import nodejs-14.21.3-1.module+el8.7.0+18531+81d21ca6

This commit is contained in:
CentOS Sources 2023-04-05 14:13:38 +00:00 committed by Stepan Oksanichenko
parent 59b7e4df64
commit 4dffd5e0d2
6 changed files with 115 additions and 106 deletions

2
.gitignore vendored
View File

@ -1,4 +1,4 @@
SOURCES/cjs-module-lexer-1.2.2.tar.gz
SOURCES/icu4c-70_1-src.tgz
SOURCES/node-v14.21.1-stripped.tar.gz
SOURCES/node-v14.21.3-stripped.tar.gz
SOURCES/wasi-sdk-wasi-sdk-11.tar.gz

View File

@ -1,4 +1,4 @@
6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz
f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
2812a06625a63430d5f36ce9019cc2df321956e6 SOURCES/node-v14.21.1-stripped.tar.gz
9929bfc056f9689ee30a088e923a81db640e39be SOURCES/node-v14.21.3-stripped.tar.gz
8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz

View File

@ -0,0 +1,49 @@
From 201c8b23df7bf986276e62b03f8276e18ef49728 Mon Sep 17 00:00:00 2001
From: Kornel <kornel@geekhood.net>
Date: Fri, 27 Jan 2023 01:20:38 +0000
Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
whitespace
upstream-patch: https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/http-cache-semantics/node4/index.js | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/deps/npm/node_modules/http-cache-semantics/node4/index.js b/deps/npm/node_modules/http-cache-semantics/node4/index.js
index bcdaebe..e427106 100644
--- a/deps/npm/node_modules/http-cache-semantics/node4/index.js
+++ b/deps/npm/node_modules/http-cache-semantics/node4/index.js
@@ -21,7 +21,7 @@ function parseCacheControl(header) {
// TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
// the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
- var parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
+ var parts = header.trim().split(/,/);
for (var _iterator = parts, _isArray = Array.isArray(_iterator), _i = 0, _iterator = _isArray ? _iterator : _iterator[Symbol.iterator]();;) {
var _ref;
@@ -36,11 +36,11 @@ function parseCacheControl(header) {
var part = _ref;
- var _part$split = part.split(/\s*=\s*/, 2),
+ var _part$split = part.split(/=/, 2),
k = _part$split[0],
v = _part$split[1];
- cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
+ cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
}
return cc;
@@ -556,4 +556,4 @@ module.exports = function () {
};
return CachePolicy;
-}();
\ No newline at end of file
+}();
--
2.39.2

View File

@ -1,98 +0,0 @@
From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001
From: Jordan Harband <ljharb@gmail.com>
Date: Mon, 27 Dec 2021 19:15:57 -0800
Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999)
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/qs/lib/parse.js | 2 +-
deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++
2 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js
index 8c9872e..08e623a 100644
--- a/deps/npm/node_modules/qs/lib/parse.js
+++ b/deps/npm/node_modules/qs/lib/parse.js
@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) {
) {
obj = [];
obj[index] = leaf;
- } else {
+ } else if (cleanRoot !== '__proto__') {
obj[cleanRoot] = leaf;
}
}
diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js
index 0f8fe45..3e93784 100644
--- a/deps/npm/node_modules/qs/test/parse.js
+++ b/deps/npm/node_modules/qs/test/parse.js
@@ -515,6 +515,66 @@ test('parse()', function (t) {
st.end();
});
+ t.test('dunder proto is ignored', function (st) {
+ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
+ var result = qs.parse(payload, { allowPrototypes: true });
+
+ st.deepEqual(
+ result,
+ {
+ categories: {
+ length: '42'
+ }
+ },
+ 'silent [[Prototype]] payload'
+ );
+
+ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
+
+ st.deepEqual(
+ plainResult,
+ {
+ __proto__: null,
+ categories: {
+ __proto__: null,
+ length: '42'
+ }
+ },
+ 'silent [[Prototype]] payload: plain objects'
+ );
+
+ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
+
+ st.notOk(Array.isArray(query.categories), 'is not an array');
+ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
+ st.deepEqual(query.categories, { some: { json: 'toInject' } });
+ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
+
+ st.deepEqual(
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
+ {
+ foo: {
+ bar: 'stuffs'
+ }
+ },
+ 'hidden values'
+ );
+
+ st.deepEqual(
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
+ {
+ __proto__: null,
+ foo: {
+ __proto__: null,
+ bar: 'stuffs'
+ }
+ },
+ 'hidden values: plain objects'
+ );
+
+ st.end();
+ });
+
t.test('can return null objects', { skip: !Object.create }, function (st) {
var expected = Object.create(null);
expected.a = Object.create(null);
--
2.38.1

View File

@ -0,0 +1,52 @@
From 58725d71e4306c83a474d6c3035e72580d0c4592 Mon Sep 17 00:00:00 2001
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
Date: Wed, 18 Jan 2023 22:14:26 +0800
Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
stack overflow (#497)
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
the input str and initialize a sortlist configuration.
However, ares_set_sortlist has not any checks about the validity of the input str.
It is very easy to create an arbitrary length stack overflow with the unchecked
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
statements in the config_sortlist call, which could potentially cause severe
security impact in practical programs.
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
potential stack overflows.
fixes #496
Fix By: @hopper-vul
Signed-off-by: rpm-build <rpm-build>
---
deps/cares/src/lib/ares_init.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
index de5d86c..d5858f6 100644
--- a/deps/cares/src/lib/ares_init.c
+++ b/deps/cares/src/lib/ares_init.c
@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
q = str;
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 16)
+ return ARES_EBADSTR;
memcpy(ipbuf, str, q-str);
ipbuf[q-str] = '\0';
/* Find the prefix */
@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
const char *str2 = q+1;
while (*q && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 32)
+ return ARES_EBADSTR;
memcpy(ipbufpfx, str, q-str);
ipbufpfx[q-str] = '\0';
str = str2;
--
2.39.2

View File

@ -30,7 +30,7 @@
# This is used by both the nodejs package and the npm subpackage that
# has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end.
%global baserelease 2
%global baserelease 1
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -42,7 +42,7 @@
%global nodejs_epoch 1
%global nodejs_major 14
%global nodejs_minor 21
%global nodejs_patch 1
%global nodejs_patch 3
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
%global nodejs_release %{baserelease}
@ -121,7 +121,7 @@
%global npm_epoch 1
%global npm_major 6
%global npm_minor 14
%global npm_patch 17
%global npm_patch 18
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# uvwasi - from deps/uvwasi/include/uvwasi.h
@ -184,7 +184,8 @@ Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
# Dependency vulnerabilities
Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch
Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
Patch3: 0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
Patch4: 0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
BuildRequires: make
BuildRequires: python3-devel
@ -679,7 +680,6 @@ end
%doc %{_mandir}/man5/shrinkwrap-json.5*
%doc %{_mandir}/man7/config.7*
%doc %{_mandir}/man7/developers.7*
%doc %{_mandir}/man7/disputes.7*
%doc %{_mandir}/man7/orgs.7*
%doc %{_mandir}/man7/registry.7*
%doc %{_mandir}/man7/removal.7*
@ -696,6 +696,12 @@ end
%changelog
* Mon Mar 06 2023 Jan Staněk <jstanek@redhat.com> - 1:14.21.3-1
- Rebase to 14.21.3
Resolves: rhbz#2153712
Resolves: CVE-2022-25881 CVE-2023-23918 CVE-2023-23920 CVE-2022-38900
Resolves: CVE-2022-4904
* Thu Dec 08 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-2
- Apply upstream fix for CVE-2022-24999
Resolves: CVE-2022-24999
@ -704,7 +710,7 @@ end
* Wed Nov 16 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-1
- Rebase to version 14.21.1
Resolves: rhbz#2129805 CVE-2022-43548 CVE-2022-3517
Resolves: rhbz#2129805 CVE-2022-43548
* Fri Oct 07 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-2
- Record issues fixed in the current version