rpms/nodejs
7
0
Fork 0
Code Issues Pull Requests Releases Activity

deps(cares): update to 1.19.1

Browse Source
This commit is contained in:
Jan Staněk 2023-05-30 13:49:14 +02:00
parent f1ac163030
commit 38537ff576
No known key found for this signature in database
GPG Key ID: 2972F2037B243B6D
4 changed files with 16784 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
0001-Disable-running-gyp-on-shared-deps.patch
View File

@ -1,5 +1,16 @@
From 030bbedf7d79025848122081e13fe94b0324ad88 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 30 May 2023 13:12:35 +0200
Subject: [PATCH] Disable running gyp on shared deps
Signed-off-by: rpm-build <rpm-build>
---
Makefile | 2 +-
node.gyp | 17 -----------------
2 files changed, 1 insertion(+), 18 deletions(-)
diff --git a/Makefile b/Makefile diff --git a/Makefile b/Makefile
index 9401346623..c9d3da24c5 100644 index 9401346..c9d3da2 100644
--- a/Makefile --- a/Makefile
+++ b/Makefile +++ b/Makefile
@@ -169,7 +169,7 @@ with-code-cache test-code-cache: @@ -169,7 +169,7 @@ with-code-cache test-code-cache:
@ -12,7 +23,7 @@ index 9401346623..c9d3da24c5 100644
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
diff --git a/node.gyp b/node.gyp diff --git a/node.gyp b/node.gyp
index cec24aed03..13af00f40d 100644 index cec24ae..13af00f 100644
--- a/node.gyp --- a/node.gyp
+++ b/node.gyp +++ b/node.gyp
@@ -429,23 +429,6 @@ @@ -429,23 +429,6 @@
@ -39,3 +50,6 @@ index cec24aed03..13af00f40d 100644
}], }],
], ],
}, # node_core_target_name }, # node_core_target_name
--
2.40.1

16761
0002-deps-update-c-ares-to-1.19.1.patch Normal file
View File

File diff suppressed because it is too large Load Diff

53
0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
View File

@ -1,53 +0,0 @@
From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
Date: Wed, 18 Jan 2023 22:14:26 +0800
Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
stack overflow (#497)
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
the input str and initialize a sortlist configuration.
However, ares_set_sortlist has not any checks about the validity of the input str.
It is very easy to create an arbitrary length stack overflow with the unchecked
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
statements in the config_sortlist call, which could potentially cause severe
security impact in practical programs.
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
potential stack overflows.
fixes #496
Fix By: @hopper-vul
Resolves: CVE-2022-4904
Signed-off-by: rpm-build <rpm-build>
---
deps/cares/src/lib/ares_init.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
index de5d86c..d5858f6 100644
--- a/deps/cares/src/lib/ares_init.c
+++ b/deps/cares/src/lib/ares_init.c
@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
q = str;
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 16)
+ return ARES_EBADSTR;
memcpy(ipbuf, str, q-str);
ipbuf[q-str] = '\0';
/* Find the prefix */
@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
const char *str2 = q+1;
while (*q && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 32)
+ return ARES_EBADSTR;
memcpy(ipbufpfx, str, q-str);
ipbufpfx[q-str] = '\0';
str = str2;
--
2.39.2

10
nodejs.spec
View File

@ -29,7 +29,7 @@
# This is used by both the nodejs package and the npm subpackage that # This is used by both the nodejs package and the npm subpackage that
# has a separate version - the name is special so that rpmdev-bumpspec # has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end. # will bump this rather than adding .1 to the end.
%global baserelease 2 %global baserelease 3
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -65,7 +65,7 @@
# c-ares - from deps/cares/include/ares_version.h # c-ares - from deps/cares/include/ares_version.h
# https://github.com/nodejs/node/pull/9332 # https://github.com/nodejs/node/pull/9332
%global c_ares_version 1.18.1 %global c_ares_version 1.19.1
# llhttp - from deps/llhttp/include/llhttp.h # llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_version 6.0.10 %global llhttp_version 6.0.10
@ -184,7 +184,7 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-
# Disable running gyp on bundled deps we don't use # Disable running gyp on bundled deps we don't use
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch2: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch Patch2: 0002-deps-update-c-ares-to-1.19.1.patch
BuildRequires: make BuildRequires: make
BuildRequires: python3-devel BuildRequires: python3-devel
@ -609,6 +609,10 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
%changelog %changelog
* Tue May 30 2023 Jan Staněk <jstanek@redhat.com> - 1:18.14.2-3
- Update bundled c-ares to 1.19.1
Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067
* Tue Mar 21 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.14.2-2 * Tue Mar 21 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.14.2-2
- Provide simduft - Provide simduft
- Resolves: #2159389 - Resolves: #2159389