import nodejs-10.23.1-1.module+el8.3.0+9502+012d8a97
This commit is contained in:
parent
cfd152fae3
commit
61d8617731
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/icu4c-64_2-src.tgz
|
||||
SOURCES/node-v10.22.1-stripped.tar.gz
|
||||
SOURCES/node-v10.23.1-stripped.tar.gz
|
||||
|
@ -1,2 +1,2 @@
|
||||
3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz
|
||||
a01d2d98c34466fa8fe50658fbddae1bcc11b486 SOURCES/node-v10.22.1-stripped.tar.gz
|
||||
21b2943f71c0aa6c9271da21c3f09f52451be8fa SOURCES/node-v10.23.1-stripped.tar.gz
|
||||
|
@ -0,0 +1,13 @@
|
||||
diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
|
||||
index d720681628..727362aac0 100644
|
||||
--- a/deps/npm/node_modules/y18n/index.js
|
||||
+++ b/deps/npm/node_modules/y18n/index.js
|
||||
@@ -11,7 +11,7 @@ function Y18N (opts) {
|
||||
this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
|
||||
|
||||
// internal stuff.
|
||||
- this.cache = {}
|
||||
+ this.cache = Object.create(null)
|
||||
this.writeQueue = []
|
||||
}
|
||||
|
@ -1,103 +0,0 @@
|
||||
From 6aaa4f232f872ffbb60b8a2e2282748e22a9891f Mon Sep 17 00:00:00 2001
|
||||
From: Marco Carini <cmdcarini@gmail.com>
|
||||
Date: Mon, 3 Aug 2020 17:16:07 -0500
|
||||
Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/npm/node_modules/dot-prop/index.js | 18 ++++++++++++++++++
|
||||
deps/npm/node_modules/dot-prop/package.json | 6 +++---
|
||||
deps/npm/node_modules/dot-prop/readme.md | 2 ++
|
||||
3 files changed, 23 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js
|
||||
index 15282bb..189831c 100644
|
||||
--- a/deps/npm/node_modules/dot-prop/index.js
|
||||
+++ b/deps/npm/node_modules/dot-prop/index.js
|
||||
@@ -1,6 +1,14 @@
|
||||
'use strict';
|
||||
const isObj = require('is-obj');
|
||||
|
||||
+const disallowedKeys = [
|
||||
+ '__proto__',
|
||||
+ 'prototype',
|
||||
+ 'constructor'
|
||||
+];
|
||||
+
|
||||
+const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
|
||||
+
|
||||
function getPathSegments(path) {
|
||||
const pathArr = path.split('.');
|
||||
const parts = [];
|
||||
@@ -16,6 +24,10 @@ function getPathSegments(path) {
|
||||
parts.push(p);
|
||||
}
|
||||
|
||||
+ if (!isValidPath(parts)) {
|
||||
+ return [];
|
||||
+ }
|
||||
+
|
||||
return parts;
|
||||
}
|
||||
|
||||
@@ -26,6 +38,9 @@ module.exports = {
|
||||
}
|
||||
|
||||
const pathArr = getPathSegments(path);
|
||||
+ if (pathArr.length === 0) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
for (let i = 0; i < pathArr.length; i++) {
|
||||
if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
|
||||
@@ -58,6 +73,9 @@ module.exports = {
|
||||
|
||||
const root = obj;
|
||||
const pathArr = getPathSegments(path);
|
||||
+ if (pathArr.length === 0) {
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
for (let i = 0; i < pathArr.length; i++) {
|
||||
const p = pathArr[i];
|
||||
diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json
|
||||
index 40fefa3..93daf7d 100644
|
||||
--- a/deps/npm/node_modules/dot-prop/package.json
|
||||
+++ b/deps/npm/node_modules/dot-prop/package.json
|
||||
@@ -37,9 +37,9 @@
|
||||
"deprecated": false,
|
||||
"description": "Get, set, or delete a property from a nested object using a dot path",
|
||||
"devDependencies": {
|
||||
- "ava": "*",
|
||||
+ "ava": "1.4.1",
|
||||
"matcha": "^0.7.0",
|
||||
- "xo": "*"
|
||||
+ "xo": "0.24.0"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=4"
|
||||
@@ -73,7 +73,7 @@
|
||||
"bench": "matcha bench.js",
|
||||
"test": "xo && ava"
|
||||
},
|
||||
- "version": "4.2.0",
|
||||
+ "version": "4.2.1",
|
||||
"xo": {
|
||||
"esnext": true
|
||||
}
|
||||
diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md
|
||||
index fab3b7a..0e18f78 100644
|
||||
--- a/deps/npm/node_modules/dot-prop/readme.md
|
||||
+++ b/deps/npm/node_modules/dot-prop/readme.md
|
||||
@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.
|
||||
|
||||
Use `\\.` if you have a `.` in the key.
|
||||
|
||||
+The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
|
||||
+
|
||||
#### value
|
||||
|
||||
Type: `any`
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,99 @@
|
||||
From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001
|
||||
From: isaacs <i@izs.me>
|
||||
Date: Tue, 8 Dec 2020 14:21:50 -0800
|
||||
Subject: [PATCH] do not allow invalid hazardous string as section name
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/npm/node_modules/ini/ini.js | 8 +++++
|
||||
deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
|
||||
2 files changed, 53 insertions(+)
|
||||
create mode 100644 deps/npm/node_modules/ini/test/proto.js
|
||||
|
||||
diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
|
||||
index 590195d..0401258 100644
|
||||
--- a/deps/npm/node_modules/ini/ini.js
|
||||
+++ b/deps/npm/node_modules/ini/ini.js
|
||||
@@ -80,6 +80,12 @@ function decode (str) {
|
||||
if (!match) return
|
||||
if (match[1] !== undefined) {
|
||||
section = unsafe(match[1])
|
||||
+ if (section === '__proto__') {
|
||||
+ // not allowed
|
||||
+ // keep parsing the section, but don't attach it.
|
||||
+ p = {}
|
||||
+ return
|
||||
+ }
|
||||
p = out[section] = out[section] || {}
|
||||
return
|
||||
}
|
||||
@@ -94,6 +100,7 @@ function decode (str) {
|
||||
// Convert keys with '[]' suffix to an array
|
||||
if (key.length > 2 && key.slice(-2) === '[]') {
|
||||
key = key.substring(0, key.length - 2)
|
||||
+ if (key === '__proto__') return
|
||||
if (!p[key]) {
|
||||
p[key] = []
|
||||
} else if (!Array.isArray(p[key])) {
|
||||
@@ -125,6 +132,7 @@ function decode (str) {
|
||||
var l = parts.pop()
|
||||
var nl = l.replace(/\\\./g, '.')
|
||||
parts.forEach(function (part, _, __) {
|
||||
+ if (part === '__proto__') return
|
||||
if (!p[part] || typeof p[part] !== 'object') p[part] = {}
|
||||
p = p[part]
|
||||
})
|
||||
diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
|
||||
new file mode 100644
|
||||
index 0000000..ab35533
|
||||
--- /dev/null
|
||||
+++ b/deps/npm/node_modules/ini/test/proto.js
|
||||
@@ -0,0 +1,45 @@
|
||||
+var ini = require('../')
|
||||
+var t = require('tap')
|
||||
+
|
||||
+var data = `
|
||||
+__proto__ = quux
|
||||
+foo = baz
|
||||
+[__proto__]
|
||||
+foo = bar
|
||||
+[other]
|
||||
+foo = asdf
|
||||
+[kid.__proto__.foo]
|
||||
+foo = kid
|
||||
+[arrproto]
|
||||
+hello = snyk
|
||||
+__proto__[] = you did a good job
|
||||
+__proto__[] = so you deserve arrays
|
||||
+thanks = true
|
||||
+`
|
||||
+var res = ini.parse(data)
|
||||
+t.deepEqual(res, {
|
||||
+ foo: 'baz',
|
||||
+ other: {
|
||||
+ foo: 'asdf',
|
||||
+ },
|
||||
+ kid: {
|
||||
+ foo: {
|
||||
+ foo: 'kid',
|
||||
+ },
|
||||
+ },
|
||||
+ arrproto: {
|
||||
+ hello: 'snyk',
|
||||
+ thanks: true,
|
||||
+ },
|
||||
+})
|
||||
+t.equal(res.__proto__, Object.prototype)
|
||||
+t.equal(res.kid.__proto__, Object.prototype)
|
||||
+t.equal(res.kid.foo.__proto__, Object.prototype)
|
||||
+t.equal(res.arrproto.__proto__, Object.prototype)
|
||||
+t.equal(Object.prototype.foo, undefined)
|
||||
+t.equal(Object.prototype[0], undefined)
|
||||
+t.equal(Object.prototype['0'], undefined)
|
||||
+t.equal(Object.prototype[1], undefined)
|
||||
+t.equal(Object.prototype['1'], undefined)
|
||||
+t.equal(Array.prototype[0], undefined)
|
||||
+t.equal(Array.prototype[1], undefined)
|
||||
--
|
||||
2.29.2
|
||||
|
@ -24,7 +24,7 @@
|
||||
# than a Fedora release lifecycle.
|
||||
%global nodejs_epoch 1
|
||||
%global nodejs_major 10
|
||||
%global nodejs_minor 22
|
||||
%global nodejs_minor 23
|
||||
%global nodejs_patch 1
|
||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||
@ -57,7 +57,7 @@
|
||||
# http-parser - from deps/http_parser/http_parser.h
|
||||
%global http_parser_major 2
|
||||
%global http_parser_minor 9
|
||||
%global http_parser_patch 3
|
||||
%global http_parser_patch 4
|
||||
%global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch}
|
||||
|
||||
# libuv - from deps/uv/include/uv/version.h
|
||||
@ -94,7 +94,7 @@
|
||||
%global npm_epoch 1
|
||||
%global npm_major 6
|
||||
%global npm_minor 14
|
||||
%global npm_patch 6
|
||||
%global npm_patch 10
|
||||
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
||||
|
||||
# In order to avoid needing to keep incrementing the release version for the
|
||||
@ -103,7 +103,7 @@
|
||||
# base npm version number is increasing.
|
||||
%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
|
||||
|
||||
# brotli - from deps/brotli/common/version.h
|
||||
# brotli - from deps/brotli/c/common/version.h
|
||||
# v10.x doesn't have --shared-brotli configure option, so we have to bundle it
|
||||
%global brotli_major 1
|
||||
%global brotli_minor 0
|
||||
@ -146,8 +146,11 @@ Patch2: 0002-Suppress-NPM-message-to-run-global-update.patch
|
||||
# https://github.com/nodejs/node/pull/30825
|
||||
Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
|
||||
|
||||
# CVE-2020-8116
|
||||
Patch4: 0004-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
|
||||
# CVE-2020-7774
|
||||
Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
|
||||
|
||||
# CVE-2020-7788
|
||||
Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
|
||||
|
||||
BuildRequires: python2-devel
|
||||
BuildRequires: python3-devel
|
||||
@ -622,6 +625,15 @@ end
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1
|
||||
- January Security release
|
||||
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
|
||||
- Rebase to 10.23.1
|
||||
- Resolves: RHBZ#1916461, RHBZ#1914789
|
||||
- Resolves: RHBZ#1914783, RHBZ#1916462, RHBZ#1916395, RHBZ#1916459
|
||||
- Resolves: RHBZ#1916691, RHBZ#1916689, RHBZ#1916388
|
||||
- Remove dot-prop patch, as it is fixed by npm rebase
|
||||
|
||||
* Tue Sep 22 2020 Jan Staněk <jstanek@redhat.com> - 1:10.22.1-1
|
||||
- Security rebase to 10.22.1
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user