import nodejs-14.21.3-1.module+el8.7.0+18531+81d21ca6
This commit is contained in:
parent
e356425f49
commit
5373039771
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,4 +1,4 @@
|
|||||||
SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||||
SOURCES/icu4c-70_1-src.tgz
|
SOURCES/icu4c-70_1-src.tgz
|
||||||
SOURCES/node-v14.21.1-stripped.tar.gz
|
SOURCES/node-v14.21.3-stripped.tar.gz
|
||||||
SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
|
SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||||
f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
|
f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
|
||||||
2812a06625a63430d5f36ce9019cc2df321956e6 SOURCES/node-v14.21.1-stripped.tar.gz
|
9929bfc056f9689ee30a088e923a81db640e39be SOURCES/node-v14.21.3-stripped.tar.gz
|
||||||
8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
|
8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
|
||||||
|
@ -0,0 +1,49 @@
|
|||||||
|
From 201c8b23df7bf986276e62b03f8276e18ef49728 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kornel <kornel@geekhood.net>
|
||||||
|
Date: Fri, 27 Jan 2023 01:20:38 +0000
|
||||||
|
Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
|
||||||
|
whitespace
|
||||||
|
|
||||||
|
upstream-patch: https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74
|
||||||
|
Signed-off-by: rpm-build <rpm-build>
|
||||||
|
---
|
||||||
|
deps/npm/node_modules/http-cache-semantics/node4/index.js | 8 ++++----
|
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/deps/npm/node_modules/http-cache-semantics/node4/index.js b/deps/npm/node_modules/http-cache-semantics/node4/index.js
|
||||||
|
index bcdaebe..e427106 100644
|
||||||
|
--- a/deps/npm/node_modules/http-cache-semantics/node4/index.js
|
||||||
|
+++ b/deps/npm/node_modules/http-cache-semantics/node4/index.js
|
||||||
|
@@ -21,7 +21,7 @@ function parseCacheControl(header) {
|
||||||
|
|
||||||
|
// TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
|
||||||
|
// the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
|
||||||
|
- var parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
|
||||||
|
+ var parts = header.trim().split(/,/);
|
||||||
|
for (var _iterator = parts, _isArray = Array.isArray(_iterator), _i = 0, _iterator = _isArray ? _iterator : _iterator[Symbol.iterator]();;) {
|
||||||
|
var _ref;
|
||||||
|
|
||||||
|
@@ -36,11 +36,11 @@ function parseCacheControl(header) {
|
||||||
|
|
||||||
|
var part = _ref;
|
||||||
|
|
||||||
|
- var _part$split = part.split(/\s*=\s*/, 2),
|
||||||
|
+ var _part$split = part.split(/=/, 2),
|
||||||
|
k = _part$split[0],
|
||||||
|
v = _part$split[1];
|
||||||
|
|
||||||
|
- cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
|
||||||
|
+ cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
|
||||||
|
}
|
||||||
|
|
||||||
|
return cc;
|
||||||
|
@@ -556,4 +556,4 @@ module.exports = function () {
|
||||||
|
};
|
||||||
|
|
||||||
|
return CachePolicy;
|
||||||
|
-}();
|
||||||
|
\ No newline at end of file
|
||||||
|
+}();
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
@ -1,98 +0,0 @@
|
|||||||
From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jordan Harband <ljharb@gmail.com>
|
|
||||||
Date: Mon, 27 Dec 2021 19:15:57 -0800
|
|
||||||
Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999)
|
|
||||||
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
deps/npm/node_modules/qs/lib/parse.js | 2 +-
|
|
||||||
deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++
|
|
||||||
2 files changed, 61 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js
|
|
||||||
index 8c9872e..08e623a 100644
|
|
||||||
--- a/deps/npm/node_modules/qs/lib/parse.js
|
|
||||||
+++ b/deps/npm/node_modules/qs/lib/parse.js
|
|
||||||
@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) {
|
|
||||||
) {
|
|
||||||
obj = [];
|
|
||||||
obj[index] = leaf;
|
|
||||||
- } else {
|
|
||||||
+ } else if (cleanRoot !== '__proto__') {
|
|
||||||
obj[cleanRoot] = leaf;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js
|
|
||||||
index 0f8fe45..3e93784 100644
|
|
||||||
--- a/deps/npm/node_modules/qs/test/parse.js
|
|
||||||
+++ b/deps/npm/node_modules/qs/test/parse.js
|
|
||||||
@@ -515,6 +515,66 @@ test('parse()', function (t) {
|
|
||||||
st.end();
|
|
||||||
});
|
|
||||||
|
|
||||||
+ t.test('dunder proto is ignored', function (st) {
|
|
||||||
+ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
|
|
||||||
+ var result = qs.parse(payload, { allowPrototypes: true });
|
|
||||||
+
|
|
||||||
+ st.deepEqual(
|
|
||||||
+ result,
|
|
||||||
+ {
|
|
||||||
+ categories: {
|
|
||||||
+ length: '42'
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
+ 'silent [[Prototype]] payload'
|
|
||||||
+ );
|
|
||||||
+
|
|
||||||
+ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
|
|
||||||
+
|
|
||||||
+ st.deepEqual(
|
|
||||||
+ plainResult,
|
|
||||||
+ {
|
|
||||||
+ __proto__: null,
|
|
||||||
+ categories: {
|
|
||||||
+ __proto__: null,
|
|
||||||
+ length: '42'
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
+ 'silent [[Prototype]] payload: plain objects'
|
|
||||||
+ );
|
|
||||||
+
|
|
||||||
+ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
|
|
||||||
+
|
|
||||||
+ st.notOk(Array.isArray(query.categories), 'is not an array');
|
|
||||||
+ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
|
|
||||||
+ st.deepEqual(query.categories, { some: { json: 'toInject' } });
|
|
||||||
+ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
|
|
||||||
+
|
|
||||||
+ st.deepEqual(
|
|
||||||
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
|
|
||||||
+ {
|
|
||||||
+ foo: {
|
|
||||||
+ bar: 'stuffs'
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
+ 'hidden values'
|
|
||||||
+ );
|
|
||||||
+
|
|
||||||
+ st.deepEqual(
|
|
||||||
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
|
|
||||||
+ {
|
|
||||||
+ __proto__: null,
|
|
||||||
+ foo: {
|
|
||||||
+ __proto__: null,
|
|
||||||
+ bar: 'stuffs'
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
+ 'hidden values: plain objects'
|
|
||||||
+ );
|
|
||||||
+
|
|
||||||
+ st.end();
|
|
||||||
+ });
|
|
||||||
+
|
|
||||||
t.test('can return null objects', { skip: !Object.create }, function (st) {
|
|
||||||
var expected = Object.create(null);
|
|
||||||
expected.a = Object.create(null);
|
|
||||||
--
|
|
||||||
2.38.1
|
|
||||||
|
|
@ -0,0 +1,52 @@
|
|||||||
|
From 58725d71e4306c83a474d6c3035e72580d0c4592 Mon Sep 17 00:00:00 2001
|
||||||
|
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
|
||||||
|
Date: Wed, 18 Jan 2023 22:14:26 +0800
|
||||||
|
Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
|
||||||
|
stack overflow (#497)
|
||||||
|
|
||||||
|
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
|
||||||
|
the input str and initialize a sortlist configuration.
|
||||||
|
|
||||||
|
However, ares_set_sortlist has not any checks about the validity of the input str.
|
||||||
|
It is very easy to create an arbitrary length stack overflow with the unchecked
|
||||||
|
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
|
||||||
|
statements in the config_sortlist call, which could potentially cause severe
|
||||||
|
security impact in practical programs.
|
||||||
|
|
||||||
|
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
|
||||||
|
potential stack overflows.
|
||||||
|
|
||||||
|
fixes #496
|
||||||
|
|
||||||
|
Fix By: @hopper-vul
|
||||||
|
|
||||||
|
Signed-off-by: rpm-build <rpm-build>
|
||||||
|
---
|
||||||
|
deps/cares/src/lib/ares_init.c | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
|
||||||
|
index de5d86c..d5858f6 100644
|
||||||
|
--- a/deps/cares/src/lib/ares_init.c
|
||||||
|
+++ b/deps/cares/src/lib/ares_init.c
|
||||||
|
@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||||||
|
q = str;
|
||||||
|
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
|
||||||
|
q++;
|
||||||
|
+ if (q-str >= 16)
|
||||||
|
+ return ARES_EBADSTR;
|
||||||
|
memcpy(ipbuf, str, q-str);
|
||||||
|
ipbuf[q-str] = '\0';
|
||||||
|
/* Find the prefix */
|
||||||
|
@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||||||
|
const char *str2 = q+1;
|
||||||
|
while (*q && *q != ';' && !ISSPACE(*q))
|
||||||
|
q++;
|
||||||
|
+ if (q-str >= 32)
|
||||||
|
+ return ARES_EBADSTR;
|
||||||
|
memcpy(ipbufpfx, str, q-str);
|
||||||
|
ipbufpfx[q-str] = '\0';
|
||||||
|
str = str2;
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
@ -30,7 +30,7 @@
|
|||||||
# This is used by both the nodejs package and the npm subpackage that
|
# This is used by both the nodejs package and the npm subpackage that
|
||||||
# has a separate version - the name is special so that rpmdev-bumpspec
|
# has a separate version - the name is special so that rpmdev-bumpspec
|
||||||
# will bump this rather than adding .1 to the end.
|
# will bump this rather than adding .1 to the end.
|
||||||
%global baserelease 2
|
%global baserelease 1
|
||||||
|
|
||||||
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
||||||
|
|
||||||
@ -42,7 +42,7 @@
|
|||||||
%global nodejs_epoch 1
|
%global nodejs_epoch 1
|
||||||
%global nodejs_major 14
|
%global nodejs_major 14
|
||||||
%global nodejs_minor 21
|
%global nodejs_minor 21
|
||||||
%global nodejs_patch 1
|
%global nodejs_patch 3
|
||||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||||
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
|
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
|
||||||
%global nodejs_release %{baserelease}
|
%global nodejs_release %{baserelease}
|
||||||
@ -121,7 +121,7 @@
|
|||||||
%global npm_epoch 1
|
%global npm_epoch 1
|
||||||
%global npm_major 6
|
%global npm_major 6
|
||||||
%global npm_minor 14
|
%global npm_minor 14
|
||||||
%global npm_patch 17
|
%global npm_patch 18
|
||||||
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
||||||
|
|
||||||
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
||||||
@ -184,7 +184,8 @@ Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-
|
|||||||
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||||
# Dependency vulnerabilities
|
# Dependency vulnerabilities
|
||||||
Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch
|
Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch
|
||||||
Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
|
Patch3: 0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
|
||||||
|
Patch4: 0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
@ -679,7 +680,6 @@ end
|
|||||||
%doc %{_mandir}/man5/shrinkwrap-json.5*
|
%doc %{_mandir}/man5/shrinkwrap-json.5*
|
||||||
%doc %{_mandir}/man7/config.7*
|
%doc %{_mandir}/man7/config.7*
|
||||||
%doc %{_mandir}/man7/developers.7*
|
%doc %{_mandir}/man7/developers.7*
|
||||||
%doc %{_mandir}/man7/disputes.7*
|
|
||||||
%doc %{_mandir}/man7/orgs.7*
|
%doc %{_mandir}/man7/orgs.7*
|
||||||
%doc %{_mandir}/man7/registry.7*
|
%doc %{_mandir}/man7/registry.7*
|
||||||
%doc %{_mandir}/man7/removal.7*
|
%doc %{_mandir}/man7/removal.7*
|
||||||
@ -696,6 +696,12 @@ end
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Mar 06 2023 Jan Staněk <jstanek@redhat.com> - 1:14.21.3-1
|
||||||
|
- Rebase to 14.21.3
|
||||||
|
Resolves: rhbz#2153712
|
||||||
|
Resolves: CVE-2022-25881 CVE-2023-23918 CVE-2023-23920 CVE-2022-38900
|
||||||
|
Resolves: CVE-2022-4904
|
||||||
|
|
||||||
* Thu Dec 08 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-2
|
* Thu Dec 08 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-2
|
||||||
- Apply upstream fix for CVE-2022-24999
|
- Apply upstream fix for CVE-2022-24999
|
||||||
Resolves: CVE-2022-24999
|
Resolves: CVE-2022-24999
|
||||||
@ -704,7 +710,7 @@ end
|
|||||||
|
|
||||||
* Wed Nov 16 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-1
|
* Wed Nov 16 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-1
|
||||||
- Rebase to version 14.21.1
|
- Rebase to version 14.21.1
|
||||||
Resolves: rhbz#2129805 CVE-2022-43548 CVE-2022-3517
|
Resolves: rhbz#2129805 CVE-2022-43548
|
||||||
|
|
||||||
* Fri Oct 07 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-2
|
* Fri Oct 07 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-2
|
||||||
- Record issues fixed in the current version
|
- Record issues fixed in the current version
|
||||||
|
Loading…
Reference in New Issue
Block a user