deps(cares): update to 1.19.1

This commit is contained in:
Jan Staněk 2023-05-30 13:49:14 +02:00
parent c0fd38de1e
commit 59aab539ea
No known key found for this signature in database
GPG Key ID: 2972F2037B243B6D
6 changed files with 16778 additions and 142 deletions

View File

@ -1,19 +1,18 @@
From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001 From 8a45f34d9d74d59879973210cf06f4383b9832b8 Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova <zsvetlik@redhat.com> From: rpm-build <rpm-build>
Date: Fri, 17 Apr 2020 12:59:44 +0200 Date: Tue, 30 May 2023 13:12:35 +0200
Subject: [PATCH 1/2] Disable running gyp on shared deps Subject: [PATCH] Disable running gyp on shared deps
Signed-off-by: rpm-build <rpm-build>
--- ---
Makefile | 2 +- Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile diff --git a/Makefile b/Makefile
index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644 index 6d6f2e4..88e1a11 100644
--- a/Makefile --- a/Makefile
+++ b/Makefile +++ b/Makefile
@@ -136,11 +136,11 @@ endif @@ -148,7 +148,7 @@ with-code-cache test-code-cache:
.PHONY: test-code-cache
with-code-cache test-code-cache:
$(warning '$@' target is a noop) $(warning '$@' target is a noop)
out/Makefile: config.gypi common.gypi node.gyp \ out/Makefile: config.gypi common.gypi node.gyp \
@ -22,8 +21,6 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
$(PYTHON) tools/gyp_node.py -f make $(PYTHON) tools/gyp_node.py -f make
# node_version.h is listed because the N-API version is taken from there
-- --
2.29.2 2.40.1

View File

@ -1,72 +0,0 @@
From e2ff0fc92ddbaa5535d684e353c55cefe99eb081 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 27 Sep 2022 13:48:12 +0200
Subject: [PATCH] Install both binaries and use libdir
Signed-off-by: rpm-build <rpm-build>
---
configure.py | 7 +++++++
tools/install.py | 8 +++++---
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/configure.py b/configure.py
index 1a7023d..b16db0c 100755
--- a/configure.py
+++ b/configure.py
@@ -739,6 +739,12 @@ parser.add_argument('--shared',
help='compile shared library for embedding node in another project. ' +
'(This mode is not officially supported for regular applications)')
+parser.add_argument('--libdir',
+ action='store',
+ dest='libdir',
+ default='lib',
+ help='a directory to install the shared library into')
+
parser.add_argument('--without-v8-platform',
action='store_true',
dest='without_v8_platform',
@@ -1368,6 +1374,7 @@ def configure_node(o):
o['variables']['node_no_browser_globals'] = b(options.no_browser_globals)
o['variables']['node_shared'] = b(options.shared)
+ o['variables']['libdir'] = options.libdir
node_module_version = getmoduleversion.get_version()
if options.dest_os == 'android':
diff --git a/tools/install.py b/tools/install.py
index a6d1f8b..e3ef9d7 100755
--- a/tools/install.py
+++ b/tools/install.py
@@ -144,6 +144,7 @@ def files(action):
is_windows = sys.platform == 'win32'
output_file = 'node'
output_prefix = 'out/Release/'
+ output_libprefix = output_prefix
if is_windows:
output_file += '.exe'
@@ -151,8 +152,8 @@ def files(action):
if 'true' == variables.get('node_shared'):
if is_windows:
- action([output_prefix + 'libnode.dll'], 'bin/libnode.dll')
- action([output_prefix + 'libnode.lib'], 'lib/libnode.lib')
+ action([output_libprefix + 'libnode.dll'], 'bin/libnode.dll')
+ action([output_libprefix + 'libnode.lib'], 'lib/libnode.lib')
elif sys.platform == 'zos':
# GYP will output to lib.target; see _InstallableTargetInstallPath
# function in tools/gyp/pylib/gyp/generator/make.py
@@ -176,7 +177,8 @@ def files(action):
try_symlink(so_name, link_path)
else:
output_lib = 'libnode.' + variables.get('shlib_suffix')
- action([output_prefix + output_lib], 'lib/' + output_lib)
+ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib)
+
if 'true' == variables.get('node_use_dtrace'):
action(['out/Release/node.d'], 'lib/dtrace/node.d')
--
2.37.3

View File

@ -1,4 +1,4 @@
From df574e2999dc6c2c38138bd0c3ec61dfafe9c929 Mon Sep 17 00:00:00 2001 From abe534dda44a10e1b80a206c996f2e0e42298f7f Mon Sep 17 00:00:00 2001
From: Kornel <kornel@geekhood.net> From: Kornel <kornel@geekhood.net>
Date: Fri, 27 Jan 2023 01:20:38 +0000 Date: Fri, 27 Jan 2023 01:20:38 +0000
Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
@ -41,5 +41,5 @@ index 897798d..79c020a 100644
"repository": "https://github.com/kornelski/http-cache-semantics.git", "repository": "https://github.com/kornelski/http-cache-semantics.git",
"main": "index.js", "main": "index.js",
-- --
2.39.2 2.40.1

View File

@ -1,53 +0,0 @@
From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
Date: Wed, 18 Jan 2023 22:14:26 +0800
Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
stack overflow (#497)
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
the input str and initialize a sortlist configuration.
However, ares_set_sortlist has not any checks about the validity of the input str.
It is very easy to create an arbitrary length stack overflow with the unchecked
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
statements in the config_sortlist call, which could potentially cause severe
security impact in practical programs.
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
potential stack overflows.
fixes #496
Fix By: @hopper-vul
Resolves: CVE-2022-4904
Signed-off-by: rpm-build <rpm-build>
---
deps/cares/src/lib/ares_init.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
index de5d86c..d5858f6 100644
--- a/deps/cares/src/lib/ares_init.c
+++ b/deps/cares/src/lib/ares_init.c
@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
q = str;
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 16)
+ return ARES_EBADSTR;
memcpy(ipbuf, str, q-str);
ipbuf[q-str] = '\0';
/* Find the prefix */
@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
const char *str2 = q+1;
while (*q && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 32)
+ return ARES_EBADSTR;
memcpy(ipbufpfx, str, q-str);
ipbufpfx[q-str] = '\0';
str = str2;
--
2.39.2

File diff suppressed because it is too large Load Diff

View File

@ -30,7 +30,7 @@
# This is used by both the nodejs package and the npm subpackage that # This is used by both the nodejs package and the npm subpackage that
# has a separate version - the name is special so that rpmdev-bumpspec # has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end. # will bump this rather than adding .1 to the end.
%global baserelease 1 %global baserelease 2
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -66,7 +66,7 @@
# c-ares - from deps/cares/include/ares_version.h # c-ares - from deps/cares/include/ares_version.h
# https://github.com/nodejs/node/pull/9332 # https://github.com/nodejs/node/pull/9332
%global c_ares_version 1.18.1 %global c_ares_version 1.19.1
# llhttp - from deps/llhttp/include/llhttp.h # llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_version 6.0.10 %global llhttp_version 6.0.10
@ -181,8 +181,7 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
# CVE-2022-25881 # CVE-2022-25881
Patch2: 0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch Patch2: 0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
# CVE-2022-4904 Patch3: 0003-deps-update-c-ares-to-1.19.1.patch
Patch3: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
BuildRequires: make BuildRequires: make
BuildRequires: python3-devel BuildRequires: python3-devel
@ -724,6 +723,10 @@ end
%changelog %changelog
* Wed May 31 2023 Jan Staněk <jstanek@redhat.com> - 1:16.19.1-2
- Update bundled c-ares to 1.19.1
Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067
* Mon Mar 27 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.19.1-1 * Mon Mar 27 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.19.1-1
- Rebase to 16.19.1 - Rebase to 16.19.1
- Resolves: rhbz#2153714 - Resolves: rhbz#2153714