From 24f80b6a5f6bf199f1fcfb94f8104c19bd87af90 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 9 May 2023 11:26:33 +0000 Subject: [PATCH] import nodejs-18.14.2-2.module+el9.2.0.z+18497+a402347c --- .gitignore | 6 +-- .nodejs.metadata | 6 +-- ...1-Disable-running-gyp-on-shared-deps.patch | 32 ++++------- ...tr-len-check-in-config_sortlist-to-a.patch | 53 +++++++++++++++++++ SPECS/nodejs.spec | 44 ++++++++++----- 5 files changed, 100 insertions(+), 41 deletions(-) create mode 100644 SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch diff --git a/.gitignore b/.gitignore index 4e7cce7..15380cb 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ SOURCES/cjs-module-lexer-1.2.2.tar.gz -SOURCES/icu4c-71_1-src.tgz -SOURCES/node-v18.12.1-stripped.tar.gz -SOURCES/undici-5.11.0.tar.gz +SOURCES/icu4c-72_1-src.tgz +SOURCES/node-v18.14.2-stripped.tar.gz +SOURCES/undici-5.20.0.tar.gz SOURCES/wasi-sdk-11.0-linux.tar.gz SOURCES/wasi-sdk-14.0-linux.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index 939f105..29219b1 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,6 +1,6 @@ b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz -406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz -20d62c96ab85808e1043376f0d889f74eb2551df SOURCES/node-v18.12.1-stripped.tar.gz -0ea4e5cfe13969896bf41c0d2d029a621917b944 SOURCES/undici-5.11.0.tar.gz +a97546f0119c37a3526143bc29fb573a4417ff84 SOURCES/icu4c-72_1-src.tgz +f4cd3bd79f9ed923f8fd85ac75cc270a91cae6ea SOURCES/node-v18.14.2-stripped.tar.gz +0b3e890fd45200fb3a2fdc14408cc51e23990480 SOURCES/undici-5.20.0.tar.gz ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz c29e21be754c26cac4bf99848c5b1f4e8564e248 SOURCES/wasi-sdk-14.0-linux.tar.gz diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch index 03590a1..046a7e3 100644 
--- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch +++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,29 +1,18 @@ -From fe1e9d3f6d87416aa4cd8f8bee186d71a8ea2b0f Mon Sep 17 00:00:00 2001 -From: Zuzana Svetlikova -Date: Fri, 17 Apr 2020 12:59:44 +0200 -Subject: [PATCH] Disable running gyp on shared deps - -Signed-off-by: rpm-build ---- - Makefile | 2 +- - node.gyp | 17 ----------------- - 2 files changed, 1 insertion(+), 18 deletions(-) - diff --git a/Makefile b/Makefile -index e0d756f..c90bfa7 100644 +index 9401346623..c9d3da24c5 100644 --- a/Makefile +++ b/Makefile -@@ -147,7 +147,7 @@ with-code-cache test-code-cache: - $(warning '$@' target is a noop) - +@@ -169,7 +169,7 @@ with-code-cache test-code-cache: + $(warning '$@' target is a noop) + out/Makefile: config.gypi common.gypi node.gyp \ - deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \ + deps/llhttp/llhttp.gyp \ - tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ - tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp - $(PYTHON) tools/gyp_node.py -f make + deps/simdutf/simdutf.gyp \ + tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ + tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp diff --git a/node.gyp b/node.gyp -index 6b3a6d9..5882cef 100644 +index cec24aed03..13af00f40d 100644 --- a/node.gyp +++ b/node.gyp @@ -429,23 +429,6 @@ @@ -41,7 +30,7 @@ index 6b3a6d9..5882cef 100644 - 'inputs': [ '<(opensslconfig)', ], - 'outputs': [ '<(opensslconfig_internal)', ], - 'action': [ -- 'python', 'tools/copyfile.py', +- '<(python)', 'tools/copyfile.py', - '<(opensslconfig)', - '<(opensslconfig_internal)', - ], @@ -50,6 +39,3 @@ index 6b3a6d9..5882cef 100644 }], ], }, # node_core_target_name --- -2.36.1 - diff --git a/SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch b/SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch new file mode 100644 index 0000000..69763ba --- /dev/null 
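Review bot: The refreshed patch file no longer carries a From/Date/Subject header or the closing `2.36.1` trailer — the first hunk removes `-From: Zuzana Svetlikova`, `-Subject: [PATCH] Disable running gyp on shared deps` and the diffstat without replacing them — so the file now records neither its author nor its purpose. Keeping at least a `Subject: [PATCH] Disable running gyp on shared deps` line, or a one-line comment above the first `diff --git`, preserves that provenance for the next rebase. The rebased Makefile hunk also leaves `deps/simdutf/simdutf.gyp \` in the `out/Makefile` prerequisites, which is presumably intentional because simdutf stays bundled rather than shared, but the patch text does not say so.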
+++ b/SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch @@ -0,0 +1,53 @@ +From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001 +From: hopper-vul <118949689+hopper-vul@users.noreply.github.com> +Date: Wed, 18 Jan 2023 22:14:26 +0800 +Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid + stack overflow (#497) + +In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse +the input str and initialize a sortlist configuration. + +However, ares_set_sortlist has not any checks about the validity of the input str. +It is very easy to create an arbitrary length stack overflow with the unchecked +`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` +statements in the config_sortlist call, which could potentially cause severe +security impact in practical programs. + +This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the +potential stack overflows. + +fixes #496 + +Fix By: @hopper-vul +Resolves: CVE-2022-4904 + +Signed-off-by: rpm-build +--- + deps/cares/src/lib/ares_init.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c +index de5d86c..d5858f6 100644 +--- a/deps/cares/src/lib/ares_init.c ++++ b/deps/cares/src/lib/ares_init.c +@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + q = str; + while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 16) ++ return ARES_EBADSTR; + memcpy(ipbuf, str, q-str); + ipbuf[q-str] = '\0'; + /* Find the prefix */ +@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str2 = q+1; + while (*q && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 32) ++ return ARES_EBADSTR; + memcpy(ipbufpfx, str, q-str); + ipbufpfx[q-str] = '\0'; + str = str2; +-- +2.39.2 + diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 5d8f9c2..de043e0 100644 --- a/SPECS/nodejs.spec 
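Review bot: The two added guards in config_sortlist compare `q-str` against the bare constants 16 and 32, while the buffers they protect (`ipbuf`, `ipbufpfx`) are declared outside the hunk, so the limits presumably mirror those declarations and will silently drift if a size changes. If both are fixed-size arrays, as the stack-overflow description implies, writing the checks as `if ((size_t)(q-str) >= sizeof ipbuf) return ARES_EBADSTR;` and `if ((size_t)(q-str) >= sizeof ipbufpfx) return ARES_EBADSTR;` ties each bound to its buffer; `>=` is the correct comparison because the next lines store the terminator at index `q-str`. Both returns happen inside the per-entry loop, so any entries already appended to `*sortlist` for earlier elements of the string are left for the caller to release on ARES_EBADSTR — worth confirming that ares_set_sortlist does so, since that path is not in the hunk. The enclosing function starts and ends outside the hunk.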
+++ b/SPECS/nodejs.spec @@ -29,7 +29,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 1 +%global baserelease 2 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -40,8 +40,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 18 -%global nodejs_minor 12 -%global nodejs_patch 1 +%global nodejs_minor 14 +%global nodejs_patch 2 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 108 @@ -57,7 +57,7 @@ %global v8_major 10 %global v8_minor 2 %global v8_build 154 -%global v8_patch 15 +%global v8_patch 26 # V8 presently breaks ABI at least every x.y release while never bumping SONAME %global v8_abi %{v8_major}.%{v8_minor} %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} @@ -71,10 +71,10 @@ %global llhttp_version 6.0.10 # libuv - from deps/uv/include/uv/version.h -%global libuv_version 1.43.0 +%global libuv_version 1.44.2 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h -%global nghttp2_version 1.47.0 +%global nghttp2_version 1.51.0 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h %global nghttp3_major 0 @@ -89,7 +89,7 @@ %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch} # ICU - from tools/icu/current_ver.dep -%global icu_major 71 +%global icu_major 72 %global icu_minor 1 %global icu_version %{icu_major}.%{icu_minor} @@ -107,6 +107,12 @@ %global icu_flag full-icu %endif +# simduft from deps/simdutf/simdutf.h +%global simduft_major 2 +%global simduft_minor 0 +%global simduft_patch 7 +%global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch} + # OpenSSL minimum version %global openssl_minimum 1:1.1.1 
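Review bot: The new macros in the `@@ -107,6 +107,12 @@` hunk spell the library `simduft` while the path they cite is `deps/simdutf/simdutf.h`; the bundled library is simdutf, so the later `Provides: bundled(simduft) = %{simduft_version}` line and the changelog entry "Provide simduft" advertise a name that bundled-library tracking will not match, which defeats the point of declaring the bundle for vulnerability tracking. Renaming the four macros to `simdutf_major`/`simdutf_minor`/`simdutf_patch`/`simdutf_version` and the Provides to `Provides: bundled(simdutf) = %{simdutf_version}` fixes all three places. The header comment should likewise read `# simdutf - from deps/simdutf/simdutf.h` to match the style of the neighbouring version comments.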
@@ -117,7 +123,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 8.19.2 +%global npm_version 9.5.0 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -126,7 +132,7 @@ %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release} # uvwasi - from deps/uvwasi/include/uvwasi.h -%global uvwasi_version 0.0.13 +%global uvwasi_version 0.0.14 # histogram_c - assumed from timestamps %global histogram_version 0.11.2 @@ -169,15 +175,16 @@ Source101: cjs-module-lexer-1.2.2.tar.gz Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz # Version: jq '.version' deps/undici/src/package.json -# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.11.0.tar.gz -# Adjustments: rm -f undici-5.11.0/lib/llhttp/llhttp*.wasm +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.20.0.tar.gz +# Adjustments: rm -f undici-5.20.0/lib/llhttp/llhttp*.wasm # wasi-sdk version can be found in Dockerfile # https://github.com/nodejs/undici/blob/v5.8.2/build/Dockerfile -Source102: undici-5.11.0.tar.gz +Source102: undici-5.20.0.tar.gz Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-14.0-linux.tar.gz # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch +Patch2: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch BuildRequires: make BuildRequires: python3-devel @@ -276,6 +283,7 @@ Provides: bundled(icu) = %{icu_version} # or there's no option to built it as a shared dependency, so we bundle them Provides: bundled(uvwasi) = %{uvwasi_version} Provides: bundled(histogram) = %{histogram_version} +Provides: bundled(simduft) = %{simduft_version} # Make sure we keep NPM up to date when we update Node.js Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist} 
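Review bot: The comment block above `Source102` in the `@@ -169,15 +175,16 @@` hunk updates the undici Original/Adjustments lines to 5.20.0 but still points at `https://github.com/nodejs/undici/blob/v5.8.2/build/Dockerfile` for the wasi-sdk version, so the reference no longer describes the tarball being shipped; it should read `# https://github.com/nodejs/undici/blob/v5.20.0/build/Dockerfile`. The new `Patch2:` line names a file prefixed `0003-`, which reads as if a `0002` patch were missing; either use `Patch3:` or rename the file so tag and prefix agree. Since this patch carries the CVE-2022-4904 fix, it is also worth confirming that %prep (outside this diff) actually applies it, e.g. via `%autosetup -p1` or an explicit `%patch2 -p1`.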
@@ -578,6 +586,8 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod %doc %{_mandir}/man5/package-json.5* %doc %{_mandir}/man5/package-lock-json.5* %doc %{_mandir}/man5/npm-shrinkwrap-json.5* +%doc %{_mandir}/man5/npm-global.5.* +%doc %{_mandir}/man5/npm-json.5.* %doc %{_mandir}/man7/config.7* %doc %{_mandir}/man7/dependency-selectors.7* %doc %{_mandir}/man7/developers.7* @@ -599,6 +609,16 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod %changelog +* Tue Mar 21 2023 Zuzana Svetlikova - 1:18.14.2-2 +- Provide simduft +- Resolves: #2159389 + +* Mon Mar 20 2023 Zuzana Svetlikova - 1:18.14.2-1 +- Rebase to 18.14.2 +- Resolves: #2159389 +- Resolves: CVE-2022-25881, CVE-2022-4904, CVE-2023-23936, CVE-2023-24807 +- Resolves: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920 + * Wed Nov 16 2022 Zuzana Svetlikova - 1:18.12.1-1 - Rebase + CVEs - Resolves: #2142809