From 1ab4b3fd8b4588416332a69fc691c36d5ce27e6d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 16 Feb 2021 02:39:28 -0500 Subject: [PATCH] import nodejs-10.23.1-1.module+el8.3.0+9502+012d8a97 --- .gitignore | 2 +- .nodejs.metadata | 2 +- ...1-Disable-running-gyp-on-shared-deps.patch | 15 ++- ...ess-NPM-message-to-run-global-update.patch | 15 ++- ...ICU-data-from-with-icu-default-data-.patch | 24 ++--- ...8n-prototype-pollution-vulnerability.patch | 13 +++ ...o-not-allow-invalid-hazardous-string.patch | 99 +++++++++++++++++++ SPECS/nodejs.spec | 36 +++++-- 8 files changed, 165 insertions(+), 41 deletions(-) create mode 100644 SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch create mode 100644 SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch diff --git a/.gitignore b/.gitignore index 2342a22..0898cbf 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/icu4c-64_2-src.tgz -SOURCES/node-v10.21.0-stripped.tar.gz +SOURCES/node-v10.23.1-stripped.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index be7ac38..88bcbc8 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,2 @@ 3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz -50f10207f2286ca63abd4f351808dc606891d90b SOURCES/node-v10.21.0-stripped.tar.gz +21b2943f71c0aa6c9271da21c3f09f52451be8fa SOURCES/node-v10.23.1-stripped.tar.gz diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch index 79cbc7e..51d360f 100644 --- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch +++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,19 +1,18 @@ -From def28d29f907050d8bcd94ed2e341d128ffa3fa6 Mon Sep 17 00:00:00 2001 +From 2cd4c12776af3da588231d3eb498e6451c30eae5 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Thu, 27 Apr 2017 14:25:42 +0200 -Subject: [PATCH 1/2] Disable running gyp on shared deps +Subject: [PATCH] Disable running gyp on shared deps +Signed-off-by: rpm-build --- Makefile | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile -index 5fc2bb0c58f5532044a14e9f9595b2316f562726..f1c1545caa220d7442d6d92c49412ec7554de123 100644 +index 73feb4c..45bbceb 100644 --- a/Makefile +++ b/Makefile -@@ -121,14 +121,13 @@ with-code-cache: - - .PHONY: test-code-cache +@@ -123,10 +123,9 @@ with-code-cache: test-code-cache: with-code-cache $(PYTHON) tools/test.py $(PARALLEL_ARGS) --mode=$(BUILDTYPE_LOWER) code-cache @@ -27,8 +26,6 @@ index 5fc2bb0c58f5532044a14e9f9595b2316f562726..f1c1545caa220d7442d6d92c49412ec7 $(PYTHON) tools/gyp_node.py -f make config.gypi: configure configure.py - @if [ -x config.status ]; then \ - ./config.status; \ -- -2.19.0 +2.26.2 diff --git a/SOURCES/0002-Suppress-NPM-message-to-run-global-update.patch b/SOURCES/0002-Suppress-NPM-message-to-run-global-update.patch index fd54ee2..e1b721f 100644 --- a/SOURCES/0002-Suppress-NPM-message-to-run-global-update.patch +++ b/SOURCES/0002-Suppress-NPM-message-to-run-global-update.patch @@ -1,20 +1,19 @@ -From ab6c18fd9aba942bee3f2f8030273c846b6025a6 Mon Sep 17 00:00:00 2001 +From e7afb2d6e2a6c8f9c9c32e12a10c3c5c4902a251 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 1 May 2018 08:05:30 -0400 -Subject: [PATCH 2/2] Suppress NPM message to run global update +Subject: [PATCH] Suppress NPM message to run global update Signed-off-by: Stephen Gallagher +Signed-off-by: rpm-build --- deps/npm/bin/npm-cli.js | 54 ----------------------------------------- 1 file changed, 54 deletions(-) diff --git a/deps/npm/bin/npm-cli.js b/deps/npm/bin/npm-cli.js -index 6f76b23828531e7af98a7e3cd7d5abfaac09b40c..98edb6f45fe073e03794a2ae6e7aa7f5500723ee 100755 +index c0d9be0..0f0892e 100755 --- a/deps/npm/bin/npm-cli.js +++ b/deps/npm/bin/npm-cli.js -@@ -67,69 +67,15 @@ - if (conf.usage && npm.command !== 'help') { - npm.argv.unshift(npm.command) +@@ -71,65 +71,11 @@ npm.command = 'help' } @@ -80,8 +79,6 @@ index 6f76b23828531e7af98a7e3cd7d5abfaac09b40c..98edb6f45fe073e03794a2ae6e7aa7f5 npm.commands[npm.command](npm.argv, function (err) { // https://genius.com/Lin-manuel-miranda-your-obedient-servant-lyrics if ( - !err && - npm.config.get('ham-it-up') && -- -2.19.0 +2.26.2 diff --git a/SOURCES/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch b/SOURCES/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch index 667d6af..14d39ae 100644 --- a/SOURCES/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch +++ b/SOURCES/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch @@ -1,8 +1,7 @@ -From 9ca4d4aeccf50e6c036e5536ef070a09c1776817 Mon Sep 17 00:00:00 2001 +From 0028cc74dac4dd24b8599ade85cb49fdafa9f559 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Fri, 6 Dec 2019 16:40:25 -0500 -Subject: [PATCH 3/3] build: auto-load ICU data from - --with-icu-default-data-dir +Subject: [PATCH] build: auto-load ICU data from --with-icu-default-data-dir When compiled with `--with-intl=small` and `--with-icu-default-data-dir=PATH`, Node.js will use PATH as a @@ -28,6 +27,7 @@ the associated storage costs). Refs: https://github.com/nodejs/node/issues/3460 Signed-off-by: Stephen Gallagher +Signed-off-by: rpm-build --- configure.py | 9 +++++++++ node.gypi | 7 +++++++ @@ -35,13 +35,13 @@ Signed-off-by: Stephen Gallagher 3 files changed, 36 insertions(+) diff --git a/configure.py b/configure.py -index 48389fbdcb57cbf8d9c11d4921c65f34a1937cc7..063e8748b954a7fed4fe084399e61371c061edab 100755 +index 89f7bf5..d611a88 100755 --- a/configure.py +++ b/configure.py @@ -433,6 +433,14 @@ intl_optgroup.add_option('--with-icu-source', 'the icu4c source archive. ' 'v%d.x or later recommended.' % icu_versions['minimum_icu']) - + +intl_optgroup.add_option('--with-icu-default-data-dir', + action='store', + dest='with_icu_default_data_dir', @@ -53,7 +53,7 @@ index 48389fbdcb57cbf8d9c11d4921c65f34a1937cc7..063e8748b954a7fed4fe084399e61371 parser.add_option('--with-ltcg', action='store_true', dest='with_ltcg', -@@ -1360,6 +1368,7 @@ def configure_intl(o): +@@ -1359,6 +1367,7 @@ def configure_intl(o): locs.add('root') # must have root o['variables']['icu_locales'] = string.join(locs,',') # We will check a bit later if we can use the canned deps/icu-small @@ -62,7 +62,7 @@ index 48389fbdcb57cbf8d9c11d4921c65f34a1937cc7..063e8748b954a7fed4fe084399e61371 # full ICU o['variables']['v8_enable_i18n_support'] = 1 diff --git a/node.gypi b/node.gypi -index 466a1746811cfac1a8ce4ef604ef1152c6229ff1..65b97d6466a14f4343a948a5fc36f8a2580badfb 100644 +index 466a174..65b97d6 100644 --- a/node.gypi +++ b/node.gypi @@ -113,6 +113,13 @@ @@ -80,16 +80,16 @@ index 466a1746811cfac1a8ce4ef604ef1152c6229ff1..65b97d6466a14f4343a948a5fc36f8a2 }], [ 'node_use_bundled_v8=="true" and \ diff --git a/src/node.cc b/src/node.cc -index 7c0118758dfd9449283b900209b2ba8df7ddd129..c9840e3e367ca47176a17a7940a1e08eb1f56f78 100644 +index 7c01187..c9840e3 100644 --- a/src/node.cc +++ b/src/node.cc @@ -92,6 +92,7 @@ - + #if defined(NODE_HAVE_I18N_SUPPORT) #include +#include #endif - + #if defined(LEAK_SANITIZER) @@ -2643,6 +2644,25 @@ void Init(std::vector* argv, // If the parameter isn't given, use the env variable. @@ -117,6 +117,6 @@ index 7c0118758dfd9449283b900209b2ba8df7ddd129..c9840e3e367ca47176a17a7940a1e08e // Initialize ICU. // If icu_data_dir is empty here, it will load the 'minimal' data. if (!i18n::InitializeICUDirectory(per_process_opts->icu_data_dir)) { --- -2.24.1 +-- +2.26.2 diff --git a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch new file mode 100644 index 0000000..88a9d75 --- /dev/null +++ b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch @@ -0,0 +1,13 @@ +diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js +index d720681628..727362aac0 100644 +--- a/deps/npm/node_modules/y18n/index.js ++++ b/deps/npm/node_modules/y18n/index.js +@@ -11,7 +11,7 @@ function Y18N (opts) { + this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true + + // internal stuff. +- this.cache = {} ++ this.cache = Object.create(null) + this.writeQueue = [] + } + diff --git a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch new file mode 100644 index 0000000..b7270a0 --- /dev/null +++ b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch @@ -0,0 +1,99 @@ +From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001 +From: isaacs +Date: Tue, 8 Dec 2020 14:21:50 -0800 +Subject: [PATCH] do not allow invalid hazardous string as section name + +Signed-off-by: rpm-build +--- + deps/npm/node_modules/ini/ini.js | 8 +++++ + deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + create mode 100644 deps/npm/node_modules/ini/test/proto.js + +diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js +index 590195d..0401258 100644 +--- a/deps/npm/node_modules/ini/ini.js ++++ b/deps/npm/node_modules/ini/ini.js +@@ -80,6 +80,12 @@ function decode (str) { + if (!match) return + if (match[1] !== undefined) { + section = unsafe(match[1]) ++ if (section === '__proto__') { ++ // not allowed ++ // keep parsing the section, but don't attach it. ++ p = {} ++ return ++ } + p = out[section] = out[section] || {} + return + } +@@ -94,6 +100,7 @@ function decode (str) { + // Convert keys with '[]' suffix to an array + if (key.length > 2 && key.slice(-2) === '[]') { + key = key.substring(0, key.length - 2) ++ if (key === '__proto__') return + if (!p[key]) { + p[key] = [] + } else if (!Array.isArray(p[key])) { +@@ -125,6 +132,7 @@ function decode (str) { + var l = parts.pop() + var nl = l.replace(/\\\./g, '.') + parts.forEach(function (part, _, __) { ++ if (part === '__proto__') return + if (!p[part] || typeof p[part] !== 'object') p[part] = {} + p = p[part] + }) +diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js +new file mode 100644 +index 0000000..ab35533 +--- /dev/null ++++ b/deps/npm/node_modules/ini/test/proto.js +@@ -0,0 +1,45 @@ ++var ini = require('../') ++var t = require('tap') ++ ++var data = ` ++__proto__ = quux ++foo = baz ++[__proto__] ++foo = bar ++[other] ++foo = asdf ++[kid.__proto__.foo] ++foo = kid ++[arrproto] ++hello = snyk ++__proto__[] = you did a good job ++__proto__[] = so you deserve arrays ++thanks = true ++` ++var res = ini.parse(data) ++t.deepEqual(res, { ++ foo: 'baz', ++ other: { ++ foo: 'asdf', ++ }, ++ kid: { ++ foo: { ++ foo: 'kid', ++ }, ++ }, ++ arrproto: { ++ hello: 'snyk', ++ thanks: true, ++ }, ++}) ++t.equal(res.__proto__, Object.prototype) ++t.equal(res.kid.__proto__, Object.prototype) ++t.equal(res.kid.foo.__proto__, Object.prototype) ++t.equal(res.arrproto.__proto__, Object.prototype) ++t.equal(Object.prototype.foo, undefined) ++t.equal(Object.prototype[0], undefined) ++t.equal(Object.prototype['0'], undefined) ++t.equal(Object.prototype[1], undefined) ++t.equal(Object.prototype['1'], undefined) ++t.equal(Array.prototype[0], undefined) ++t.equal(Array.prototype[1], undefined) +-- +2.29.2 + diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index e1a6e02..e0b85f4 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -13,7 +13,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 3 +%global baserelease 1 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -24,8 +24,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 10 -%global nodejs_minor 21 -%global nodejs_patch 0 +%global nodejs_minor 23 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 64 @@ -57,7 +57,7 @@ # http-parser - from deps/http_parser/http_parser.h %global http_parser_major 2 %global http_parser_minor 9 -%global http_parser_patch 3 +%global http_parser_patch 4 %global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch} # libuv - from deps/uv/include/uv/version.h @@ -94,7 +94,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 4 +%global npm_patch 10 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # In order to avoid needing to keep incrementing the release version for the @@ -103,7 +103,7 @@ # base npm version number is increasing. %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release} -# brotli - from deps/brotli/common/version.h +# brotli - from deps/brotli/c/common/version.h # v10.x doesn't have --shared-brotli configure option, so we have to bundle it %global brotli_major 1 %global brotli_minor 0 @@ -146,6 +146,12 @@ Patch2: 0002-Suppress-NPM-message-to-run-global-update.patch # https://github.com/nodejs/node/pull/30825 Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch +# CVE-2020-7774 +Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch + +# CVE-2020-7788 +Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch + BuildRequires: python2-devel BuildRequires: python3-devel BuildRequires: zlib-devel @@ -619,17 +625,29 @@ end %changelog +* Mon Jan 18 2021 Zuzana Svetlikova - 1:10.23.1-1 +- January Security release +- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ +- Rebase to 10.23.1 +- Resolves: RHBZ#1916461, RHBZ#1914789 +- Resolves: RHBZ#1914783, RHBZ#1916462, RHBZ#1916395, RHBZ#1916459 +- Resolves: RHBZ#1916691, RHBZ#1916689, RHBZ#1916388 +- Remove dot-prop patch, as it is fixed by npm rebase + +* Tue Sep 22 2020 Jan Staněk - 1:10.22.1-1 +- Security rebase to 10.22.1 + * Wed Jun 17 2020 Zuzana Svetlikova - 1:10.21.0-3 -- Resolves: RHBZ#1845306 +- Resolves: RHBZ#1845307 - Remove brotli-devel requires from nodejs-devel * Tue Jun 16 2020 Zuzana Svetlikova - 1:10.21.0-2 -- Resolves: RHBZ#1845306 +- Resolves: RHBZ#1845307 - Turn off debug builds * Mon Jun 15 2020 Zuzana Svetlikova - 1:10.21.0-1 - Security update to 10.21.0 -- Resolves: RHBZ#1845306 +- Resolves: RHBZ#1845307 - Fixes CVE-2020-11080, CVE-2020-8174, CVE-2020-10531 - Bundle brotli, because --shared-brotli configure option is missing - Add i18n subpackage