import nodejs-14.18.2-2.module+el8.7.0+15353+12925ea4

This commit is contained in:
CentOS Sources 2022-05-30 18:28:06 +00:00 committed by Stepan Oksanichenko
parent b73b1e76e3
commit 592c0a96a5
3 changed files with 63 additions and 246 deletions


@ -1,74 +0,0 @@
From e040864f2797b9c705bac5862581d5f190510e04 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 9 Dec 2021 15:48:46 +0100
Subject: [PATCH] deps(ansi-regex): fix potential ReDoS
This is the upstream fix [1] applied to all applicable bundled deps.
[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
Fixes: CVE-2021-3807
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js | 2 +-
.../node_modules/string-width/node_modules/ansi-regex/index.js | 2 +-
.../npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js | 2 +-
deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
index c254480..9e37ec3 100644
--- a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
+++ b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
@@ -6,7 +6,7 @@ module.exports = options => {
}, options);
const pattern = [
- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
].join('|');
diff --git a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
index c4aaecf..7d32201 100644
--- a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
+++ b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
@@ -2,7 +2,7 @@
module.exports = () => {
const pattern = [
- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)',
+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))'
].join('|');
diff --git a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
index c254480..9e37ec3 100644
--- a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
+++ b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
@@ -6,7 +6,7 @@ module.exports = options => {
}, options);
const pattern = [
- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
].join('|');
diff --git a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
index c254480..9e37ec3 100644
--- a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
+++ b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
@@ -6,7 +6,7 @@ module.exports = options => {
}, options);
const pattern = [
- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
].join('|');
--
2.33.1


@ -1,73 +0,0 @@
From 25661e4fc0e7c6a3d47bc189f886af76b1ecafa1 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 9 Dec 2021 13:01:08 +0100
Subject: [PATCH] deps(json-schema): protect against prototype pollution
Amalgamation of the following upstream patches:
https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a
https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa
Fixes: CVE-2021-3918
Signed-off-by: rpm-build <rpm-build>
---
.../node_modules/json-schema/lib/validate.js | 4 +--
.../node_modules/json-schema/test/tests.js | 28 ++++++++++++++++++-
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/deps/npm/node_modules/json-schema/lib/validate.js b/deps/npm/node_modules/json-schema/lib/validate.js
index 4b61088..d05ee86 100644
--- a/deps/npm/node_modules/json-schema/lib/validate.js
+++ b/deps/npm/node_modules/json-schema/lib/validate.js
@@ -209,8 +209,8 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O
}
for(var i in objTypeDef){
- if(objTypeDef.hasOwnProperty(i)){
- var value = instance[i];
+ if(objTypeDef.hasOwnProperty(i) && i != '__proto__' && i != 'constructor'){
+ var value = instance.hasOwnProperty(i) ? instance[i] : undefined;
// skip _not_ specified properties
if (value === undefined && options.existingOnly) continue;
var propDef = objTypeDef[i];
diff --git a/deps/npm/node_modules/json-schema/test/tests.js b/deps/npm/node_modules/json-schema/test/tests.js
index 40eeda5..70f515a 100644
--- a/deps/npm/node_modules/json-schema/test/tests.js
+++ b/deps/npm/node_modules/json-schema/test/tests.js
@@ -91,5 +91,31 @@ var suite = vows.describe('JSON Schema').addBatch({
'Json-Ref self-validates': assertSelfValidates('json-ref'),
'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'),
- 'Json-Ref/Core': assertValidates('json-ref', 'schema')
+ 'Json-Ref/Core': assertValidates('json-ref', 'schema'),
+ prototypePollution: function() {
+ console.log('testing')
+ const instance = JSON.parse(`
+ {
+ "$schema":{
+ "type": "object",
+ "properties":{
+ "__proto__": {
+ "type": "object",
+
+ "properties":{
+ "polluted": {
+ "type": "string",
+ "default": "polluted"
+ }
+ }
+ }
+ },
+ "__proto__": {}
+ }
+ }`);
+
+ const a = {};
+ validate(instance);
+ assert.equal(a.polluted, undefined);
+ }
}).export(module);
--
2.33.1


@ -1,18 +1,34 @@
%global with_debug 0
%global with_libs 0
%bcond_with debug
%bcond_with libs
# PowerPC, s390x and aarch64 segfault during Debug builds
# https://github.com/nodejs/node/issues/20642
%ifarch %{power64} s390x aarch64
%global with_debug 0
%bcond_with debug
%endif
# bundle dependencies that are not available as Fedora modules
# The following macros control the usage of dependencies bundled from upstream.
#
# When to use what:
# - Regular (presumably non-modular) build: use neither (the default in Fedora)
# - Early bootstrapping build that is not intended to be shipped:
# use --with=bootstrap; this will bundle deps and add `~bootstrap` release suffix
# - Build with some dependencies not avalaible in necessary versions (i.e. module build):
# use --with=bundled; will bundle deps, but do not add the suffix
#
# create bootstrapping build with bundled deps and extra release suffix
%bcond_with bootstrap
# bundle dependencies that are not available as Fedora modules
%if %{with bootstrap}
%bcond_without bundled
%else
%bcond_with bundled
%endif
%bcond_without python3_fixup
# == Master Relase ==
# This is used by both the nodejs package and the npm subpackage thar
# This is used by both the nodejs package and the npm subpackage that
# has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end.
%global baserelease 2
@ -29,7 +45,7 @@
%global nodejs_minor 18
%global nodejs_patch 2
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%if %{?with_libs} == 1
%if %{with libs}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 83
%endif
@ -160,7 +176,7 @@ Source7: nodejs_native.attr
# Disable running gyp on bundled deps we don't use
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
%if %{?with_libs} == 1
%if %{with libs}
# Patch to install both node and libnode.so, using the correct libdir
Patch2: 0002-Install-both-binaries-and-use-libdir.patch
%endif
@ -169,9 +185,6 @@ Patch2: 0002-Install-both-binaries-and-use-libdir.patch
# https://github.com/nodejs/node/issues/34903
Patch3: 0004-always-available-fips-options.patch
Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch
Patch5: 0002-deps-json-schema-protect-against-prototype-pollution.patch
BuildRequires: make
BuildRequires: python3-devel
BuildRequires: zlib-devel
@ -186,12 +199,16 @@ BuildRequires: chrpath
BuildRequires: libatomic
BuildRequires: systemtap-sdt-devel
%if %{with bootstrap}
%if %{with bundled}
Provides: bundled(libuv) = %{libuv_version}
Provides: bundled(nghttp2) = %{nghttp2_version}
%else
BuildRequires: libuv-devel >= 1:%{libuv_version}
Requires: libuv >= 1:%{libuv_version}
%endif
%if %{with bundled}
Provides: bundled(nghttp2) = %{nghttp2_version}
%else
BuildRequires: libnghttp2-devel >= %{nghttp2_version}
Requires: libnghttp2 >= %{nghttp2_version}
%endif
@ -206,7 +223,7 @@ Requires: openssl >= %{openssl_minimum}
# we need the system certificate store
Requires: ca-certificates
%if %{?with_libs} == 1
%if %{with libs}
Requires: nodejs-libs%{?_isa} = %{nodejs_epoch}:%{version}-%{release}
%endif
@ -287,9 +304,7 @@ Requires: zlib-devel%{?_isa}
Requires: brotli-devel%{?_isa}
Requires: nodejs-packaging
%if %{with bootstrap}
# deps are bundled
%else
%if %{without bundled}
Requires: libuv-devel%{?_isa}
%endif
@ -297,7 +312,7 @@ Requires: libuv-devel%{?_isa}
Development headers for the Node.js JavaScript runtime.
%if %{?with_libs} == 1
%if %{with libs}
%package libs
Summary: Node.js and v8 libraries
@ -331,7 +346,7 @@ Optional data files to provide full-icu support for Node.js. Remove this
package to save space if non-English locales are not needed.
%if %{?with_libs} == 1
%if %{with libs}
%package -n v8-devel
Summary: v8 - development headers
Epoch: %{v8_epoch}
@ -416,76 +431,29 @@ export CXX='g++'
# build with debugging symbols and add defines from libuv (#892601)
# Node's v8 breaks with GCC 6 because of incorrect usage of methods on
# NULL objects. We need to pass -fno-delete-null-pointer-checks
export CFLAGS='%{optflags} \
-D_LARGEFILE_SOURCE \
-D_FILE_OFFSET_BITS=64 \
-DZLIB_CONST \
-fno-delete-null-pointer-checks'
export CXXFLAGS='%{optflags} \
-D_LARGEFILE_SOURCE \
-D_FILE_OFFSET_BITS=64 \
-DZLIB_CONST \
-fno-delete-null-pointer-checks'
# Explicit new lines in C(XX)FLAGS can break naive build scripts
export CFLAGS="$(echo ${CFLAGS} | tr '\n\\' ' ')"
export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')"
extra_cflags=(
-D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64
-DZLIB_CONST
-fno-delete-null-pointer-checks
)
export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cflags[*]}"
export LDFLAGS="%{build_ldflags}"
%if %{?with_libs} == 1
%if %{with bootstrap}
%{__python3} configure.py --prefix=%{_prefix} \
--shared \
--libdir=%{_lib} \
%{?with_libs:--shared --libdir=%{_lib}} \
--shared-openssl \
--shared-zlib \
--shared-brotli \
--without-dtrace \
--with-intl=small-icu \
--openssl-use-def-ca-store \
--openssl-default-cipher-list=PROFILE=SYSTEM
%else
%{__python3} configure.py --prefix=%{_prefix} \
--shared \
--libdir=%{_lib} \
--shared-openssl \
--shared-zlib \
--shared-brotli \
--shared-libuv \
--shared-nghttp2 \
--with-dtrace \
%{!?with_bundled:--shared-libuv} \
%{!?with_bundled:--shared-nghttp2} \
%{?with_bundled:--without-dtrace}%{!?with_bundled:--with-dtrace} \
--with-intl=small-icu \
--with-icu-default-data-dir=%{icudatadir} \
--openssl-use-def-ca-store \
--openssl-default-cipher-list=PROFILE=SYSTEM
%endif
%else
%if %{with bootstrap}
%{__python3} configure.py --prefix=%{_prefix} \
--shared-openssl \
--shared-zlib \
--shared-brotli \
--without-dtrace \
--with-intl=small-icu \
--openssl-use-def-ca-store \
--openssl-default-cipher-list=PROFILE=SYSTEM
%else
%{__python3} configure.py --prefix=%{_prefix} \
--shared-openssl \
--shared-zlib \
--shared-brotli \
--shared-libuv \
--shared-nghttp2 \
--with-dtrace \
--with-intl=small-icu \
--with-icu-default-data-dir=%{icudatadir} \
--openssl-use-def-ca-store \
--openssl-default-cipher-list=PROFILE=SYSTEM
%endif
%endif
%if %{?with_debug} == 1
%if %{with debug}
# Setting BUILDTYPE=Debug builds both release and debug binaries
make BUILDTYPE=Debug %{?_smp_mflags}
%else
@ -531,12 +499,12 @@ rm -rf %{buildroot}
chmod 0755 %{buildroot}/%{_bindir}/node
chrpath --delete %{buildroot}%{_bindir}/node
%if %{?with_debug} == 1
%if %{with debug}
# Install the debug binary and set its permissions
install -Dpm0755 out/Debug/node %{buildroot}/%{_bindir}/node_g
%endif
%if %{?with_libs} == 1
%if %{with libs}
# Install library symlink
ln -s %{_libdir}/libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/libnode.so
@ -623,7 +591,7 @@ install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/*
%check
%if %{?with_libs} == 1
%if %{with libs}
# Fail the build if the versions don't match
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.node, '%{nodejs_version}')"
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')"
@ -715,7 +683,7 @@ if st and st.type == "directory" then
end
%if %{?with_libs} == 1
%if %{with libs}
%pretrans -n v8-devel -p <lua>
-- Replace the v8 libplatform include directory with a symlink
-- Drop this scriptlet when F30 is EOL
@ -743,9 +711,7 @@ end
%dir %{_datadir}/systemtap/tapset
%{_datadir}/systemtap/tapset/node.stp
%if %{with bootstrap}
# no dtrace
%else
%if %{without bundled}
%dir %{_usr}/lib/dtrace
%{_usr}/lib/dtrace/node.d
%endif
@ -758,13 +724,9 @@ end
%files devel
%if %{?with_debug} == 1
%{_bindir}/node_g
%endif
%{?with_debug:%{_bindir}/node_g}
%{_includedir}/node
%if %{?with_libs} == 1
%{_libdir}/libnode.so
%endif
%{?with_libs:%{_libdir}/libnode.so}
%{_datadir}/node/common.gypi
%{_pkgdocdir}/gdbinit
@ -774,7 +736,7 @@ end
%{icudatadir}/icudt%{icu_major}*.dat
%if %{?with_libs} == 1
%if %{with libs}
%files libs
%{_libdir}/libnode.so.%{nodejs_soversion}
%{_libdir}/libv8.so.%{v8_major}
@ -829,13 +791,15 @@ end
%changelog
* Mon Dec 13 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-2
- Add missing fixes
- Resolves: RHBZ#2027642, RHBZ#2027635
* Wed May 25 2022 Jan Staněk <jstanek@redhat.com> - 1:14.18.2-2
- Replace with_* macros with RPM confitionals
- Unify configure calls into single command
- Refactor bootstrap-related parts
- Decouple dependency bundling from bootstrapping
* Wed Dec 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-1
- Resolves: RHBZ#2027609
- Resolves: RHBZ#2027649, RHBZ#2027646, RHBZ#2027642, RHBZ#2027635
- Resolves: RHBZ#2026325
- Resolves: RHBZ#2014130, RHBZ#2014124, RHBZ#2013826, RHBZ#2024921
- Rebase to new version to fix CVEs
* Tue Aug 17 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.17.5-1
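Review bot: The `Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch` (CVE-2021-3807) and `Patch5: 0002-deps-json-schema-protect-against-prototype-pollution.patch` (CVE-2021-3918) lines disappear from the `@ -169,9 +185,6 @@` hunk, and both patch files are deleted in this commit, while nodejs_patch stays at 2 and baserelease stays at 2, so the rebuilt 1:14.18.2-2 package silently differs in security content from the one described by the removed Dec 13 2021 changelog entry. Unless the 14.18.2 source tarball already carries the upstream fixes for the bundled deps/npm/node_modules copies of ansi-regex and json-schema (not visible here, and the npm bundle is not re-vendored by this spec), dropping the patches reintroduces the ReDoS and prototype-pollution issues that the deleted patches fixed. Either keep the two Patch lines and files, or record the reason in the new changelog entry, e.g. `- Drop ansi-regex/json-schema patches: fixes already in upstream 14.18.2 (CVE-2021-3807, CVE-2021-3918)`, and bump baserelease so the two builds are distinguishable by NVR. The line sides in this rendered section are inferred from the hunk counts rather than explicit markers, so please confirm that Patch4/Patch5 are indeed on the removed side.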