From 4dffd5e0d2307140d32e5f855da194c08ea8079d Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Wed, 5 Apr 2023 14:13:38 +0000
Subject: [PATCH] import nodejs-14.21.3-1.module+el8.7.0+18531+81d21ca6
---
 .gitignore | 2 +-
 .nodejs.metadata | 2 +-
 ...semantics-Don-t-use-regex-to-trim-wh.patch | 49 ++++++++++
 ...ignore-__proto__-keys-CVE-2022-24999.patch | 98 -------------------
 ...tr-len-check-in-config_sortlist-to-a.patch | 52 ++++++++++
 SPECS/nodejs.spec | 18 ++--
 6 files changed, 115 insertions(+), 106 deletions(-)
 create mode 100644 SOURCES/0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
 delete mode 100644 SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
 create mode 100644 SOURCES/0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
diff --git a/.gitignore b/.gitignore
index c9ee73e..63419b7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 SOURCES/icu4c-70_1-src.tgz
-SOURCES/node-v14.21.1-stripped.tar.gz
+SOURCES/node-v14.21.3-stripped.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index d20d8cd..99cafef 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,4 +1,4 @@
 6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
-2812a06625a63430d5f36ce9019cc2df321956e6 SOURCES/node-v14.21.1-stripped.tar.gz
+9929bfc056f9689ee30a088e923a81db640e39be SOURCES/node-v14.21.3-stripped.tar.gz
 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
diff --git a/SOURCES/0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch b/SOURCES/0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
new file mode 100644
index 0000000..9fa4284
--- /dev/null
+++ b/SOURCES/0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
@@ -0,0 +1,49 @@
+From 201c8b23df7bf986276e62b03f8276e18ef49728 Mon Sep 17 00:00:00 2001
+From: Kornel
+Date: Fri, 27 Jan 2023 01:20:38 +0000
+Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
+ whitespace
+
+upstream-patch: https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74
+Signed-off-by: rpm-build
+---
+ deps/npm/node_modules/http-cache-semantics/node4/index.js | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/deps/npm/node_modules/http-cache-semantics/node4/index.js b/deps/npm/node_modules/http-cache-semantics/node4/index.js
+index bcdaebe..e427106 100644
+--- a/deps/npm/node_modules/http-cache-semantics/node4/index.js
++++ b/deps/npm/node_modules/http-cache-semantics/node4/index.js
+@@ -21,7 +21,7 @@ function parseCacheControl(header) {
+
+ // TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
+ // the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
+- var parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
++ var parts = header.trim().split(/,/);
+ for (var _iterator = parts, _isArray = Array.isArray(_iterator), _i = 0, _iterator = _isArray ? _iterator : _iterator[Symbol.iterator]();;) {
+ var _ref;
+
+@@ -36,11 +36,11 @@ function parseCacheControl(header) {
+
+ var part = _ref;
+
+- var _part$split = part.split(/\s*=\s*/, 2),
++ var _part$split = part.split(/=/, 2),
+ k = _part$split[0],
+ v = _part$split[1];
+
+- cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
++ cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
+ }
+
+ return cc;
+@@ -556,4 +556,4 @@ module.exports = function () {
+ };
+
+ return CachePolicy;
+-}();
+\ No newline at end of file
++}();
+--
+2.39.2
+
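Review bot: The rewritten splits in `parseCacheControl` carry no comment saying why the whitespace-tolerant regexes were removed, and the `TODO: lame parsing` / `TODO: lame unquoting` markers that flagged this code are dropped at the same time, so a later cleanup could reintroduce `/\s*,\s*/`. I would add above the first split something like `// Split on the bare delimiter and trim each piece: the old /\s*,\s*/ and /\s*=\s*/ patterns backtrack badly on long whitespace runs in a server-supplied header.` Only the transpiled `node4/index.js` is touched; if the bundled package also ships an untranspiled `index.js` (not visible in this diff), that copy should be checked for the same patterns. The patch header gives the upstream commit but no CVE id; the changelog entry in this commit suggests it is CVE-2022-25881, and recording that in the header would keep the patch traceable.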
diff --git a/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch b/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
deleted file mode 100644
index 81064b3..0000000
--- a/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001
-From: Jordan Harband
-Date: Mon, 27 Dec 2021 19:15:57 -0800
-Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999)
-
-Signed-off-by: rpm-build
----
- deps/npm/node_modules/qs/lib/parse.js | 2 +-
- deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++
- 2 files changed, 61 insertions(+), 1 deletion(-)
-
-diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js
-index 8c9872e..08e623a 100644
---- a/deps/npm/node_modules/qs/lib/parse.js
-+++ b/deps/npm/node_modules/qs/lib/parse.js
-@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) {
- ) {
- obj = [];
- obj[index] = leaf;
-- } else {
-+ } else if (cleanRoot !== '__proto__') {
- obj[cleanRoot] = leaf;
- }
- }
-diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js
-index 0f8fe45..3e93784 100644
---- a/deps/npm/node_modules/qs/test/parse.js
-+++ b/deps/npm/node_modules/qs/test/parse.js
-@@ -515,6 +515,66 @@ test('parse()', function (t) {
- st.end();
- });
-
-+ t.test('dunder proto is ignored', function (st) {
-+ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
-+ var result = qs.parse(payload, { allowPrototypes: true });
-+
-+ st.deepEqual(
-+ result,
-+ {
-+ categories: {
-+ length: '42'
-+ }
-+ },
-+ 'silent [[Prototype]] payload'
-+ );
-+
-+ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
-+
-+ st.deepEqual(
-+ plainResult,
-+ {
-+ __proto__: null,
-+ categories: {
-+ __proto__: null,
-+ length: '42'
-+ }
-+ },
-+ 'silent [[Prototype]] payload: plain objects'
-+ );
-+
-+ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
-+
-+ st.notOk(Array.isArray(query.categories), 'is not an array');
-+ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
-+ st.deepEqual(query.categories, { some: { json: 'toInject' } });
-+ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
-+
-+ st.deepEqual(
-+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
-+ {
-+ foo: {
-+ bar: 'stuffs'
-+ }
-+ },
-+ 'hidden values'
-+ );
-+
-+ st.deepEqual(
-+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
-+ {
-+ __proto__: null,
-+ foo: {
-+ __proto__: null,
-+ bar: 'stuffs'
-+ }
-+ },
-+ 'hidden values: plain objects'
-+ );
-+
-+ st.end();
-+ });
-+
- t.test('can return null objects', { skip: !Object.create }, function (st) {
- var expected = Object.create(null);
- expected.a = Object.create(null);
---
-2.38.1
-
diff --git a/SOURCES/0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch b/SOURCES/0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
new file mode 100644
index 0000000..c81988f
--- /dev/null
+++ b/SOURCES/0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
@@ -0,0 +1,52 @@
+From 58725d71e4306c83a474d6c3035e72580d0c4592 Mon Sep 17 00:00:00 2001
+From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
+Date: Wed, 18 Jan 2023 22:14:26 +0800
+Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
+ stack overflow (#497)
+
+In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
+the input str and initialize a sortlist configuration.
+
+However, ares_set_sortlist has not any checks about the validity of the input str.
+It is very easy to create an arbitrary length stack overflow with the unchecked
+`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
+statements in the config_sortlist call, which could potentially cause severe
+security impact in practical programs.
+
+This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
+potential stack overflows.
+
+fixes #496
+
+Fix By: @hopper-vul
+
+Signed-off-by: rpm-build
+---
+ deps/cares/src/lib/ares_init.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
+index de5d86c..d5858f6 100644
+--- a/deps/cares/src/lib/ares_init.c
++++ b/deps/cares/src/lib/ares_init.c
+@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+ q = str;
+ while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+ q++;
++ if (q-str >= 16)
++ return ARES_EBADSTR;
+ memcpy(ipbuf, str, q-str);
+ ipbuf[q-str] = '\0';
+ /* Find the prefix */
+@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+ const char *str2 = q+1;
+ while (*q && *q != ';' && !ISSPACE(*q))
+ q++;
++ if (q-str >= 32)
++ return ARES_EBADSTR;
+ memcpy(ipbufpfx, str, q-str);
+ ipbufpfx[q-str] = '\0';
+ str = str2;
+--
+2.39.2
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 81b8048..da638c6 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
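Review bot: The new bounds in `config_sortlist` are the literals `16` and `32`, which presumably mirror the sizes of `ipbuf` and `ipbufpfx` declared outside this hunk; if either buffer is ever resized the checks silently go stale. Tying them to the arrays, e.g. `if ((size_t)(q-str) >= sizeof(ipbuf)) return ARES_EBADSTR;` and the same with `sizeof(ipbufpfx)`, keeps each guard in step with its `memcpy` (assuming both are arrays rather than pointers). The early `return ARES_EBADSTR` also leaves the loop without touching `*sortlist`; whether entries appended on earlier iterations are released by the caller is not visible here and is worth confirming.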
@@ -30,7 +30,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 2 +%global baserelease 1 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -42,7 +42,7 @@ %global nodejs_epoch 1 %global nodejs_major 14 %global nodejs_minor 21 -%global nodejs_patch 1 +%global nodejs_patch 3 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} %global nodejs_release %{baserelease} @@ -121,7 +121,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 17 +%global npm_patch 18 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -184,7 +184,8 @@ Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk- Patch1: 0001-Disable-running-gyp-on-shared-deps.patch # Dependency vulnerabilities Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch -Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch +Patch3: 0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch +Patch4: 0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch BuildRequires: make BuildRequires: python3-devel @@ -679,7 +680,6 @@ end %doc %{_mandir}/man5/shrinkwrap-json.5* %doc %{_mandir}/man7/config.7* %doc %{_mandir}/man7/developers.7* -%doc %{_mandir}/man7/disputes.7* %doc %{_mandir}/man7/orgs.7* %doc %{_mandir}/man7/registry.7* %doc %{_mandir}/man7/removal.7* @@ -696,6 +696,12 @@ end %changelog +* Mon Mar 06 2023 Jan Staněk - 1:14.21.3-1 +- Rebase to 14.21.3 + Resolves: rhbz#2153712 + Resolves: CVE-2022-25881 CVE-2023-23918 CVE-2023-23920 CVE-2022-38900 + Resolves: CVE-2022-4904 + * Thu Dec 08 2022 Jan Staněk - 1:14.21.1-2 - Apply upstream fix for CVE-2022-24999 Resolves: CVE-2022-24999 
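Review bot: In the patch-list hunk the `Patch3` slot is reused for the http-cache-semantics fix while the qs `__proto__` patch for CVE-2022-24999 is dropped, and nothing in the spec records why the downstream fix is no longer needed. Presumably the rebased 14.21.3 tarball (bundled npm 6.14.18 per the `npm_patch` bump) already contains it, but that cannot be verified from this diff. I would add a comment under `# Dependency vulnerabilities`, e.g. `# CVE-2022-24999 (qs): fixed in the bundled npm as of this rebase, downstream patch dropped`, once that is confirmed against the new tarball. The new entries also lack the CVE id that the old patch carried in its filename; a trailing `# CVE-…` comment per `PatchN` line would make the mapping to the changelog's `Resolves:` list explicit.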
@@ -704,7 +710,7 @@ end * Wed Nov 16 2022 Jan Staněk - 1:14.21.1-1 - Rebase to version 14.21.1 - Resolves: rhbz#2129805 CVE-2022-43548 CVE-2022-3517 + Resolves: rhbz#2129805 CVE-2022-43548 * Fri Oct 07 2022 Jan Staněk - 1:14.20.1-2 - Record issues fixed in the current version