Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939,
CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672 Resolves: RHBZ#1988608, RHBZ#1993816, RHBZ#1993810 Resolves: RHBZ#1993097, RHBZ#1993948, RHBZ#1993941, RHBZ#1994963
This commit is contained in:
Zuzana Svetlikova
parent
5309b84257
commit
2909bab199
|
|
@ -17,3 +17,5 @@
|
|||
/node-v16.1.0-stripped.tar.gz
|
||||
/icu4c-69_1-src.tgz
|
||||
/node-v16.4.2-stripped.tar.gz
|
||||
/node-v16.6.2-stripped.tar.gz
|
||||
/node-v16.7.0-stripped.tar.gz
|
||||
|
|
|
|||
|
|
@ -1,99 +0,0 @@
|
|||
From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
|
||||
From: isaacs <i@izs.me>
|
||||
Date: Tue, 8 Dec 2020 14:21:50 -0800
|
||||
Subject: [PATCH] do not allow invalid hazardous string as section name
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/npm/node_modules/ini/ini.js | 8 +++++
|
||||
deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
|
||||
2 files changed, 53 insertions(+)
|
||||
create mode 100644 deps/npm/node_modules/ini/test/proto.js
|
||||
|
||||
diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
|
||||
index 590195d..0401258 100644
|
||||
--- a/deps/npm/node_modules/ini/ini.js
|
||||
+++ b/deps/npm/node_modules/ini/ini.js
|
||||
@@ -80,6 +80,12 @@ function decode (str) {
|
||||
if (!match) return
|
||||
if (match[1] !== undefined) {
|
||||
section = unsafe(match[1])
|
||||
+ if (section === '__proto__') {
|
||||
+ // not allowed
|
||||
+ // keep parsing the section, but don't attach it.
|
||||
+ p = {}
|
||||
+ return
|
||||
+ }
|
||||
p = out[section] = out[section] || {}
|
||||
return
|
||||
}
|
||||
@@ -94,6 +100,7 @@ function decode (str) {
|
||||
// Convert keys with '[]' suffix to an array
|
||||
if (key.length > 2 && key.slice(-2) === '[]') {
|
||||
key = key.substring(0, key.length - 2)
|
||||
+ if (key === '__proto__') return
|
||||
if (!p[key]) {
|
||||
p[key] = []
|
||||
} else if (!Array.isArray(p[key])) {
|
||||
@@ -125,6 +132,7 @@ function decode (str) {
|
||||
var l = parts.pop()
|
||||
var nl = l.replace(/\\\./g, '.')
|
||||
parts.forEach(function (part, _, __) {
|
||||
+ if (part === '__proto__') return
|
||||
if (!p[part] || typeof p[part] !== 'object') p[part] = {}
|
||||
p = p[part]
|
||||
})
|
||||
diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
|
||||
new file mode 100644
|
||||
index 0000000..ab35533
|
||||
--- /dev/null
|
||||
+++ b/deps/npm/node_modules/ini/test/proto.js
|
||||
@@ -0,0 +1,45 @@
|
||||
+var ini = require('../')
|
||||
+var t = require('tap')
|
||||
+
|
||||
+var data = `
|
||||
+__proto__ = quux
|
||||
+foo = baz
|
||||
+[__proto__]
|
||||
+foo = bar
|
||||
+[other]
|
||||
+foo = asdf
|
||||
+[kid.__proto__.foo]
|
||||
+foo = kid
|
||||
+[arrproto]
|
||||
+hello = snyk
|
||||
+__proto__[] = you did a good job
|
||||
+__proto__[] = so you deserve arrays
|
||||
+thanks = true
|
||||
+`
|
||||
+var res = ini.parse(data)
|
||||
+t.deepEqual(res, {
|
||||
+ foo: 'baz',
|
||||
+ other: {
|
||||
+ foo: 'asdf',
|
||||
+ },
|
||||
+ kid: {
|
||||
+ foo: {
|
||||
+ foo: 'kid',
|
||||
+ },
|
||||
+ },
|
||||
+ arrproto: {
|
||||
+ hello: 'snyk',
|
||||
+ thanks: true,
|
||||
+ },
|
||||
+})
|
||||
+t.equal(res.__proto__, Object.prototype)
|
||||
+t.equal(res.kid.__proto__, Object.prototype)
|
||||
+t.equal(res.kid.foo.__proto__, Object.prototype)
|
||||
+t.equal(res.arrproto.__proto__, Object.prototype)
|
||||
+t.equal(Object.prototype.foo, undefined)
|
||||
+t.equal(Object.prototype[0], undefined)
|
||||
+t.equal(Object.prototype['0'], undefined)
|
||||
+t.equal(Object.prototype[1], undefined)
|
||||
+t.equal(Object.prototype['1'], undefined)
|
||||
+t.equal(Array.prototype[0], undefined)
|
||||
+t.equal(Array.prototype[1], undefined)
|
||||
--
|
||||
2.29.2
|
||||
|
||||
27
nodejs.spec
27
nodejs.spec
|
|
@ -25,8 +25,8 @@
|
|||
# than a Fedora release lifecycle.
|
||||
%global nodejs_epoch 1
|
||||
%global nodejs_major 16
|
||||
%global nodejs_minor 4
|
||||
%global nodejs_patch 2
|
||||
%global nodejs_minor 7
|
||||
%global nodejs_patch 0
|
||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||
%global nodejs_soversion 93
|
||||
|
|
@ -40,9 +40,9 @@
|
|||
# Epoch is set to ensure clean upgrades from the old v8 package
|
||||
%global v8_epoch 2
|
||||
%global v8_major 9
|
||||
%global v8_minor 1
|
||||
%global v8_build 269
|
||||
%global v8_patch 36
|
||||
%global v8_minor 2
|
||||
%global v8_build 230
|
||||
%global v8_patch 21
|
||||
# V8 presently breaks ABI at least every x.y release while never bumping SONAME
|
||||
%global v8_abi %{v8_major}.%{v8_minor}
|
||||
%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
|
||||
|
|
@ -52,7 +52,7 @@
|
|||
# https://github.com/nodejs/node/pull/9332
|
||||
%global c_ares_major 1
|
||||
%global c_ares_minor 17
|
||||
%global c_ares_patch 1
|
||||
%global c_ares_patch 2
|
||||
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
|
||||
|
||||
# llhttp - from deps/llhttp/include/llhttp.h
|
||||
|
|
@ -63,7 +63,7 @@
|
|||
|
||||
# libuv - from deps/uv/include/uv/version.h
|
||||
%global libuv_major 1
|
||||
%global libuv_minor 41
|
||||
%global libuv_minor 42
|
||||
%global libuv_patch 0
|
||||
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
|
||||
|
||||
|
|
@ -118,8 +118,8 @@
|
|||
# npm - from deps/npm/package.json
|
||||
%global npm_epoch 1
|
||||
%global npm_major 7
|
||||
%global npm_minor 18
|
||||
%global npm_patch 1
|
||||
%global npm_minor 20
|
||||
%global npm_patch 3
|
||||
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
||||
|
||||
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
||||
|
|
@ -169,9 +169,6 @@ Source7: nodejs_native.attr
|
|||
# Disable running gyp on bundled deps we don't use
|
||||
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||
|
||||
# RHBZ#1915296 - yarn install crashes with nodejs:14 on aarch64
|
||||
# Patch3: 0003-yarn-not-installable-on-aarch64.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: zlib-devel
|
||||
|
|
@ -682,6 +679,12 @@ end
|
|||
|
||||
|
||||
%changelog
|
||||
* Wed Aug 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.7.0-1
|
||||
- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939,
|
||||
- CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
|
||||
- Resolves: RHBZ#1988608, RHBZ#1993816, RHBZ#1993810
|
||||
- Resolves: RHBZ#1993097, RHBZ#1993948, RHBZ#1993941, RHBZ#1994963
|
||||
|
||||
* Fri Jul 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.4.2-1
|
||||
- Resolves: RHBZ#1979847
|
||||
- Resolves CVE-2021-22918(libuv)
|
||||
|
|
|
|||
2
sources
2
sources
|
|
@ -1,2 +1,2 @@
|
|||
SHA512 (node-v16.4.2-stripped.tar.gz) = 6625bdecdf8b3f268d4cb941fec5861bf8c4068589abce28d5cb9df2007fb2355fb090c814e77b5451d1ebab4a43acd07461bfd1d8b85f82af45e0cb11a4a6ab
|
||||
SHA512 (node-v16.7.0-stripped.tar.gz) = 423e4b971614eff10852ccfca8bc9f3638aaa0b689aeb226e3ee5f4dd1616c5cf1959b6c2370d9ccb1fb9e4c40f300f14ee8e2fcfcc6f5a1d1c2a41f1f10790c
|
||||
SHA512 (icu4c-69_1-src.tgz) = d4aeb781715144ea6e3c6b98df5bbe0490bfa3175221a1d667f3e6851b7bd4a638fa4a37d4a921ccb31f02b5d15a6dded9464d98051964a86f7b1cde0ff0aab7
|
||||
|
|
|
|||
Loading…
Reference in New Issue