||||||
%global nodejs_minor 23
|
%global nodejs_minor 24
|
||||||
%global nodejs_patch 1
|
%global nodejs_patch 0
|
||||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||||
%global nodejs_soversion 64
|
%global nodejs_soversion 64
|
||||||
@ -94,7 +94,7 @@
|
|||||||
%global npm_epoch 1
|
%global npm_epoch 1
|
||||||
%global npm_major 6
|
%global npm_major 6
|
||||||
%global npm_minor 14
|
%global npm_minor 14
|
||||||
%global npm_patch 10
|
%global npm_patch 11
|
||||||
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
||||||
|
|
||||||
# In order to avoid needing to keep incrementing the release version for the
|
# In order to avoid needing to keep incrementing the release version for the
|
||||||
@ -149,9 +149,7 @@ Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
|
|||||||
# CVE-2020-7774
|
# CVE-2020-7774
|
||||||
Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
|
Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
|
||||||
|
|
||||||
# CVE-2020-7788
|
BuildRequires: make
|
||||||
Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
|
|
||||||
|
|
||||||
BuildRequires: python2-devel
|
BuildRequires: python2-devel
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
@ -369,7 +367,6 @@ export LDFLAGS="%{build_ldflags}"
|
|||||||
--shared-zlib \
|
--shared-zlib \
|
||||||
--without-dtrace \
|
--without-dtrace \
|
||||||
--with-intl=small-icu \
|
--with-intl=small-icu \
|
||||||
--debug-nghttp2 \
|
|
||||||
--openssl-use-def-ca-store
|
--openssl-use-def-ca-store
|
||||||
%else
|
%else
|
||||||
./configure --prefix=%{_prefix} \
|
./configure --prefix=%{_prefix} \
|
||||||
@ -381,7 +378,6 @@ export LDFLAGS="%{build_ldflags}"
|
|||||||
--with-dtrace \
|
--with-dtrace \
|
||||||
--with-intl=small-icu \
|
--with-intl=small-icu \
|
||||||
--with-icu-default-data-dir=%{icudatadir} \
|
--with-icu-default-data-dir=%{icudatadir} \
|
||||||
--debug-nghttp2 \
|
|
||||||
--openssl-use-def-ca-store
|
--openssl-use-def-ca-store
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
@ -625,6 +621,12 @@ end
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Feb 24 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.24.0-1
|
||||||
|
- Resolves: RHBZ#1932373, RHBZ#1932426
|
||||||
|
- Resolves CVE-2021-22883 and CVE-2021-22884
|
||||||
|
- remove -debug-nghttp2 flag (1930775)
|
||||||
|
- remove ini patch merged upstream
|
||||||
|
|
||||||
* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1
|
* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1
|
||||||
- January Security release
|
- January Security release
|
||||||
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
|
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
|
||||||
|
Loading…
Reference in New Issue
Block a user