import nodejs-10.24.0-1.module+el8.3.0+10166+b07ac28e

2021-10-05 12:40:38 -04:00 · 2021-10-05 12:40:38 -04:00 · 32024bab6b
parent 1043993303
commit 32024bab6b
4 changed files with 12 additions and 109 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/icu4c-64_2-src.tgz
-SOURCES/node-v10.23.1-stripped.tar.gz
+SOURCES/node-v10.24.0-stripped.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,2 +1,2 @@
 3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz
-21b2943f71c0aa6c9271da21c3f09f52451be8fa SOURCES/node-v10.23.1-stripped.tar.gz
+be0e0b385a852c376f452b3d94727492e05407e4 SOURCES/node-v10.24.0-stripped.tar.gz
--- a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+++ b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
@ -1,99 +0,0 @@
-From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001
-From: isaacs <i@izs.me>
-Date: Tue, 8 Dec 2020 14:21:50 -0800
-Subject: [PATCH] do not allow invalid hazardous string as section name
-
-Signed-off-by: rpm-build <rpm-build>
---
- deps/npm/node_modules/ini/ini.js        |  8 +++++
- deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
- 2 files changed, 53 insertions(+)
- create mode 100644 deps/npm/node_modules/ini/test/proto.js
-
-diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
-index 590195d..0401258 100644
--- a/deps/npm/node_modules/ini/ini.js
-+++ b/deps/npm/node_modules/ini/ini.js
-@@ -80,6 +80,12 @@ function decode (str) {
-     if (!match) return
-     if (match[1] !== undefined) {
-       section = unsafe(match[1])
-+      if (section === '__proto__') {
-+        // not allowed
-+        // keep parsing the section, but don't attach it.
-+        p = {}
-+        return
-+      }
-       p = out[section] = out[section] || {}
-       return
-     }
-@@ -94,6 +100,7 @@ function decode (str) {
-     // Convert keys with '[]' suffix to an array
-     if (key.length > 2 && key.slice(-2) === '[]') {
-       key = key.substring(0, key.length - 2)
-+      if (key === '__proto__') return
-       if (!p[key]) {
-         p[key] = []
-       } else if (!Array.isArray(p[key])) {
-@@ -125,6 +132,7 @@ function decode (str) {
-     var l = parts.pop()
-     var nl = l.replace(/\\\./g, '.')
-     parts.forEach(function (part, _, __) {
-+      if (part === '__proto__') return
-       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
-       p = p[part]
-     })
-diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
-new file mode 100644
-index 0000000..ab35533
--- /dev/null
-+++ b/deps/npm/node_modules/ini/test/proto.js
-@@ -0,0 +1,45 @@
-+var ini = require('../')
-+var t = require('tap')
-+
-+var data = `
-+__proto__ = quux
-+foo = baz
-+[__proto__]
-+foo = bar
-+[other]
-+foo = asdf
-+[kid.__proto__.foo]
-+foo = kid
-+[arrproto]
-+hello = snyk
-+__proto__[] = you did a good job
-+__proto__[] = so you deserve arrays
-+thanks = true
-+`
-+var res = ini.parse(data)
-+t.deepEqual(res, {
-+  foo: 'baz',
-+  other: {
-+    foo: 'asdf',
-+  },
-+  kid: {
-+    foo: {
-+      foo: 'kid',
-+    },
-+  },
-+  arrproto: {
-+    hello: 'snyk',
-+    thanks: true,
-+  },
-+})
-+t.equal(res.__proto__, Object.prototype)
-+t.equal(res.kid.__proto__, Object.prototype)
-+t.equal(res.kid.foo.__proto__, Object.prototype)
-+t.equal(res.arrproto.__proto__, Object.prototype)
-+t.equal(Object.prototype.foo, undefined)
-+t.equal(Object.prototype[0], undefined)
-+t.equal(Object.prototype['0'], undefined)
-+t.equal(Object.prototype[1], undefined)
-+t.equal(Object.prototype['1'], undefined)
-+t.equal(Array.prototype[0], undefined)
-+t.equal(Array.prototype[1], undefined)
-- 
-2.29.2
-
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -24,8 +24,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 10
-%global nodejs_minor 23
-%global nodejs_patch 1
+%global nodejs_minor 24
+%global nodejs_patch 0
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 64
@ -94,7 +94,7 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 10
+%global npm_patch 11
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}

 # In order to avoid needing to keep incrementing the release version for the
@ -149,9 +149,7 @@ Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
 # CVE-2020-7774
 Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch

-# CVE-2020-7788
-Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
-
+BuildRequires: make
 BuildRequires: python2-devel
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
@ -369,7 +367,6 @@ export LDFLAGS="%{build_ldflags}"
           --shared-zlib \
           --without-dtrace \
           --with-intl=small-icu \
-           --debug-nghttp2 \
           --openssl-use-def-ca-store
 %else
 ./configure --prefix=%{_prefix} \
@ -381,7 +378,6 @@ export LDFLAGS="%{build_ldflags}"
           --with-dtrace \
           --with-intl=small-icu \
           --with-icu-default-data-dir=%{icudatadir} \
-           --debug-nghttp2 \
           --openssl-use-def-ca-store
 %endif

@ -625,6 +621,12 @@ end


 %changelog
+* Wed Feb 24 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.24.0-1
+- Resolves: RHBZ#1932373, RHBZ#1932426
+- Resolves CVE-2021-22883 and CVE-2021-22884
+- remove -debug-nghttp2 flag (1930775)
+- remove ini patch merged upstream
+
 * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1
 - January Security release
 - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/