import nodejs-14.21.1-2.module+el8.7.0+17528+a329cd47

CentOS Sources 2022-12-14 18:21:33 +00:00 committed by Stepan Oksanichenko
parent 74f5f9295b
commit 59b7e4df64
6 changed files with 160 additions and 34 deletions

.gitignore vendored

@ -1,2 +1,4 @@
SOURCES/cjs-module-lexer-1.2.2.tar.gz
SOURCES/icu4c-70_1-src.tgz
SOURCES/node-v14.20.1-stripped.tar.gz
SOURCES/node-v14.21.1-stripped.tar.gz
SOURCES/wasi-sdk-wasi-sdk-11.tar.gz


@ -1,2 +1,4 @@
6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz
f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
78984f3659b168dc3712a1cbd49f43c0f62a299f SOURCES/node-v14.20.1-stripped.tar.gz
2812a06625a63430d5f36ce9019cc2df321956e6 SOURCES/node-v14.21.1-stripped.tar.gz
8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz


@ -1,19 +1,18 @@
From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001
From 0daef8b47290ffa866f321173a0a45f7c131f172 Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova <zsvetlik@redhat.com>
Date: Fri, 17 Apr 2020 12:59:44 +0200
Subject: [PATCH 1/2] Disable running gyp on shared deps
Subject: [PATCH] Disable running gyp on shared deps
Signed-off-by: rpm-build <rpm-build>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644
index 82281b5..9e65fc4 100644
--- a/Makefile
+++ b/Makefile
@@ -136,11 +136,11 @@ endif
.PHONY: test-code-cache
with-code-cache test-code-cache:
@@ -143,7 +143,7 @@ with-code-cache test-code-cache:
$(warning '$@' target is a noop)
out/Makefile: config.gypi common.gypi node.gyp \
@ -22,8 +21,6 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
$(PYTHON) tools/gyp_node.py -f make
# node_version.h is listed because the N-API version is taken from there
--
2.29.2
2.38.1


@ -1,4 +1,4 @@
From e12dad58e7c749d65d51e2dd49dece4102ddfa18 Mon Sep 17 00:00:00 2001
From 8fc20d21cd7861ecc4f034ae82234a05227c2c12 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 9 Dec 2021 15:48:46 +0100
Subject: [PATCH] deps(ansi-regex): fix potential ReDoS
@ -41,6 +41,5 @@ index c254480..9e37ec3 100644
].join('|');
--
2.36.1
2.38.1


@ -0,0 +1,98 @@
From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001
From: Jordan Harband <ljharb@gmail.com>
Date: Mon, 27 Dec 2021 19:15:57 -0800
Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999)
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/qs/lib/parse.js | 2 +-
deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++
2 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js
index 8c9872e..08e623a 100644
--- a/deps/npm/node_modules/qs/lib/parse.js
+++ b/deps/npm/node_modules/qs/lib/parse.js
@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) {
) {
obj = [];
obj[index] = leaf;
- } else {
+ } else if (cleanRoot !== '__proto__') {
obj[cleanRoot] = leaf;
}
}
diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js
index 0f8fe45..3e93784 100644
--- a/deps/npm/node_modules/qs/test/parse.js
+++ b/deps/npm/node_modules/qs/test/parse.js
@@ -515,6 +515,66 @@ test('parse()', function (t) {
st.end();
});
+ t.test('dunder proto is ignored', function (st) {
+ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
+ var result = qs.parse(payload, { allowPrototypes: true });
+
+ st.deepEqual(
+ result,
+ {
+ categories: {
+ length: '42'
+ }
+ },
+ 'silent [[Prototype]] payload'
+ );
+
+ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
+
+ st.deepEqual(
+ plainResult,
+ {
+ __proto__: null,
+ categories: {
+ __proto__: null,
+ length: '42'
+ }
+ },
+ 'silent [[Prototype]] payload: plain objects'
+ );
+
+ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
+
+ st.notOk(Array.isArray(query.categories), 'is not an array');
+ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
+ st.deepEqual(query.categories, { some: { json: 'toInject' } });
+ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
+
+ st.deepEqual(
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
+ {
+ foo: {
+ bar: 'stuffs'
+ }
+ },
+ 'hidden values'
+ );
+
+ st.deepEqual(
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
+ {
+ __proto__: null,
+ foo: {
+ __proto__: null,
+ bar: 'stuffs'
+ }
+ },
+ 'hidden values: plain objects'
+ );
+
+ st.end();
+ });
+
t.test('can return null objects', { skip: !Object.create }, function (st) {
var expected = Object.create(null);
expected.a = Object.create(null);
--
2.38.1
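Review bot: The `} else if (cleanRoot !== '__proto__') {` guard lands only in the one copy of qs at deps/npm/node_modules/qs/lib/parse.js; if the bundled npm tree in this Node release carries further nested copies of qs under other dependencies' node_modules (not visible from this patch), each of them needs the same one-line change or the backport leaves the hole open there. The added tests exercise only `allowPrototypes: true`, which appears to be the configuration the fix targets; one assertion with the default options would document that the default path also drops the key and guard against a regression in the other branch. The enclosing parseObject function starts and ends outside the hunk.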


@ -41,7 +41,7 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 14
%global nodejs_minor 20
%global nodejs_minor 21
%global nodejs_patch 1
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
@ -168,10 +168,23 @@ Source100: %{name}-tarball.sh
# nodejs-packaging SRPM.
Source7: nodejs_native.attr
# These are full sources for dependencies included as WASM blobs in the source of Node itself.
# Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to.
# Recipes for creating these blobs are included in the sources.
# Version: jq '.version' deps/cjs-module-lexer/package.json
# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz
# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm
Source101: cjs-module-lexer-1.2.2.tar.gz
# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in.
# Version source: Makefile
Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
# Disable running gyp on bundled deps we don't use
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch
# Dependency vulnerabilities
Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch
Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
BuildRequires: make
BuildRequires: python3-devel
@ -352,6 +365,21 @@ The API documentation for the Node.js JavaScript runtime.
rm -rf deps/zlib
rm -rf deps/brotli
# check for correct versions of dependencies we are bundling
check_wasm_dep() {
local -r name="$1" source="$2" packagejson="$3"
local -r expected_version="$(jq -r '.version' "${packagejson}")"
if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then
printf '%s version matches\n' "${name}" >&2
else
printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
return 1
fi
}
check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json
# Replace any instances of unversioned python' with python3
%if %{with python3_fixup}
pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
@ -668,35 +696,35 @@ end
%changelog
* Thu Dec 08 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-2
- Apply upstream fix for CVE-2022-24999
Resolves: CVE-2022-24999
- Record CVEs fixed by current or previous upstream releases
Resolves: CVE-2021-44906
* Wed Nov 16 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-1
- Rebase to version 14.21.1
Resolves: rhbz#2129805 CVE-2022-43548 CVE-2022-3517
* Fri Oct 07 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-2
- Record issues fixed in the current version
Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824
Resolves: CVE-2022-0235
* Thu Sep 29 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-1
- Rebase to version 14.20.1
Resolves: CVE-2022-35256
* Tue Aug 02 2022 Zuzana Svetlikova <zsvetlik@redhat.com - 1:14.20.0-2
* Mon Aug 22 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.20.0-1
- Rebase to latest release
- Resolves: #2106281, #2108056, #2108061, #2108066, #2108071, #2108139
- Remove libs patch
- Build without corepack
* Wed May 25 2022 Jan Staněk <jstanek@redhat.com> - 1:14.18.2-2
- Replace with_* macros with RPM confitionals
- Unify configure calls into single command
- Refactor bootstrap-related parts
- Decouple dependency bundling from bootstrapping
- Resolves: RHBZ#2111417
* Mon Jul 25 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.20.0-1
- Rebase to latest version
- Resolves: RHBZ#2106367
- CVE fixes for CVE-2022-32212/3/4/5
- Resolves: #2109576, #2109579, #2109582, #2109585
* Tue Jan 11 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-3
- Resolves: RHBZ#2029519
- Add missing BZ to changelog
* Mon Dec 13 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-2
- Add missing fixes
- Resolves: RHBZ#2027641, RHBZ#2027634
* Wed Dec 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-1
- Resolves: RHBZ#2026325
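Review bot: In the check_wasm_dep helper added by the `@ -352,6 +365,21 @@` hunk, `local -r expected_version="$(jq -r '.version' "${packagejson}")"` discards jq's exit status (the `local` itself succeeds), and when jq fails and prints nothing the subsequent `grep -q --fixed-strings ""` matches any filename, so a missing or unreadable package.json is reported as "version matches" instead of failing the build. Splitting declaration from assignment and rejecting an empty or `null` result closes that gap: `local expected_version`, `expected_version="$(jq -r '.version' "${packagejson}")" || return 1`, `[ -n "${expected_version}" ] && [ "${expected_version}" != null ] || return 1`. The fixed-string substring match is also loose — an expected `1.2.2` would accept a tarball named for 1.2.22 — so matching against `-${expected_version}.` or comparing the full expected basename would be stricter. jq must be declared as a BuildRequires for this to run in the build root; that declaration is not visible in this section, so confirm it exists elsewhere in the spec.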