Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939,

CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672

Resolves: RHBZ#1988608, RHBZ#1993816, RHBZ#1993810
Resolves: RHBZ#1993097, RHBZ#1993948, RHBZ#1993941, RHBZ#1994963
This commit is contained in:
Zuzana Svetlikova 2021-08-18 16:26:58 +02:00
parent 5309b84257
commit 2909bab199
4 changed files with 18 additions and 112 deletions

2
.gitignore vendored
View File

@ -17,3 +17,5 @@
/node-v16.1.0-stripped.tar.gz /node-v16.1.0-stripped.tar.gz
/icu4c-69_1-src.tgz /icu4c-69_1-src.tgz
/node-v16.4.2-stripped.tar.gz /node-v16.4.2-stripped.tar.gz
/node-v16.6.2-stripped.tar.gz
/node-v16.7.0-stripped.tar.gz

View File

@ -1,99 +0,0 @@
From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
From: isaacs <i@izs.me>
Date: Tue, 8 Dec 2020 14:21:50 -0800
Subject: [PATCH] do not allow invalid hazardous string as section name
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/ini/ini.js | 8 +++++
deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 deps/npm/node_modules/ini/test/proto.js
diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
index 590195d..0401258 100644
--- a/deps/npm/node_modules/ini/ini.js
+++ b/deps/npm/node_modules/ini/ini.js
@@ -80,6 +80,12 @@ function decode (str) {
if (!match) return
if (match[1] !== undefined) {
section = unsafe(match[1])
+ if (section === '__proto__') {
+ // not allowed
+ // keep parsing the section, but don't attach it.
+ p = {}
+ return
+ }
p = out[section] = out[section] || {}
return
}
@@ -94,6 +100,7 @@ function decode (str) {
// Convert keys with '[]' suffix to an array
if (key.length > 2 && key.slice(-2) === '[]') {
key = key.substring(0, key.length - 2)
+ if (key === '__proto__') return
if (!p[key]) {
p[key] = []
} else if (!Array.isArray(p[key])) {
@@ -125,6 +132,7 @@ function decode (str) {
var l = parts.pop()
var nl = l.replace(/\\\./g, '.')
parts.forEach(function (part, _, __) {
+ if (part === '__proto__') return
if (!p[part] || typeof p[part] !== 'object') p[part] = {}
p = p[part]
})
diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
new file mode 100644
index 0000000..ab35533
--- /dev/null
+++ b/deps/npm/node_modules/ini/test/proto.js
@@ -0,0 +1,45 @@
+var ini = require('../')
+var t = require('tap')
+
+var data = `
+__proto__ = quux
+foo = baz
+[__proto__]
+foo = bar
+[other]
+foo = asdf
+[kid.__proto__.foo]
+foo = kid
+[arrproto]
+hello = snyk
+__proto__[] = you did a good job
+__proto__[] = so you deserve arrays
+thanks = true
+`
+var res = ini.parse(data)
+t.deepEqual(res, {
+ foo: 'baz',
+ other: {
+ foo: 'asdf',
+ },
+ kid: {
+ foo: {
+ foo: 'kid',
+ },
+ },
+ arrproto: {
+ hello: 'snyk',
+ thanks: true,
+ },
+})
+t.equal(res.__proto__, Object.prototype)
+t.equal(res.kid.__proto__, Object.prototype)
+t.equal(res.kid.foo.__proto__, Object.prototype)
+t.equal(res.arrproto.__proto__, Object.prototype)
+t.equal(Object.prototype.foo, undefined)
+t.equal(Object.prototype[0], undefined)
+t.equal(Object.prototype['0'], undefined)
+t.equal(Object.prototype[1], undefined)
+t.equal(Object.prototype['1'], undefined)
+t.equal(Array.prototype[0], undefined)
+t.equal(Array.prototype[1], undefined)
--
2.29.2

View File

@ -25,8 +25,8 @@
# than a Fedora release lifecycle. # than a Fedora release lifecycle.
%global nodejs_epoch 1 %global nodejs_epoch 1
%global nodejs_major 16 %global nodejs_major 16
%global nodejs_minor 4 %global nodejs_minor 7
%global nodejs_patch 2 %global nodejs_patch 0
%global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 93 %global nodejs_soversion 93
@ -40,9 +40,9 @@
# Epoch is set to ensure clean upgrades from the old v8 package # Epoch is set to ensure clean upgrades from the old v8 package
%global v8_epoch 2 %global v8_epoch 2
%global v8_major 9 %global v8_major 9
%global v8_minor 1 %global v8_minor 2
%global v8_build 269 %global v8_build 230
%global v8_patch 36 %global v8_patch 21
# V8 presently breaks ABI at least every x.y release while never bumping SONAME # V8 presently breaks ABI at least every x.y release while never bumping SONAME
%global v8_abi %{v8_major}.%{v8_minor} %global v8_abi %{v8_major}.%{v8_minor}
%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@ -52,7 +52,7 @@
# https://github.com/nodejs/node/pull/9332 # https://github.com/nodejs/node/pull/9332
%global c_ares_major 1 %global c_ares_major 1
%global c_ares_minor 17 %global c_ares_minor 17
%global c_ares_patch 1 %global c_ares_patch 2
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
# llhttp - from deps/llhttp/include/llhttp.h # llhttp - from deps/llhttp/include/llhttp.h
@ -63,7 +63,7 @@
# libuv - from deps/uv/include/uv/version.h # libuv - from deps/uv/include/uv/version.h
%global libuv_major 1 %global libuv_major 1
%global libuv_minor 41 %global libuv_minor 42
%global libuv_patch 0 %global libuv_patch 0
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch} %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
@ -118,8 +118,8 @@
# npm - from deps/npm/package.json # npm - from deps/npm/package.json
%global npm_epoch 1 %global npm_epoch 1
%global npm_major 7 %global npm_major 7
%global npm_minor 18 %global npm_minor 20
%global npm_patch 1 %global npm_patch 3
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# uvwasi - from deps/uvwasi/include/uvwasi.h # uvwasi - from deps/uvwasi/include/uvwasi.h
@ -169,9 +169,6 @@ Source7: nodejs_native.attr
# Disable running gyp on bundled deps we don't use # Disable running gyp on bundled deps we don't use
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
# RHBZ#1915296 - yarn install crashes with nodejs:14 on aarch64
# Patch3: 0003-yarn-not-installable-on-aarch64.patch
BuildRequires: make BuildRequires: make
BuildRequires: python3-devel BuildRequires: python3-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
@ -682,6 +679,12 @@ end
%changelog %changelog
* Wed Aug 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.7.0-1
- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939,
- CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
- Resolves: RHBZ#1988608, RHBZ#1993816, RHBZ#1993810
- Resolves: RHBZ#1993097, RHBZ#1993948, RHBZ#1993941, RHBZ#1994963
* Fri Jul 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.4.2-1 * Fri Jul 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.4.2-1
- Resolves: RHBZ#1979847 - Resolves: RHBZ#1979847
- Resolves CVE-2021-22918(libuv) - Resolves CVE-2021-22918(libuv)

View File

@ -1,2 +1,2 @@
SHA512 (node-v16.4.2-stripped.tar.gz) = 6625bdecdf8b3f268d4cb941fec5861bf8c4068589abce28d5cb9df2007fb2355fb090c814e77b5451d1ebab4a43acd07461bfd1d8b85f82af45e0cb11a4a6ab SHA512 (node-v16.7.0-stripped.tar.gz) = 423e4b971614eff10852ccfca8bc9f3638aaa0b689aeb226e3ee5f4dd1616c5cf1959b6c2370d9ccb1fb9e4c40f300f14ee8e2fcfcc6f5a1d1c2a41f1f10790c
SHA512 (icu4c-69_1-src.tgz) = d4aeb781715144ea6e3c6b98df5bbe0490bfa3175221a1d667f3e6851b7bd4a638fa4a37d4a921ccb31f02b5d15a6dded9464d98051964a86f7b1cde0ff0aab7 SHA512 (icu4c-69_1-src.tgz) = d4aeb781715144ea6e3c6b98df5bbe0490bfa3175221a1d667f3e6851b7bd4a638fa4a37d4a921ccb31f02b5d15a6dded9464d98051964a86f7b1cde0ff0aab7