Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939,

CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672 Resolves: RHBZ#1988608, RHBZ#1993816, RHBZ#1993810 Resolves: RHBZ#1993097, RHBZ#1993948, RHBZ#1993941, RHBZ#1994963
2021-08-18 16:26:58 +02:00 · 2021-08-18 16:26:58 +02:00 · 2909bab199
commit 2909bab199
parent 5309b84257
4 changed files with 18 additions and 112 deletions
--- a/.gitignore
+++ b/.gitignore
@ -17,3 +17,5 @@
 /node-v16.1.0-stripped.tar.gz
 /icu4c-69_1-src.tgz
 /node-v16.4.2-stripped.tar.gz
+/node-v16.6.2-stripped.tar.gz
+/node-v16.7.0-stripped.tar.gz
--- a/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+++ b/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
@ -1,99 +0,0 @@
-From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
-From: isaacs <i@izs.me>
-Date: Tue, 8 Dec 2020 14:21:50 -0800
-Subject: [PATCH] do not allow invalid hazardous string as section name
-
-Signed-off-by: rpm-build <rpm-build>
---
- deps/npm/node_modules/ini/ini.js        |  8 +++++
- deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
- 2 files changed, 53 insertions(+)
- create mode 100644 deps/npm/node_modules/ini/test/proto.js
-
-diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
-index 590195d..0401258 100644
--- a/deps/npm/node_modules/ini/ini.js
-+++ b/deps/npm/node_modules/ini/ini.js
-@@ -80,6 +80,12 @@ function decode (str) {
-     if (!match) return
-     if (match[1] !== undefined) {
-       section = unsafe(match[1])
-+      if (section === '__proto__') {
-+        // not allowed
-+        // keep parsing the section, but don't attach it.
-+        p = {}
-+        return
-+      }
-       p = out[section] = out[section] || {}
-       return
-     }
-@@ -94,6 +100,7 @@ function decode (str) {
-     // Convert keys with '[]' suffix to an array
-     if (key.length > 2 && key.slice(-2) === '[]') {
-       key = key.substring(0, key.length - 2)
-+      if (key === '__proto__') return
-       if (!p[key]) {
-         p[key] = []
-       } else if (!Array.isArray(p[key])) {
-@@ -125,6 +132,7 @@ function decode (str) {
-     var l = parts.pop()
-     var nl = l.replace(/\\\./g, '.')
-     parts.forEach(function (part, _, __) {
-+      if (part === '__proto__') return
-       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
-       p = p[part]
-     })
-diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
-new file mode 100644
-index 0000000..ab35533
--- /dev/null
-+++ b/deps/npm/node_modules/ini/test/proto.js
-@@ -0,0 +1,45 @@
-+var ini = require('../')
-+var t = require('tap')
-+
-+var data = `
-+__proto__ = quux
-+foo = baz
-+[__proto__]
-+foo = bar
-+[other]
-+foo = asdf
-+[kid.__proto__.foo]
-+foo = kid
-+[arrproto]
-+hello = snyk
-+__proto__[] = you did a good job
-+__proto__[] = so you deserve arrays
-+thanks = true
-+`
-+var res = ini.parse(data)
-+t.deepEqual(res, {
-+  foo: 'baz',
-+  other: {
-+    foo: 'asdf',
-+  },
-+  kid: {
-+    foo: {
-+      foo: 'kid',
-+    },
-+  },
-+  arrproto: {
-+    hello: 'snyk',
-+    thanks: true,
-+  },
-+})
-+t.equal(res.__proto__, Object.prototype)
-+t.equal(res.kid.__proto__, Object.prototype)
-+t.equal(res.kid.foo.__proto__, Object.prototype)
-+t.equal(res.arrproto.__proto__, Object.prototype)
-+t.equal(Object.prototype.foo, undefined)
-+t.equal(Object.prototype[0], undefined)
-+t.equal(Object.prototype['0'], undefined)
-+t.equal(Object.prototype[1], undefined)
-+t.equal(Object.prototype['1'], undefined)
-+t.equal(Array.prototype[0], undefined)
-+t.equal(Array.prototype[1], undefined)
--
-2.29.2
-
--- a/nodejs.spec
+++ b/nodejs.spec
@ -25,8 +25,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 16
-%global nodejs_minor 4
-%global nodejs_patch 2
+%global nodejs_minor 7
+%global nodejs_patch 0
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 93
@ -40,9 +40,9 @@
 # Epoch is set to ensure clean upgrades from the old v8 package
 %global v8_epoch 2
 %global v8_major 9
-%global v8_minor 1
-%global v8_build 269
-%global v8_patch 36
+%global v8_minor 2
+%global v8_build 230
+%global v8_patch 21
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@ -52,7 +52,7 @@
 # https://github.com/nodejs/node/pull/9332
 %global c_ares_major 1
 %global c_ares_minor 17
-%global c_ares_patch 1
+%global c_ares_patch 2
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}

 # llhttp - from deps/llhttp/include/llhttp.h
@ -63,7 +63,7 @@

 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
-%global libuv_minor 41
+%global libuv_minor 42
 %global libuv_patch 0
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}

@ -118,8 +118,8 @@
 # npm - from deps/npm/package.json
 %global npm_epoch 1
 %global npm_major 7
-%global npm_minor 18
-%global npm_patch 1
+%global npm_minor 20
+%global npm_patch 3
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}

 # uvwasi - from deps/uvwasi/include/uvwasi.h
@ -169,9 +169,6 @@ Source7: nodejs_native.attr
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch

-# RHBZ#1915296 - yarn install crashes with nodejs:14 on aarch64 
-# Patch3: 0003-yarn-not-installable-on-aarch64.patch
-
 BuildRequires: make
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
@ -682,6 +679,12 @@ end


 %changelog
+* Wed Aug 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.7.0-1
+- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939,
+- CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
+- Resolves: RHBZ#1988608, RHBZ#1993816, RHBZ#1993810
+- Resolves: RHBZ#1993097, RHBZ#1993948, RHBZ#1993941, RHBZ#1994963
+
 * Fri Jul 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.4.2-1
 - Resolves: RHBZ#1979847
 - Resolves CVE-2021-22918(libuv)
--- a/2
+++ b/2
@ -1,2 +1,2 @@
-SHA512 (node-v16.4.2-stripped.tar.gz) = 6625bdecdf8b3f268d4cb941fec5861bf8c4068589abce28d5cb9df2007fb2355fb090c814e77b5451d1ebab4a43acd07461bfd1d8b85f82af45e0cb11a4a6ab
+SHA512 (node-v16.7.0-stripped.tar.gz) = 423e4b971614eff10852ccfca8bc9f3638aaa0b689aeb226e3ee5f4dd1616c5cf1959b6c2370d9ccb1fb9e4c40f300f14ee8e2fcfcc6f5a1d1c2a41f1f10790c
 SHA512 (icu4c-69_1-src.tgz) = d4aeb781715144ea6e3c6b98df5bbe0490bfa3175221a1d667f3e6851b7bd4a638fa4a37d4a921ccb31f02b5d15a6dded9464d98051964a86f7b1cde0ff0aab7