From 59b7e4df64740ffe873bfffb399f7dcafe9e268b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Wed, 14 Dec 2022 18:21:33 +0000 Subject: [PATCH] import nodejs-14.21.1-2.module+el8.7.0+17528+a329cd47 --- .gitignore | 4 +- .nodejs.metadata | 4 +- ...1-Disable-running-gyp-on-shared-deps.patch | 15 ++- ...deps-ansi-regex-fix-potential-ReDoS.patch} | 5 +- ...ignore-__proto__-keys-CVE-2022-24999.patch | 98 +++++++++++++++++++ SPECS/nodejs.spec | 68 +++++++++---- 6 files changed, 160 insertions(+), 34 deletions(-) rename SOURCES/{0001-deps-ansi-regex-fix-potential-ReDoS.patch => 0002-deps-ansi-regex-fix-potential-ReDoS.patch} (96%) create mode 100644 SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch diff --git a/.gitignore b/.gitignore index a820bb2..c9ee73e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ +SOURCES/cjs-module-lexer-1.2.2.tar.gz SOURCES/icu4c-70_1-src.tgz -SOURCES/node-v14.20.1-stripped.tar.gz +SOURCES/node-v14.21.1-stripped.tar.gz +SOURCES/wasi-sdk-wasi-sdk-11.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index 1a82f0b..d20d8cd 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,4 @@ +6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz -78984f3659b168dc3712a1cbd49f43c0f62a299f SOURCES/node-v14.20.1-stripped.tar.gz +2812a06625a63430d5f36ce9019cc2df321956e6 SOURCES/node-v14.21.1-stripped.tar.gz +8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch index 361ea08..1a12d5f 100644 --- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch +++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,19 +1,18 @@ -From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001 +From 0daef8b47290ffa866f321173a0a45f7c131f172 Mon Sep 17 00:00:00 2001 
From: Zuzana Svetlikova Date: Fri, 17 Apr 2020 12:59:44 +0200 -Subject: [PATCH 1/2] Disable running gyp on shared deps +Subject: [PATCH] Disable running gyp on shared deps +Signed-off-by: rpm-build --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644 +index 82281b5..9e65fc4 100644 --- a/Makefile +++ b/Makefile -@@ -136,11 +136,11 @@ endif - .PHONY: test-code-cache - with-code-cache test-code-cache: +@@ -143,7 +143,7 @@ with-code-cache test-code-cache: $(warning '$@' target is a noop) out/Makefile: config.gypi common.gypi node.gyp \ @@ -22,8 +21,6 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp $(PYTHON) tools/gyp_node.py -f make - - # node_version.h is listed because the N-API version is taken from there -- -2.29.2 +2.38.1 diff --git a/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch b/SOURCES/0002-deps-ansi-regex-fix-potential-ReDoS.patch similarity index 96% rename from SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch rename to SOURCES/0002-deps-ansi-regex-fix-potential-ReDoS.patch index 3287b6c..e486e3e 100644 --- a/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch +++ b/SOURCES/0002-deps-ansi-regex-fix-potential-ReDoS.patch @@ -1,4 +1,4 @@ -From e12dad58e7c749d65d51e2dd49dece4102ddfa18 Mon Sep 17 00:00:00 2001 +From 8fc20d21cd7861ecc4f034ae82234a05227c2c12 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Thu, 9 Dec 2021 15:48:46 +0100 Subject: [PATCH] deps(ansi-regex): fix potential ReDoS @@ -41,6 +41,5 @@ index c254480..9e37ec3 100644 ].join('|'); -- -2.36.1 - +2.38.1 
diff --git a/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch b/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
new file mode 100644
index 0000000..81064b3
--- /dev/null
+++ b/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
@@ -0,0 +1,98 @@
+From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001
+From: Jordan Harband
+Date: Mon, 27 Dec 2021 19:15:57 -0800
+Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999)
+
+Signed-off-by: rpm-build
+---
+ deps/npm/node_modules/qs/lib/parse.js | 2 +-
+ deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+), 1 deletion(-)
+
+diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js
+index 8c9872e..08e623a 100644
+--- a/deps/npm/node_modules/qs/lib/parse.js
++++ b/deps/npm/node_modules/qs/lib/parse.js
+@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) {
+ ) {
+ obj = [];
+ obj[index] = leaf;
+- } else {
++ } else if (cleanRoot !== '__proto__') {
+ obj[cleanRoot] = leaf;
+ }
+ }
+diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js
+index 0f8fe45..3e93784 100644
+--- a/deps/npm/node_modules/qs/test/parse.js
++++ b/deps/npm/node_modules/qs/test/parse.js
+@@ -515,6 +515,66 @@ test('parse()', function (t) {
+ st.end();
+ });
+
++ t.test('dunder proto is ignored', function (st) {
++ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
++ var result = qs.parse(payload, { allowPrototypes: true });
++
++ st.deepEqual(
++ result,
++ {
++ categories: {
++ length: '42'
++ }
++ },
++ 'silent [[Prototype]] payload'
++ );
++
++ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
++
++ st.deepEqual(
++ plainResult,
++ {
++ __proto__: null,
++ categories: {
++ __proto__: null,
++ length: '42'
++ }
++ },
++ 'silent [[Prototype]] payload: plain objects'
++ );
++
++ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
++
++ st.notOk(Array.isArray(query.categories), 'is not an array');
++ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
++ st.deepEqual(query.categories, { some: { json: 'toInject' } });
++ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
++
++ st.deepEqual(
++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
++ {
++ foo: {
++ bar: 'stuffs'
++ }
++ },
++ 'hidden values'
++ );
++
++ st.deepEqual(
++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
++ {
++ __proto__: null,
++ foo: {
++ __proto__: null,
++ bar: 'stuffs'
++ }
++ },
++ 'hidden values: plain objects'
++ );
++
++ st.end();
++ });
++
+ t.test('can return null objects', { skip: !Object.create }, function (st) {
+ var expected = Object.create(null);
+ expected.a = Object.create(null);
+--
+2.38.1
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index ed30860..81b8048 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -41,7 +41,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 14
-%global nodejs_minor 20
+%global nodejs_minor 21
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
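Review bot: The new guard `} else if (cleanRoot !== '__proto__') {` silently discards the offending segment instead of rejecting the query, and the hunk carries no comment saying so; the next rebase of the bundled npm will hit this one-line conflict and the intent should be readable in place, e.g. `// CVE-2022-24999: never use a '__proto__' segment as a key — obj['__proto__'] = leaf would set [[Prototype]]; drop it silently, as upstream qs does`. The guard covers only this assignment site; how `constructor`/`prototype` segments are treated depends on the `allowPrototypes` handling elsewhere in parse.js, which is outside this hunk, and `parseObject` itself continues past the hunk. The test hunk against `deps/npm/node_modules/qs/test/parse.js` is not run by anything visible in this change, so if `%check` does not exercise npm's bundled test suite, a one-line smoke test in `%check` that parses the `categories[__proto__]=cats&...` payload from the test with `{ allowPrototypes: true }` and asserts that `categories` is not an Array would actually verify the backport against the installed qs.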
@@ -168,10 +168,23 @@ Source100: %{name}-tarball.sh
 # nodejs-packaging SRPM.
 Source7: nodejs_native.attr
 
+# These are full sources for dependencies included as WASM blobs in the source of Node itself.
+# Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to.
+# Recipes for creating these blobs are included in the sources.
+
+# Version: jq '.version' deps/cjs-module-lexer/package.json
+# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz
+# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm
+Source101: cjs-module-lexer-1.2.2.tar.gz
+# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in.
+# Version source: Makefile
+Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
+
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
-
-Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch
+# Dependency vulnerabilities
+Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch
+Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
@@ -352,6 +365,21 @@ The API documentation for the Node.js JavaScript runtime.
 rm -rf deps/zlib
 rm -rf deps/brotli
 
+# check for correct versions of dependencies we are bundling
+check_wasm_dep() {
+ local -r name="$1" source="$2" packagejson="$3"
+ local -r expected_version="$(jq -r '.version' "${packagejson}")"
+
+ if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then
+ printf '%s version matches\n' "${name}" >&2
+ else
+ printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
+ return 1
+ fi
+}
+
+check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json
+
 # Replace any instances of unversioned python' with python3
 %if %{with python3_fixup}
 pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
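Review bot: In `check_wasm_dep`, `ls "${source}"|grep -q --fixed-strings "${expected_version}"` is an unanchored substring match on the tarball's path, so `1.2.2` would also accept `cjs-module-lexer-11.2.20.tar.gz` or a build directory whose name happens to contain those digits, and it says nothing about what is inside the archive. Source101 is a hand-adjusted upstream tarball (the earlier hunk documents `rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm`), so the one automated guard here should also assert that the prebuilt `lib/lexer.wasm` is really absent, otherwise a tarball re-uploaded without that adjustment would silently ship an unrebuilt binary blob. Comparing the exact basename and listing the archive covers both, as sketched below. Two smaller points: `jq` needs a `BuildRequires: jq` that is not visible in this hunk, and `return 1` only stops the build if the generated %prep script runs with `set -e` (which rpmbuild's does, as far as I recall), so `check_wasm_dep … || exit 1` at the call site is the explicit form.
```rpm-spec
# check for correct versions of dependencies we are bundling
check_wasm_dep() {
  local -r name="$1" source="$2" packagejson="$3" blob="${4:-}"
  local -r expected_version="$(jq -r '.version' "${packagejson}")"

  # Exact basename match rather than a substring search over the whole path
  if [ "$(basename "${source}")" != "${name}-${expected_version}.tar.gz" ]; then
    printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
    return 1
  fi
  # The tarball is hand-adjusted to drop the prebuilt blob; make sure it is really gone
  if [ -n "${blob}" ] && tar -tzf "${source}" | grep -qF -- "/${blob}"; then
    printf '%s: prebuilt %s still present in %s\n' "${name}" "${blob}" "${source}" >&2
    return 1
  fi
  printf '%s version matches\n' "${name}" >&2
}

check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json lib/lexer.wasm || exit 1
```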
@@ -668,35 +696,35 @@ end %changelog +* Thu Dec 08 2022 Jan Staněk - 1:14.21.1-2 +- Apply upstream fix for CVE-2022-24999 + Resolves: CVE-2022-24999 +- Record CVEs fixed by current or previous upstream releases + Resolves: CVE-2021-44906 + +* Wed Nov 16 2022 Jan Staněk - 1:14.21.1-1 +- Rebase to version 14.21.1 + Resolves: rhbz#2129805 CVE-2022-43548 CVE-2022-3517 + * Fri Oct 07 2022 Jan Staněk - 1:14.20.1-2 - Record issues fixed in the current version Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 - Resolves: CVE-2022-0235 * Thu Sep 29 2022 Jan Staněk - 1:14.20.1-1 - Rebase to version 14.20.1 Resolves: CVE-2022-35256 -* Tue Aug 02 2022 Zuzana Svetlikova - 1:14.20.0-1 +- Rebase to latest release +- Resolves: #2106281, #2108056, #2108061, #2108066, #2108071, #2108139 +- Remove libs patch +- Build without corepack + +* Wed May 25 2022 Jan Staněk - 1:14.18.2-2 - Replace with_* macros with RPM confitionals - Unify configure calls into single command - Refactor bootstrap-related parts - Decouple dependency bundling from bootstrapping -- Resolves: RHBZ#2111417 - -* Mon Jul 25 2022 Zuzana Svetlikova - 1:14.20.0-1 -- Rebase to latest version -- Resolves: RHBZ#2106367 -- CVE fixes for CVE-2022-32212/3/4/5 -- Resolves: #2109576, #2109579, #2109582, #2109585 - -* Tue Jan 11 2022 Zuzana Svetlikova - 1:14.18.2-3 -- Resolves: RHBZ#2029519 -- Add missing BZ to changelog - -* Mon Dec 13 2021 Zuzana Svetlikova - 1:14.18.2-2 -- Add missing fixes -- Resolves: RHBZ#2027641, RHBZ#2027634 * Wed Dec 01 2021 Zuzana Svetlikova - 1:14.18.2-1 - Resolves: RHBZ#2026325