import nodejs-18.14.2-2.module+el9.2.0.z+18497+a402347c
This commit is contained in:
parent
ef12377d81
commit
24f80b6a5f
6
.gitignore
vendored
6
.gitignore
vendored
@ -1,6 +1,6 @@
|
|||||||
SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||||
SOURCES/icu4c-71_1-src.tgz
|
SOURCES/icu4c-72_1-src.tgz
|
||||||
SOURCES/node-v18.12.1-stripped.tar.gz
|
SOURCES/node-v18.14.2-stripped.tar.gz
|
||||||
SOURCES/undici-5.11.0.tar.gz
|
SOURCES/undici-5.20.0.tar.gz
|
||||||
SOURCES/wasi-sdk-11.0-linux.tar.gz
|
SOURCES/wasi-sdk-11.0-linux.tar.gz
|
||||||
SOURCES/wasi-sdk-14.0-linux.tar.gz
|
SOURCES/wasi-sdk-14.0-linux.tar.gz
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||||
406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
|
a97546f0119c37a3526143bc29fb573a4417ff84 SOURCES/icu4c-72_1-src.tgz
|
||||||
20d62c96ab85808e1043376f0d889f74eb2551df SOURCES/node-v18.12.1-stripped.tar.gz
|
f4cd3bd79f9ed923f8fd85ac75cc270a91cae6ea SOURCES/node-v18.14.2-stripped.tar.gz
|
||||||
0ea4e5cfe13969896bf41c0d2d029a621917b944 SOURCES/undici-5.11.0.tar.gz
|
0b3e890fd45200fb3a2fdc14408cc51e23990480 SOURCES/undici-5.20.0.tar.gz
|
||||||
ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz
|
ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz
|
||||||
c29e21be754c26cac4bf99848c5b1f4e8564e248 SOURCES/wasi-sdk-14.0-linux.tar.gz
|
c29e21be754c26cac4bf99848c5b1f4e8564e248 SOURCES/wasi-sdk-14.0-linux.tar.gz
|
||||||
|
@ -1,29 +1,18 @@
|
|||||||
From fe1e9d3f6d87416aa4cd8f8bee186d71a8ea2b0f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Zuzana Svetlikova <zsvetlik@redhat.com>
|
|
||||||
Date: Fri, 17 Apr 2020 12:59:44 +0200
|
|
||||||
Subject: [PATCH] Disable running gyp on shared deps
|
|
||||||
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
Makefile | 2 +-
|
|
||||||
node.gyp | 17 -----------------
|
|
||||||
2 files changed, 1 insertion(+), 18 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/Makefile b/Makefile
|
diff --git a/Makefile b/Makefile
|
||||||
index e0d756f..c90bfa7 100644
|
index 9401346623..c9d3da24c5 100644
|
||||||
--- a/Makefile
|
--- a/Makefile
|
||||||
+++ b/Makefile
|
+++ b/Makefile
|
||||||
@@ -147,7 +147,7 @@ with-code-cache test-code-cache:
|
@@ -169,7 +169,7 @@ with-code-cache test-code-cache:
|
||||||
$(warning '$@' target is a noop)
|
$(warning '$@' target is a noop)
|
||||||
|
|
||||||
out/Makefile: config.gypi common.gypi node.gyp \
|
out/Makefile: config.gypi common.gypi node.gyp \
|
||||||
- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
|
- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
|
||||||
+ deps/llhttp/llhttp.gyp \
|
+ deps/llhttp/llhttp.gyp \
|
||||||
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
|
deps/simdutf/simdutf.gyp \
|
||||||
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
|
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
|
||||||
$(PYTHON) tools/gyp_node.py -f make
|
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
|
||||||
diff --git a/node.gyp b/node.gyp
|
diff --git a/node.gyp b/node.gyp
|
||||||
index 6b3a6d9..5882cef 100644
|
index cec24aed03..13af00f40d 100644
|
||||||
--- a/node.gyp
|
--- a/node.gyp
|
||||||
+++ b/node.gyp
|
+++ b/node.gyp
|
||||||
@@ -429,23 +429,6 @@
|
@@ -429,23 +429,6 @@
|
||||||
@ -41,7 +30,7 @@ index 6b3a6d9..5882cef 100644
|
|||||||
- 'inputs': [ '<(opensslconfig)', ],
|
- 'inputs': [ '<(opensslconfig)', ],
|
||||||
- 'outputs': [ '<(opensslconfig_internal)', ],
|
- 'outputs': [ '<(opensslconfig_internal)', ],
|
||||||
- 'action': [
|
- 'action': [
|
||||||
- 'python', 'tools/copyfile.py',
|
- '<(python)', 'tools/copyfile.py',
|
||||||
- '<(opensslconfig)',
|
- '<(opensslconfig)',
|
||||||
- '<(opensslconfig_internal)',
|
- '<(opensslconfig_internal)',
|
||||||
- ],
|
- ],
|
||||||
@ -50,6 +39,3 @@ index 6b3a6d9..5882cef 100644
|
|||||||
}],
|
}],
|
||||||
],
|
],
|
||||||
}, # node_core_target_name
|
}, # node_core_target_name
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
||||||
|
@ -0,0 +1,53 @@
|
|||||||
|
From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
|
||||||
|
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
|
||||||
|
Date: Wed, 18 Jan 2023 22:14:26 +0800
|
||||||
|
Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
|
||||||
|
stack overflow (#497)
|
||||||
|
|
||||||
|
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
|
||||||
|
the input str and initialize a sortlist configuration.
|
||||||
|
|
||||||
|
However, ares_set_sortlist has not any checks about the validity of the input str.
|
||||||
|
It is very easy to create an arbitrary length stack overflow with the unchecked
|
||||||
|
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
|
||||||
|
statements in the config_sortlist call, which could potentially cause severe
|
||||||
|
security impact in practical programs.
|
||||||
|
|
||||||
|
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
|
||||||
|
potential stack overflows.
|
||||||
|
|
||||||
|
fixes #496
|
||||||
|
|
||||||
|
Fix By: @hopper-vul
|
||||||
|
Resolves: CVE-2022-4904
|
||||||
|
|
||||||
|
Signed-off-by: rpm-build <rpm-build>
|
||||||
|
---
|
||||||
|
deps/cares/src/lib/ares_init.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
|
||||||
|
index de5d86c..d5858f6 100644
|
||||||
|
--- a/deps/cares/src/lib/ares_init.c
|
||||||
|
+++ b/deps/cares/src/lib/ares_init.c
|
||||||
|
@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||||||
|
q = str;
|
||||||
|
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
|
||||||
|
q++;
|
||||||
|
+ if (q-str >= 16)
|
||||||
|
+ return ARES_EBADSTR;
|
||||||
|
memcpy(ipbuf, str, q-str);
|
||||||
|
ipbuf[q-str] = '\0';
|
||||||
|
/* Find the prefix */
|
||||||
|
@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||||||
|
const char *str2 = q+1;
|
||||||
|
while (*q && *q != ';' && !ISSPACE(*q))
|
||||||
|
q++;
|
||||||
|
+ if (q-str >= 32)
|
||||||
|
+ return ARES_EBADSTR;
|
||||||
|
memcpy(ipbufpfx, str, q-str);
|
||||||
|
ipbufpfx[q-str] = '\0';
|
||||||
|
str = str2;
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
@ -29,7 +29,7 @@
|
|||||||
# This is used by both the nodejs package and the npm subpackage that
|
# This is used by both the nodejs package and the npm subpackage that
|
||||||
# has a separate version - the name is special so that rpmdev-bumpspec
|
# has a separate version - the name is special so that rpmdev-bumpspec
|
||||||
# will bump this rather than adding .1 to the end.
|
# will bump this rather than adding .1 to the end.
|
||||||
%global baserelease 1
|
%global baserelease 2
|
||||||
|
|
||||||
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
||||||
|
|
||||||
@ -40,8 +40,8 @@
|
|||||||
# than a Fedora release lifecycle.
|
# than a Fedora release lifecycle.
|
||||||
%global nodejs_epoch 1
|
%global nodejs_epoch 1
|
||||||
%global nodejs_major 18
|
%global nodejs_major 18
|
||||||
%global nodejs_minor 12
|
%global nodejs_minor 14
|
||||||
%global nodejs_patch 1
|
%global nodejs_patch 2
|
||||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||||
%global nodejs_soversion 108
|
%global nodejs_soversion 108
|
||||||
@ -57,7 +57,7 @@
|
|||||||
%global v8_major 10
|
%global v8_major 10
|
||||||
%global v8_minor 2
|
%global v8_minor 2
|
||||||
%global v8_build 154
|
%global v8_build 154
|
||||||
%global v8_patch 15
|
%global v8_patch 26
|
||||||
# V8 presently breaks ABI at least every x.y release while never bumping SONAME
|
# V8 presently breaks ABI at least every x.y release while never bumping SONAME
|
||||||
%global v8_abi %{v8_major}.%{v8_minor}
|
%global v8_abi %{v8_major}.%{v8_minor}
|
||||||
%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
|
%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
|
||||||
@ -71,10 +71,10 @@
|
|||||||
%global llhttp_version 6.0.10
|
%global llhttp_version 6.0.10
|
||||||
|
|
||||||
# libuv - from deps/uv/include/uv/version.h
|
# libuv - from deps/uv/include/uv/version.h
|
||||||
%global libuv_version 1.43.0
|
%global libuv_version 1.44.2
|
||||||
|
|
||||||
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
|
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
|
||||||
%global nghttp2_version 1.47.0
|
%global nghttp2_version 1.51.0
|
||||||
|
|
||||||
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
|
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
|
||||||
%global nghttp3_major 0
|
%global nghttp3_major 0
|
||||||
@ -89,7 +89,7 @@
|
|||||||
%global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
|
%global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
|
||||||
|
|
||||||
# ICU - from tools/icu/current_ver.dep
|
# ICU - from tools/icu/current_ver.dep
|
||||||
%global icu_major 71
|
%global icu_major 72
|
||||||
%global icu_minor 1
|
%global icu_minor 1
|
||||||
%global icu_version %{icu_major}.%{icu_minor}
|
%global icu_version %{icu_major}.%{icu_minor}
|
||||||
|
|
||||||
@ -107,6 +107,12 @@
|
|||||||
%global icu_flag full-icu
|
%global icu_flag full-icu
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# simduft from deps/simdutf/simdutf.h
|
||||||
|
%global simduft_major 2
|
||||||
|
%global simduft_minor 0
|
||||||
|
%global simduft_patch 7
|
||||||
|
%global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch}
|
||||||
|
|
||||||
# OpenSSL minimum version
|
# OpenSSL minimum version
|
||||||
%global openssl_minimum 1:1.1.1
|
%global openssl_minimum 1:1.1.1
|
||||||
|
|
||||||
@ -117,7 +123,7 @@
|
|||||||
|
|
||||||
# npm - from deps/npm/package.json
|
# npm - from deps/npm/package.json
|
||||||
%global npm_epoch 1
|
%global npm_epoch 1
|
||||||
%global npm_version 8.19.2
|
%global npm_version 9.5.0
|
||||||
|
|
||||||
# In order to avoid needing to keep incrementing the release version for the
|
# In order to avoid needing to keep incrementing the release version for the
|
||||||
# main package forever, we will just construct one for npm that is guaranteed
|
# main package forever, we will just construct one for npm that is guaranteed
|
||||||
@ -126,7 +132,7 @@
|
|||||||
%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
|
%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
|
||||||
|
|
||||||
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
||||||
%global uvwasi_version 0.0.13
|
%global uvwasi_version 0.0.14
|
||||||
|
|
||||||
# histogram_c - assumed from timestamps
|
# histogram_c - assumed from timestamps
|
||||||
%global histogram_version 0.11.2
|
%global histogram_version 0.11.2
|
||||||
@ -169,15 +175,16 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
|
|||||||
Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
|
Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
|
||||||
|
|
||||||
# Version: jq '.version' deps/undici/src/package.json
|
# Version: jq '.version' deps/undici/src/package.json
|
||||||
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.11.0.tar.gz
|
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.20.0.tar.gz
|
||||||
# Adjustments: rm -f undici-5.11.0/lib/llhttp/llhttp*.wasm
|
# Adjustments: rm -f undici-5.20.0/lib/llhttp/llhttp*.wasm
|
||||||
# wasi-sdk version can be found in Dockerfile
|
# wasi-sdk version can be found in Dockerfile
|
||||||
# https://github.com/nodejs/undici/blob/v5.8.2/build/Dockerfile
|
# https://github.com/nodejs/undici/blob/v5.8.2/build/Dockerfile
|
||||||
Source102: undici-5.11.0.tar.gz
|
Source102: undici-5.20.0.tar.gz
|
||||||
Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-14.0-linux.tar.gz
|
Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-14.0-linux.tar.gz
|
||||||
|
|
||||||
# Disable running gyp on bundled deps we don't use
|
# Disable running gyp on bundled deps we don't use
|
||||||
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||||
|
Patch2: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
@ -276,6 +283,7 @@ Provides: bundled(icu) = %{icu_version}
|
|||||||
# or there's no option to built it as a shared dependency, so we bundle them
|
# or there's no option to built it as a shared dependency, so we bundle them
|
||||||
Provides: bundled(uvwasi) = %{uvwasi_version}
|
Provides: bundled(uvwasi) = %{uvwasi_version}
|
||||||
Provides: bundled(histogram) = %{histogram_version}
|
Provides: bundled(histogram) = %{histogram_version}
|
||||||
|
Provides: bundled(simduft) = %{simduft_version}
|
||||||
|
|
||||||
# Make sure we keep NPM up to date when we update Node.js
|
# Make sure we keep NPM up to date when we update Node.js
|
||||||
Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
|
Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
|
||||||
@ -578,6 +586,8 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
|
|||||||
%doc %{_mandir}/man5/package-json.5*
|
%doc %{_mandir}/man5/package-json.5*
|
||||||
%doc %{_mandir}/man5/package-lock-json.5*
|
%doc %{_mandir}/man5/package-lock-json.5*
|
||||||
%doc %{_mandir}/man5/npm-shrinkwrap-json.5*
|
%doc %{_mandir}/man5/npm-shrinkwrap-json.5*
|
||||||
|
%doc %{_mandir}/man5/npm-global.5.*
|
||||||
|
%doc %{_mandir}/man5/npm-json.5.*
|
||||||
%doc %{_mandir}/man7/config.7*
|
%doc %{_mandir}/man7/config.7*
|
||||||
%doc %{_mandir}/man7/dependency-selectors.7*
|
%doc %{_mandir}/man7/dependency-selectors.7*
|
||||||
%doc %{_mandir}/man7/developers.7*
|
%doc %{_mandir}/man7/developers.7*
|
||||||
@ -599,6 +609,16 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 21 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.14.2-2
|
||||||
|
- Provide simduft
|
||||||
|
- Resolves: #2159389
|
||||||
|
|
||||||
|
* Mon Mar 20 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.14.2-1
|
||||||
|
- Rebase to 18.14.2
|
||||||
|
- Resolves: #2159389
|
||||||
|
- Resolves: CVE-2022-25881, CVE-2022-4904, CVE-2023-23936, CVE-2023-24807
|
||||||
|
- Resolves: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920
|
||||||
|
|
||||||
* Wed Nov 16 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.12.1-1
|
* Wed Nov 16 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.12.1-1
|
||||||
- Rebase + CVEs
|
- Rebase + CVEs
|
||||||
- Resolves: #2142809
|
- Resolves: #2142809
|
||||||
|
Loading…
Reference in New Issue
Block a user