From 36baa4db0d3900700a8a426340d30154c4c6312a Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 28 Mar 2024 13:59:00 +0000 Subject: [PATCH] import CS nodejs-20.11.1-1.module_el8+985+db5db696 --- .gitignore | 6 +- .nodejs.metadata | 8 +- SOURCES/nodejs-fips-disable-options.patch | 83 ++++++++++++++++++++ SOURCES/nodejs-tarball.sh | 96 ++++++++++++++++------- SPECS/nodejs.spec | 55 +++++++++---- 5 files changed, 197 insertions(+), 51 deletions(-) create mode 100644 SOURCES/nodejs-fips-disable-options.patch diff --git a/.gitignore b/.gitignore index ddedfca..457f69d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ SOURCES/cjs-module-lexer-1.2.2.tar.gz SOURCES/icu4c-73_2-src.tgz -SOURCES/node-v20.5.1-stripped.tar.gz -SOURCES/undici-5.22.1.tar.gz +SOURCES/node-v20.11.1-stripped.tar.gz +SOURCES/undici-5.28.3.tar.gz SOURCES/wasi-sdk-wasi-sdk-11.tar.gz -SOURCES/wasi-sdk-wasi-sdk-14.tar.gz +SOURCES/wasi-sdk-wasi-sdk-16.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index 58af5ff..5ce97c8 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,6 +1,6 @@ -d879d8062a018d91b007ef6b36f7dd026654b982 SOURCES/cjs-module-lexer-1.2.2.tar.gz +36854f5860acf4b3f8ef8a08cd4240c81c8ae013 SOURCES/cjs-module-lexer-1.2.2.tar.gz 3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz -1ecddb27a2e04a7829870f11ffcb6dbd3e859f43 SOURCES/node-v20.5.1-stripped.tar.gz -616384b209d651b7cb7b41a8a7752eb2e923806a SOURCES/undici-5.22.1.tar.gz +59aed60100c3d6373c218378ccc8e03eb26cc1e5 SOURCES/node-v20.11.1-stripped.tar.gz +b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz -900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz +fbe01909bf0e8260fcc3696ec37c9f731b5e356a SOURCES/wasi-sdk-wasi-sdk-16.tar.gz diff --git a/SOURCES/nodejs-fips-disable-options.patch b/SOURCES/nodejs-fips-disable-options.patch new file mode 100644 index 0000000..da9808f --- /dev/null +++ b/SOURCES/nodejs-fips-disable-options.patch @@ -0,0 +1,83 @@ +From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001 +From: Michael Dawson +Date: Fri, 23 Feb 2024 13:43:56 +0100 +Subject: [PATCH] Disable FIPS options + +On RHEL, FIPS should be configured only on system level. +Additionally, the related options may cause segfault when used on RHEL. + +This patch causes the option processing to end sooner +than the problematic code gets executed. +Additionally, the JS-level options to mess with FIPS settings +are similarly disabled. + +Upstream report: https://github.com/nodejs/node/pull/48950 +RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726 + +Signed-off-by: rpm-build +--- + lib/crypto.js | 10 ++++++++++ + lib/internal/errors.js | 6 ++++++ + src/crypto/crypto_util.cc | 2 ++ + 3 files changed, 18 insertions(+) + +diff --git a/lib/crypto.js b/lib/crypto.js +index 41adecc..b2627ac 100644 +--- a/lib/crypto.js ++++ b/lib/crypto.js +@@ -36,6 +36,9 @@ const { + assertCrypto(); + + const { ++ // RHEL specific error ++ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED, ++ + ERR_CRYPTO_FIPS_FORCED, + ERR_WORKER_UNSUPPORTED_OPERATION, + } = require('internal/errors').codes; +@@ -251,6 +254,13 @@ function getFips() { + } + + function setFips(val) { ++ // in RHEL FIPS enable/disable should only be done at system level ++ if (getFips() != val) { ++ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED(); ++ } else { ++ return; ++ } ++ + if (getOptionValue('--force-fips')) { + if (val) return; + throw new ERR_CRYPTO_FIPS_FORCED(); +diff --git a/lib/internal/errors.js b/lib/internal/errors.js +index a722360..04d8a53 100644 +--- a/lib/internal/errors.js ++++ b/lib/internal/errors.js +@@ -1060,6 +1060,12 @@ module.exports = { + // + // Note: Node.js specific errors must begin with the prefix ERR_ + ++// insert RHEL specific erro ++E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED', ++ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' + ++ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n', ++ Error); ++ + E('ERR_ACCESS_DENIED', + 'Access to this API has been restricted. Permission: %s', + Error); +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc +index 5734d8f..ef9d1b1 100644 +--- a/src/crypto/crypto_util.cc ++++ b/src/crypto/crypto_util.cc +@@ -121,6 +121,8 @@ bool ProcessFipsOptions() { + /* Override FIPS settings in configuration file, if needed. */ + if (per_process::cli_options->enable_fips_crypto || + per_process::cli_options->force_fips_crypto) { ++ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n"); ++ return false; + #if OPENSSL_VERSION_MAJOR >= 3 + OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips"); + if (fips_provider == nullptr) +-- +2.43.2 diff --git a/SOURCES/nodejs-tarball.sh b/SOURCES/nodejs-tarball.sh index f59d5c2..66f5ca2 100755 --- a/SOURCES/nodejs-tarball.sh +++ b/SOURCES/nodejs-tarball.sh @@ -135,67 +135,109 @@ rm -f node-v${version}.tar.gz set +e # Determine the bundled versions of the various packages +echo "Included software versions" +echo "-------------------------" +echo +echo "Node.js version" +echo "=========================" +echo "${version}" +echo echo "Bundled software versions" echo "-------------------------" echo -echo "libnode shared object version" +echo "libnode shared object version (nodejs_soversion)" echo "=========================" -grep "define NODE_MODULE_VERSION" node-v${version}/src/node_version.h +NODE_SOVERSION=$(grep -oP '(?<=#define NODE_MODULE_VERSION )\d+' node-v${version}/src/node_version.h) +echo "${NODE_SOVERSION}" echo echo "V8" echo "=========================" -grep "define V8_MAJOR_VERSION" node-v${version}/deps/v8/include/v8-version.h -grep "define V8_MINOR_VERSION" node-v${version}/deps/v8/include/v8-version.h -grep "define V8_BUILD_NUMBER" node-v${version}/deps/v8/include/v8-version.h -grep "define V8_PATCH_LEVEL" node-v${version}/deps/v8/include/v8-version.h +V8_MAJOR=$(grep -oP '(?<=#define V8_MAJOR_VERSION )\d+' node-v${version}/deps/v8/include/v8-version.h) +V8_MINOR=$(grep -oP '(?<=#define V8_MINOR_VERSION )\d+' node-v${version}/deps/v8/include/v8-version.h) +V8_BUILD=$(grep -oP '(?<=#define V8_BUILD_NUMBER )\d+' node-v${version}/deps/v8/include/v8-version.h) +V8_PATCH=$(grep -oP '(?<=#define V8_PATCH_LEVEL )\d+' node-v${version}/deps/v8/include/v8-version.h) +echo "${V8_MAJOR}.${V8_MINOR}.${V8_BUILD}.${V8_PATCH}" echo echo "c-ares" echo "=========================" -grep "define ARES_VERSION_MAJOR" node-v${version}/deps/cares/include/ares_version.h -grep "define ARES_VERSION_MINOR" node-v${version}/deps/cares/include/ares_version.h -grep "define ARES_VERSION_PATCH" node-v${version}/deps/cares/include/ares_version.h +C_ARES_VERSION=$(grep -oP '(?<=#define ARES_VERSION_STR ).*\"' node-v${version}/deps/cares/include/ares_version.h |sed -e 's/^"//' -e 's/"$//') +echo $C_ARES_VERSION echo echo "llhttp" echo "=========================" -grep "define LLHTTP_VERSION_MAJOR" node-v${version}/deps/llhttp/include/llhttp.h -grep "define LLHTTP_VERSION_MINOR" node-v${version}/deps/llhttp/include/llhttp.h -grep "define LLHTTP_VERSION_PATCH" node-v${version}/deps/llhttp/include/llhttp.h +LLHTTP_MAJOR=$(grep -oP '(?<=#define LLHTTP_VERSION_MAJOR )\d+' node-v${version}/deps/llhttp/include/llhttp.h) +LLHTTP_MINOR=$(grep -oP '(?<=#define LLHTTP_VERSION_MINOR )\d+' node-v${version}/deps/llhttp/include/llhttp.h) +LLHTTP_PATCH=$(grep -oP '(?<=#define LLHTTP_VERSION_PATCH )\d+' node-v${version}/deps/llhttp/include/llhttp.h) +LLHTTP_VERSION="${LLHTTP_MAJOR}.${LLHTTP_MINOR}.${LLHTTP_PATCH}" +echo $LLHTTP_VERSION echo echo "libuv" echo "=========================" -grep "define UV_VERSION_MAJOR" node-v${version}/deps/uv/include/uv/version.h -grep "define UV_VERSION_MINOR" node-v${version}/deps/uv/include/uv/version.h -grep "define UV_VERSION_PATCH" node-v${version}/deps/uv/include/uv/version.h +UV_MAJOR=$(grep -oP '(?<=#define UV_VERSION_MAJOR )\d+' node-v${version}/deps/uv/include/uv/version.h) +UV_MINOR=$(grep -oP '(?<=#define UV_VERSION_MINOR )\d+' node-v${version}/deps/uv/include/uv/version.h) +UV_PATCH=$(grep -oP '(?<=#define UV_VERSION_PATCH )\d+' node-v${version}/deps/uv/include/uv/version.h) +LIBUV_VERSION="${UV_MAJOR}.${UV_MINOR}.${UV_PATCH}" +echo $LIBUV_VERSION echo echo "nghttp2" echo "=========================" -grep "define NGHTTP2_VERSION " node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h +NGHTTP2_VERSION=$(grep -oP '(?<=#define NGHTTP2_VERSION ).*\"' node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h |sed -e 's/^"//' -e 's/"$//') +echo $NGHTTP2_VERSION echo echo "nghttp3" echo "=========================" -grep "define NGHTTP3_VERSION " node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h +NGHTTP3_VERSION=$(grep -oP '(?<=#define NGHTTP3_VERSION ).*\"' node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h |sed -e 's/^"//' -e 's/"$//') +echo $NGHTTP3_VERSION echo echo "ngtcp2" echo "=========================" -grep "define NGTCP2_VERSION " node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h +NGTCP2_VERSION=$(grep -oP '(?<=#define NGTCP2_VERSION ).*\"' node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h |sed -e 's/^"//' -e 's/"$//') +echo $NGTCP2_VERSION echo echo "ICU" echo "=========================" -grep "url" node-v${version}/tools/icu/current_ver.dep +ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g') +ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g') +echo "${ICU_MAJOR}.${ICU_MINOR}" +echo +echo "simdutf" +echo "=========================" +SIMDUTF_VERSION=$(grep -oP '(?<=#define SIMDUTF_VERSION ).*\"' node-v${version}/deps/simdutf/simdutf.h |sed -e 's/^"//' -e 's/"$//') +echo $SIMDUTF_VERSION +echo +echo "ada" +echo "=========================" +ADA_VERSION=$(grep -osP '(?<=#define ADA_VERSION ).*\"' node-v${version}/deps/ada/ada.h |sed -e 's/^"//' -e 's/"$//') +ADA_VERSION=${ADA_VERSION:-0} +echo "${ADA_VERSION}" echo echo "punycode" echo "=========================" -grep "'version'" node-v${version}/lib/punycode.js -echo -echo "uvwasi" -echo "=========================" -grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h -grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h -grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h +PUNYCODE_VERSION=$(grep -oP "'version': '\K[^']+" ./node-v${version}/lib/punycode.js) +echo $PUNYCODE_VERSION echo echo "npm" echo "=========================" -grep "\"version\":" node-v${version}/deps/npm/package.json +NPM_VERSION=$(jq -r .version ./node-v${version}/deps/npm/package.json) +echo $NPM_VERSION +echo +echo "corepack" +echo "=========================" +COREPACK_VERSION=$(jq -r .version ./node-v${version}/deps/corepack/package.json) +echo $COREPACK_VERSION +echo +echo "uvwasi" +echo "=========================" +UVWASI_MAJOR=$(grep -oP '(?<=#define UVWASI_VERSION_MAJOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h) +UVWASI_MINOR=$(grep -oP '(?<=#define UVWASI_VERSION_MINOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h) +UVWASI_PATCH=$(grep -oP '(?<=#define UVWASI_VERSION_PATCH )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h) +UVWASI_VERSION="${UVWASI_MAJOR}.${UVWASI_MINOR}.${UVWASI_PATCH}" +echo $UVWASI_VERSION +echo +echo "histogram_c" +echo "=========================" +HISTOGRAM_VERSION=$(grep -oP '(?<=#define HDR_HISTOGRAM_VERSION ).*\"' node-v${version}/deps/histogram/include/hdr/hdr_histogram_version.h|sed -e 's/^"//' -e 's/"$//') +echo $HISTOGRAM_VERSION echo echo "Make sure these versions match what is in the RPM spec file" diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index c908d65..e17e4de 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -44,7 +44,7 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 20 -%global nodejs_minor 5 +%global nodejs_minor 11 %global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -69,7 +69,7 @@ # c-ares - from deps/cares/include/ares_version.h # https://github.com/nodejs/node/pull/9332 -%global c_ares_version 1.19.1 +%global c_ares_version 1.20.1 # llhttp - from deps/llhttp/include/llhttp.h %global llhttp_version 8.1.1 @@ -78,7 +78,7 @@ %global libuv_version 1.46.0 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h -%global nghttp2_version 1.55.1 +%global nghttp2_version 1.58.0 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h %global nghttp3_version 0.7.0 @@ -106,10 +106,10 @@ %endif # simduft from deps/simdutf/simdutf.h -%global simduft_version 3.2.14 +%global simduft_version 4.0.4 # ada from deps/ada/ada.h -%global ada_version 2.5.1 +%global ada_version 2.7.4 # OpenSSL minimum version %global openssl_minimum 1:1.1.1 @@ -122,7 +122,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 9.8.0 +%global npm_version 10.2.4 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -132,10 +132,10 @@ # Node.js 16.9.1 and later comes with an experimental package management tool # corepack - from deps/corepack/package.json -%global corepack_version 0.19.0 +%global corepack_version 0.23.0 # uvwasi - from deps/uvwasi/include/uvwasi.h -%global uvwasi_version 0.0.18 +%global uvwasi_version 0.0.19 # histogram_c - from deps/histogram/include/hdr/hdr_histogram_version.h %global histogram_version 0.11.8 @@ -177,19 +177,21 @@ Source8: npmrc.builtin.in # Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm Source101: cjs-module-lexer-1.2.2.tar.gz # The WASM blob was made using wasi-sdk v11; compiler libraries are linked in. -# Version source: Makefile +# Version source (cjs-module-lexer tarball): Makefile Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz # Version: jq '.version' deps/undici/src/package.json -# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.22.1.tar.gz -# Adjustments: rm -f undici-5.21.0/lib/llhttp/llhttp*.wasm* -Source111: undici-5.22.1.tar.gz -# The WASM blob was made using wasi-sdk v14; compiler libraries are linked in. -# Version source: build/Dockerfile -Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz +# Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm* +Source111: undici-5.28.3.tar.gz +# The WASM blob was made using wasi-sdk v16; compiler libraries are linked in. +# Version source: deps/undici/src/lib/llhttp/wasm_build_env.txt +# Also check (undici tarball): lib/llhttp/wasm_build_env.txt +Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-16/wasi-sdk-wasi-sdk-16.tar.gz # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch +Patch3: nodejs-fips-disable-options.patch BuildRequires: make BuildRequires: python3-devel @@ -432,7 +434,7 @@ export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cfl export LDFLAGS="%{build_ldflags}" %{__python3} configure.py --prefix=%{_prefix} --verbose \ - --shared-openssl \ + --shared-openssl --openssl-conf-name=openssl_conf \ --shared-zlib \ --shared-brotli \ %{!?with_bundled:--shared-libuv} \ @@ -452,7 +454,7 @@ make BUILDTYPE=Release %{?_smp_mflags} # Extract the ICU data and convert it to the appropriate endianness pushd deps/ -tar xfz %SOURCE3 +tar xfz %{SOURCE3} pushd icu/source @@ -720,6 +722,25 @@ end %changelog +* Wed Feb 21 2024 Lukas Javorsky - 1:20.11.1-1 +- Rebase to version 20.11.1 +- Fixes: CVE-2024-21892 CVE-2024-21896 CVE-2024-22017 CVE-2024-22019 (high) +- Fixes: CVE-2023-46809 CVE-2024-21890 CVE-2024-21891 (medium) + +* Fri Jan 19 2024 Lukas Javorsky - 1:20.11.0-1 +- Rebase to version 20.11.0 +- Resolves: RHEL-21434 + +* Thu Nov 09 2023 Zuzana Svetlikova - 1:20.9.0-1 +- Rebase to LTS +- Resolves: RHEL-16159 + +* Wed Oct 18 2023 Zuzana Svetlikova - 1:20.8.1-1 +- Update node and nghttp +- Add fips patch +- Fixes CVE-2023-44487 (nghttp) +- Fixes CVE-2023-45143, CVE-2023-39331, CVE-2023-39332, CVE-2023-38552, CVE-2023-39333 + * Thu Aug 10 2023 Zuzana Svetlikova - 1:20.5.1-1 - Rebase to new security release - Address CVE-2023-32002, CVE-2023-32004, CVE-2023-32558 (high)