import OL nodejs-16.19.1-2.el9_2
This commit is contained in:
parent
6ff3d842a8
commit
49323db365
@ -1,19 +1,18 @@
|
||||
From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001
|
||||
From: Zuzana Svetlikova <zsvetlik@redhat.com>
|
||||
Date: Fri, 17 Apr 2020 12:59:44 +0200
|
||||
Subject: [PATCH 1/2] Disable running gyp on shared deps
|
||||
From 8a45f34d9d74d59879973210cf06f4383b9832b8 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Tue, 30 May 2023 13:12:35 +0200
|
||||
Subject: [PATCH] Disable running gyp on shared deps
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
Makefile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644
|
||||
index 6d6f2e4..88e1a11 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -136,11 +136,11 @@ endif
|
||||
.PHONY: test-code-cache
|
||||
with-code-cache test-code-cache:
|
||||
@@ -148,7 +148,7 @@ with-code-cache test-code-cache:
|
||||
$(warning '$@' target is a noop)
|
||||
|
||||
out/Makefile: config.gypi common.gypi node.gyp \
|
||||
@ -22,8 +21,6 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e
|
||||
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
|
||||
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
|
||||
$(PYTHON) tools/gyp_node.py -f make
|
||||
|
||||
# node_version.h is listed because the N-API version is taken from there
|
||||
--
|
||||
2.29.2
|
||||
2.40.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From df574e2999dc6c2c38138bd0c3ec61dfafe9c929 Mon Sep 17 00:00:00 2001
|
||||
From abe534dda44a10e1b80a206c996f2e0e42298f7f Mon Sep 17 00:00:00 2001
|
||||
From: Kornel <kornel@geekhood.net>
|
||||
Date: Fri, 27 Jan 2023 01:20:38 +0000
|
||||
Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
|
||||
@ -41,5 +41,5 @@ index 897798d..79c020a 100644
|
||||
"repository": "https://github.com/kornelski/http-cache-semantics.git",
|
||||
"main": "index.js",
|
||||
--
|
||||
2.39.2
|
||||
2.40.1
|
||||
|
||||
|
@ -1,53 +0,0 @@
|
||||
From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
|
||||
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
|
||||
Date: Wed, 18 Jan 2023 22:14:26 +0800
|
||||
Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
|
||||
stack overflow (#497)
|
||||
|
||||
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
|
||||
the input str and initialize a sortlist configuration.
|
||||
|
||||
However, ares_set_sortlist has not any checks about the validity of the input str.
|
||||
It is very easy to create an arbitrary length stack overflow with the unchecked
|
||||
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
|
||||
statements in the config_sortlist call, which could potentially cause severe
|
||||
security impact in practical programs.
|
||||
|
||||
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
|
||||
potential stack overflows.
|
||||
|
||||
fixes #496
|
||||
|
||||
Fix By: @hopper-vul
|
||||
Resolves: CVE-2022-4904
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/cares/src/lib/ares_init.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
|
||||
index de5d86c..d5858f6 100644
|
||||
--- a/deps/cares/src/lib/ares_init.c
|
||||
+++ b/deps/cares/src/lib/ares_init.c
|
||||
@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||||
q = str;
|
||||
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
|
||||
q++;
|
||||
+ if (q-str >= 16)
|
||||
+ return ARES_EBADSTR;
|
||||
memcpy(ipbuf, str, q-str);
|
||||
ipbuf[q-str] = '\0';
|
||||
/* Find the prefix */
|
||||
@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||||
const char *str2 = q+1;
|
||||
while (*q && *q != ';' && !ISSPACE(*q))
|
||||
q++;
|
||||
+ if (q-str >= 32)
|
||||
+ return ARES_EBADSTR;
|
||||
memcpy(ipbufpfx, str, q-str);
|
||||
ipbufpfx[q-str] = '\0';
|
||||
str = str2;
|
||||
--
|
||||
2.39.2
|
||||
|
16761
SOURCES/0003-deps-update-c-ares-to-1.19.1.patch
Normal file
16761
SOURCES/0003-deps-update-c-ares-to-1.19.1.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -30,7 +30,7 @@
|
||||
# This is used by both the nodejs package and the npm subpackage that
|
||||
# has a separate version - the name is special so that rpmdev-bumpspec
|
||||
# will bump this rather than adding .1 to the end.
|
||||
%global baserelease 1
|
||||
%global baserelease 2
|
||||
|
||||
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -66,7 +66,7 @@
|
||||
|
||||
# c-ares - from deps/cares/include/ares_version.h
|
||||
# https://github.com/nodejs/node/pull/9332
|
||||
%global c_ares_version 1.18.1
|
||||
%global c_ares_version 1.19.1
|
||||
|
||||
# llhttp - from deps/llhttp/include/llhttp.h
|
||||
%global llhttp_version 6.0.10
|
||||
@ -181,8 +181,7 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-
|
||||
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||
# CVE-2022-25881
|
||||
Patch2: 0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
|
||||
# CVE-2022-4904
|
||||
Patch3: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
|
||||
Patch3: 0003-deps-update-c-ares-to-1.19.1.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: python3-devel
|
||||
@ -724,6 +723,10 @@ end
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed May 31 2023 Jan Staněk <jstanek@redhat.com> - 1:16.19.1-2
|
||||
- Update bundled c-ares to 1.19.1
|
||||
Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067
|
||||
|
||||
* Mon Mar 27 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.19.1-1
|
||||
- Rebase to 16.19.1
|
||||
- Resolves: rhbz#2153714
|
||||
|
Loading…
Reference in New Issue
Block a user