deps(cares): update to 1.19.1
This commit is contained in:
Jan Staněk
parent
f1ac163030
commit
38537ff576
@ -1,5 +1,16 @@
|
||||
From 030bbedf7d79025848122081e13fe94b0324ad88 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Tue, 30 May 2023 13:12:35 +0200
|
||||
Subject: [PATCH] Disable running gyp on shared deps
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
Makefile | 2 +-
|
||||
node.gyp | 17 -----------------
|
||||
2 files changed, 1 insertion(+), 18 deletions(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 9401346623..c9d3da24c5 100644
|
||||
index 9401346..c9d3da2 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -169,7 +169,7 @@ with-code-cache test-code-cache:
|
||||
@ -12,7 +23,7 @@ index 9401346623..c9d3da24c5 100644
|
||||
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
|
||||
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
|
||||
diff --git a/node.gyp b/node.gyp
|
||||
index cec24aed03..13af00f40d 100644
|
||||
index cec24ae..13af00f 100644
|
||||
--- a/node.gyp
|
||||
+++ b/node.gyp
|
||||
@@ -429,23 +429,6 @@
|
||||
@ -39,3 +50,6 @@ index cec24aed03..13af00f40d 100644
|
||||
}],
|
||||
],
|
||||
}, # node_core_target_name
|
||||
--
|
||||
2.40.1
|
||||
|
||||
|
||||
16761
0002-deps-update-c-ares-to-1.19.1.patch
Normal file
16761
0002-deps-update-c-ares-to-1.19.1.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,53 +0,0 @@
|
||||
From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
|
||||
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
|
||||
Date: Wed, 18 Jan 2023 22:14:26 +0800
|
||||
Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
|
||||
stack overflow (#497)
|
||||
|
||||
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
|
||||
the input str and initialize a sortlist configuration.
|
||||
|
||||
However, ares_set_sortlist has not any checks about the validity of the input str.
|
||||
It is very easy to create an arbitrary length stack overflow with the unchecked
|
||||
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
|
||||
statements in the config_sortlist call, which could potentially cause severe
|
||||
security impact in practical programs.
|
||||
|
||||
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
|
||||
potential stack overflows.
|
||||
|
||||
fixes #496
|
||||
|
||||
Fix By: @hopper-vul
|
||||
Resolves: CVE-2022-4904
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/cares/src/lib/ares_init.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
|
||||
index de5d86c..d5858f6 100644
|
||||
--- a/deps/cares/src/lib/ares_init.c
|
||||
+++ b/deps/cares/src/lib/ares_init.c
|
||||
@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||||
q = str;
|
||||
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
|
||||
q++;
|
||||
+ if (q-str >= 16)
|
||||
+ return ARES_EBADSTR;
|
||||
memcpy(ipbuf, str, q-str);
|
||||
ipbuf[q-str] = '\0';
|
||||
/* Find the prefix */
|
||||
@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||||
const char *str2 = q+1;
|
||||
while (*q && *q != ';' && !ISSPACE(*q))
|
||||
q++;
|
||||
+ if (q-str >= 32)
|
||||
+ return ARES_EBADSTR;
|
||||
memcpy(ipbufpfx, str, q-str);
|
||||
ipbufpfx[q-str] = '\0';
|
||||
str = str2;
|
||||
--
|
||||
2.39.2
|
||||
|
||||
10
nodejs.spec
10
nodejs.spec
@ -29,7 +29,7 @@
|
||||
# This is used by both the nodejs package and the npm subpackage that
|
||||
# has a separate version - the name is special so that rpmdev-bumpspec
|
||||
# will bump this rather than adding .1 to the end.
|
||||
%global baserelease 2
|
||||
%global baserelease 3
|
||||
|
||||
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -65,7 +65,7 @@
|
||||
|
||||
# c-ares - from deps/cares/include/ares_version.h
|
||||
# https://github.com/nodejs/node/pull/9332
|
||||
%global c_ares_version 1.18.1
|
||||
%global c_ares_version 1.19.1
|
||||
|
||||
# llhttp - from deps/llhttp/include/llhttp.h
|
||||
%global llhttp_version 6.0.10
|
||||
@ -184,7 +184,7 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-
|
||||
|
||||
# Disable running gyp on bundled deps we don't use
|
||||
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||
Patch2: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
|
||||
Patch2: 0002-deps-update-c-ares-to-1.19.1.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: python3-devel
|
||||
@ -609,6 +609,10 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue May 30 2023 Jan Staněk <jstanek@redhat.com> - 1:18.14.2-3
|
||||
- Update bundled c-ares to 1.19.1
|
||||
Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067
|
||||
|
||||
* Tue Mar 21 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.14.2-2
|
||||
- Provide simduft
|
||||
- Resolves: #2159389
|
||||
|
||||
Loading…
Reference in New Issue
Block a user