diff --git a/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch b/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch
deleted file mode 100644
index b23946b..0000000
--- a/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From e040864f2797b9c705bac5862581d5f190510e04 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Thu, 9 Dec 2021 15:48:46 +0100 -Subject: [PATCH] deps(ansi-regex): fix potential ReDoS - -This is the upstream fix [1] applied to all applicable bundled deps. - -[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9 - -Fixes: CVE-2021-3807 -Signed-off-by: rpm-build ---- - deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js | 2 +- - .../node_modules/string-width/node_modules/ansi-regex/index.js | 2 +- - .../npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js | 2 +- - deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js -index c254480..9e37ec3 100644 ---- a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js -+++ b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js -@@ -6,7 +6,7 @@ module.exports = options => { - }, options); - - const pattern = [ -- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', -+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', - '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))' - ].join('|'); - -diff --git a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js -index c4aaecf..7d32201 100644 ---- a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js -+++ b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js -@@ -2,7 +2,7 @@ - - module.exports = () => { - const pattern = [ -- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)', -+ 
'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', - '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))' - ].join('|'); - -diff --git a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js -index c254480..9e37ec3 100644 ---- a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js -+++ b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js -@@ -6,7 +6,7 @@ module.exports = options => { - }, options); - - const pattern = [ -- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', -+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', - '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))' - ].join('|'); - -diff --git a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js -index c254480..9e37ec3 100644 ---- a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js -+++ b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js -@@ -6,7 +6,7 @@ module.exports = options => { - }, options); - - const pattern = [ -- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', -+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', - '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))' - ].join('|'); - --- -2.33.1 - - diff --git a/SOURCES/0002-deps-json-schema-protect-against-prototype-pollution.patch b/SOURCES/0002-deps-json-schema-protect-against-prototype-pollution.patch deleted file mode 100644 index 2f0a58b..0000000 --- a/SOURCES/0002-deps-json-schema-protect-against-prototype-pollution.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 25661e4fc0e7c6a3d47bc189f886af76b1ecafa1 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Thu, 9 Dec 2021 13:01:08 +0100 -Subject: [PATCH] deps(json-schema): protect against prototype pollution - -Amalgamation of the following upstream patches: -https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741 -https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a -https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa - -Fixes: CVE-2021-3918 -Signed-off-by: rpm-build ---- - .../node_modules/json-schema/lib/validate.js | 4 +-- - .../node_modules/json-schema/test/tests.js | 28 ++++++++++++++++++- - 2 files changed, 29 insertions(+), 3 deletions(-) - -diff --git a/deps/npm/node_modules/json-schema/lib/validate.js b/deps/npm/node_modules/json-schema/lib/validate.js -index 4b61088..d05ee86 100644 ---- a/deps/npm/node_modules/json-schema/lib/validate.js -+++ b/deps/npm/node_modules/json-schema/lib/validate.js -@@ -209,8 +209,8 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O - } - - for(var i in objTypeDef){ -- if(objTypeDef.hasOwnProperty(i)){ -- var value = instance[i]; -+ if(objTypeDef.hasOwnProperty(i) && i != '__proto__' && i != 'constructor'){ -+ var value = instance.hasOwnProperty(i) ? 
instance[i] : undefined; - // skip _not_ specified properties - if (value === undefined && options.existingOnly) continue; - var propDef = objTypeDef[i]; -diff --git a/deps/npm/node_modules/json-schema/test/tests.js b/deps/npm/node_modules/json-schema/test/tests.js -index 40eeda5..70f515a 100644 ---- a/deps/npm/node_modules/json-schema/test/tests.js -+++ b/deps/npm/node_modules/json-schema/test/tests.js -@@ -91,5 +91,31 @@ var suite = vows.describe('JSON Schema').addBatch({ - - 'Json-Ref self-validates': assertSelfValidates('json-ref'), - 'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'), -- 'Json-Ref/Core': assertValidates('json-ref', 'schema') -+ 'Json-Ref/Core': assertValidates('json-ref', 'schema'), -+ prototypePollution: function() { -+ console.log('testing') -+ const instance = JSON.parse(` -+ { -+ "$schema":{ -+ "type": "object", -+ "properties":{ -+ "__proto__": { -+ "type": "object", -+ -+ "properties":{ -+ "polluted": { -+ "type": "string", -+ "default": "polluted" -+ } -+ } -+ } -+ }, -+ "__proto__": {} -+ } -+ }`); -+ -+ const a = {}; -+ validate(instance); -+ assert.equal(a.polluted, undefined); -+ } - }).export(module); --- -2.33.1 - - diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 7acefba..1cdcca4 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec 
@@ -1,18 +1,34 @@ -%global with_debug 0 -%global with_libs 0 +%bcond_with debug +%bcond_with libs # PowerPC, s390x and aarch64 segfault during Debug builds # https://github.com/nodejs/node/issues/20642 %ifarch %{power64} s390x aarch64 -%global with_debug 0 +%bcond_with debug %endif -# bundle dependencies that are not available as Fedora modules +# The following macros control the usage of dependencies bundled from upstream. +# +# When to use what: +# - Regular (presumably non-modular) build: use neither (the default in Fedora) +# - Early bootstrapping build that is not intended to be shipped: +# use --with=bootstrap; this will bundle deps and add `~bootstrap` release suffix +# - Build with some dependencies not avalaible in necessary versions (i.e. module build): +# use --with=bundled; will bundle deps, but do not add the suffix +# +# create bootstrapping build with bundled deps and extra release suffix %bcond_with bootstrap +# bundle dependencies that are not available as Fedora modules +%if %{with bootstrap} +%bcond_without bundled +%else +%bcond_with bundled +%endif + %bcond_without python3_fixup # == Master Relase == -# This is used by both the nodejs package and the npm subpackage thar +# This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. %global baserelease 2 @@ -29,7 +45,7 @@ %global nodejs_minor 18 %global nodejs_patch 2 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} -%if %{?with_libs} == 1 +%if %{with libs} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 83 %endif 
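Review bot: The `%ifarch %{power64} s390x aarch64` block in the `@@ -1,18 +1,34 @@` hunk no longer forces debug builds off on the architectures its comment says segfault. `%bcond_with debug` there only repeats the default-off declaration made at the top of the hunk, so a build invoked with `--with debug` would still enable the conditional, whereas the removed `%global with_debug 0` overrode it. If Debug builds must stay blocked on these arches, the block needs to clear the conditional, for example `%undefine with_debug` inside the `%ifarch` (confirm against the RPM version in the buildroot). Otherwise the block and its comment should be removed so the spec does not suggest a guard that is not there.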
@@ -160,7 +176,7 @@ Source7: nodejs_native.attr # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch -%if %{?with_libs} == 1 +%if %{with libs} # Patch to install both node and libnode.so, using the correct libdir Patch2: 0002-Install-both-binaries-and-use-libdir.patch %endif @@ -169,9 +185,6 @@ Patch2: 0002-Install-both-binaries-and-use-libdir.patch # https://github.com/nodejs/node/issues/34903 Patch3: 0004-always-available-fips-options.patch -Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch -Patch5: 0002-deps-json-schema-protect-against-prototype-pollution.patch - BuildRequires: make BuildRequires: python3-devel BuildRequires: zlib-devel @@ -186,14 +199,18 @@ BuildRequires: chrpath BuildRequires: libatomic BuildRequires: systemtap-sdt-devel -%if %{with bootstrap} -Provides: bundled(libuv) = %{libuv_version} -Provides: bundled(nghttp2) = %{nghttp2_version} +%if %{with bundled} +Provides: bundled(libuv) = %{libuv_version} %else BuildRequires: libuv-devel >= 1:%{libuv_version} -Requires: libuv >= 1:%{libuv_version} +Requires: libuv >= 1:%{libuv_version} +%endif + +%if %{with bundled} +Provides: bundled(nghttp2) = %{nghttp2_version} +%else BuildRequires: libnghttp2-devel >= %{nghttp2_version} -Requires: libnghttp2 >= %{nghttp2_version} +Requires: libnghttp2 >= %{nghttp2_version} %endif # Temporarily bundle llhttp because the upstream doesn't @@ -206,7 +223,7 @@ Requires: openssl >= %{openssl_minimum} # we need the system certificate store Requires: ca-certificates -%if %{?with_libs} == 1 +%if %{with libs} Requires: nodejs-libs%{?_isa} = %{nodejs_epoch}:%{version}-%{release} %endif @@ -287,9 +304,7 @@ Requires: zlib-devel%{?_isa} Requires: brotli-devel%{?_isa} Requires: nodejs-packaging -%if %{with bootstrap} -# deps are bundled -%else +%if %{without bundled} Requires: libuv-devel%{?_isa} %endif 
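Review bot: Dropping `Patch4`/`Patch5` in the `@@ -169,9 +185,6 @@` hunk removes the downstream fixes for CVE-2021-3807 (ansi-regex ReDoS) and CVE-2021-3918 (json-schema prototype pollution) in npm's bundled modules, while the package stays at 14.18.2 and nothing visible in this diff shows those fixes arriving another way. The changelog hunk also replaces the `Add missing fixes` entry (RHBZ#2027642, RHBZ#2027635) instead of adding a new one, so the removal leaves no trace in the package history. Either keep the two `PatchN:` lines and their files, or add a changelog line stating where the fixes now come from, e.g. `- Drop ansi-regex and json-schema patches (<reason: fixed in bundled npm / not applicable>)`. A `%check` assertion on the shipped `ansi-regex/index.js` and `json-schema/lib/validate.js` copies would keep a later rebase from silently losing either fix.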
@@ -297,7 +312,7 @@ Requires: libuv-devel%{?_isa} Development headers for the Node.js JavaScript runtime. -%if %{?with_libs} == 1 +%if %{with libs} %package libs Summary: Node.js and v8 libraries @@ -331,7 +346,7 @@ Optional data files to provide full-icu support for Node.js. Remove this package to save space if non-English locales are not needed. -%if %{?with_libs} == 1 +%if %{with libs} %package -n v8-devel Summary: v8 - development headers Epoch: %{v8_epoch} 
@@ -416,76 +431,29 @@ export CXX='g++' # build with debugging symbols and add defines from libuv (#892601) # Node's v8 breaks with GCC 6 because of incorrect usage of methods on # NULL objects. We need to pass -fno-delete-null-pointer-checks -export CFLAGS='%{optflags} \ - -D_LARGEFILE_SOURCE \ - -D_FILE_OFFSET_BITS=64 \ - -DZLIB_CONST \ - -fno-delete-null-pointer-checks' -export CXXFLAGS='%{optflags} \ - -D_LARGEFILE_SOURCE \ - -D_FILE_OFFSET_BITS=64 \ - -DZLIB_CONST \ - -fno-delete-null-pointer-checks' - -# Explicit new lines in C(XX)FLAGS can break naive build scripts -export CFLAGS="$(echo ${CFLAGS} | tr '\n\\' ' ')" -export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')" - +extra_cflags=( + -D_LARGEFILE_SOURCE + -D_FILE_OFFSET_BITS=64 + -DZLIB_CONST + -fno-delete-null-pointer-checks +) +export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cflags[*]}" export LDFLAGS="%{build_ldflags}" -%if %{?with_libs} == 1 -%if %{with bootstrap} %{__python3} configure.py --prefix=%{_prefix} \ - --shared \ - --libdir=%{_lib} \ + %{?with_libs:--shared --libdir=%{_lib}} \ --shared-openssl \ --shared-zlib \ --shared-brotli \ - --without-dtrace \ - --with-intl=small-icu \ - --openssl-use-def-ca-store \ - --openssl-default-cipher-list=PROFILE=SYSTEM -%else -%{__python3} configure.py --prefix=%{_prefix} \ - --shared \ - --libdir=%{_lib} \ - --shared-openssl \ - --shared-zlib \ - --shared-brotli \ - --shared-libuv \ - --shared-nghttp2 \ - --with-dtrace \ + %{!?with_bundled:--shared-libuv} \ + %{!?with_bundled:--shared-nghttp2} \ + %{?with_bundled:--without-dtrace}%{!?with_bundled:--with-dtrace} \ --with-intl=small-icu \ --with-icu-default-data-dir=%{icudatadir} \ --openssl-use-def-ca-store \ --openssl-default-cipher-list=PROFILE=SYSTEM -%endif -%else -%if %{with bootstrap} -%{__python3} configure.py --prefix=%{_prefix} \ - --shared-openssl \ - --shared-zlib \ - --shared-brotli \ - --without-dtrace \ - --with-intl=small-icu \ - --openssl-use-def-ca-store \ - 
--openssl-default-cipher-list=PROFILE=SYSTEM -%else -%{__python3} configure.py --prefix=%{_prefix} \ - --shared-openssl \ - --shared-zlib \ - --shared-brotli \ - --shared-libuv \ - --shared-nghttp2 \ - --with-dtrace \ - --with-intl=small-icu \ - --with-icu-default-data-dir=%{icudatadir} \ - --openssl-use-def-ca-store \ - --openssl-default-cipher-list=PROFILE=SYSTEM -%endif -%endif -%if %{?with_debug} == 1 +%if %{with debug} # Setting BUILDTYPE=Debug builds both release and debug binaries make BUILDTYPE=Debug %{?_smp_mflags} %else @@ -531,12 +499,12 @@ rm -rf %{buildroot} chmod 0755 %{buildroot}/%{_bindir}/node chrpath --delete %{buildroot}%{_bindir}/node -%if %{?with_debug} == 1 +%if %{with debug} # Install the debug binary and set its permissions install -Dpm0755 out/Debug/node %{buildroot}/%{_bindir}/node_g %endif -%if %{?with_libs} == 1 +%if %{with libs} # Install library symlink ln -s %{_libdir}/libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/libnode.so @@ -623,7 +591,7 @@ install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/* %check -%if %{?with_libs} == 1 +%if %{with libs} # Fail the build if the versions don't match LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.node, '%{nodejs_version}')" LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')" @@ -715,7 +683,7 @@ if st and st.type == "directory" then end -%if %{?with_libs} == 1 +%if %{with libs} %pretrans -n v8-devel -p -- Replace the v8 libplatform include directory with a symlink -- Drop this scriptlet when F30 is EOL @@ -743,9 +711,7 @@ end %dir %{_datadir}/systemtap/tapset %{_datadir}/systemtap/tapset/node.stp -%if %{with bootstrap} -# no dtrace -%else +%if %{without bundled} %dir %{_usr}/lib/dtrace %{_usr}/lib/dtrace/node.d %endif 
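Review bot: The unified `configure.py` call in the `@@ -416,76 +431,29 @@` hunk is not equivalent to the four calls it replaces, and the spec does not say so. `--with-icu-default-data-dir=%{icudatadir}` is now passed unconditionally, whereas both removed bootstrap variants omitted it, and the dtrace switch now follows `bundled` instead of `bootstrap`. If both changes are intended, a comment above the call would record it, e.g. `# dtrace is configured off whenever deps are bundled (bootstrap implies bundled)`. The later `%files` hunk that gates `node.d` on `%{without bundled}` depends on the same coupling and should carry the same remark in place of the removed `# no dtrace` comment.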
@@ -758,13 +724,9 @@ end %files devel -%if %{?with_debug} == 1 -%{_bindir}/node_g -%endif +%{?with_debug:%{_bindir}/node_g} %{_includedir}/node -%if %{?with_libs} == 1 -%{_libdir}/libnode.so -%endif +%{?with_libs:%{_libdir}/libnode.so} %{_datadir}/node/common.gypi %{_pkgdocdir}/gdbinit @@ -774,7 +736,7 @@ end %{icudatadir}/icudt%{icu_major}*.dat -%if %{?with_libs} == 1 +%if %{with libs} %files libs %{_libdir}/libnode.so.%{nodejs_soversion} %{_libdir}/libv8.so.%{v8_major} @@ -829,13 +791,15 @@ end %changelog -* Mon Dec 13 2021 Zuzana Svetlikova - 1:14.18.2-2 -- Add missing fixes -- Resolves: RHBZ#2027642, RHBZ#2027635 +* Wed May 25 2022 Jan Staněk - 1:14.18.2-2 +- Replace with_* macros with RPM confitionals +- Unify configure calls into single command +- Refactor bootstrap-related parts +- Decouple dependency bundling from bootstrapping * Wed Dec 01 2021 Zuzana Svetlikova - 1:14.18.2-1 -- Resolves: RHBZ#2027609 -- Resolves: RHBZ#2027649, RHBZ#2027646, RHBZ#2027642, RHBZ#2027635 +- Resolves: RHBZ#2026325 +- Resolves: RHBZ#2014130, RHBZ#2014124, RHBZ#2013826, RHBZ#2024921 - Rebase to new version to fix CVEs * Tue Aug 17 2021 Zuzana Svetlikova - 1:14.17.5-1