From 6ff3d842a89c5289e560a2257b614ee66a3b45a9 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 9 May 2023 11:27:16 +0000 Subject: [PATCH] import nodejs-16.19.1-1.el9_2 --- .gitignore | 4 +- .nodejs.metadata | 4 +- ...1-Disable-running-gyp-on-shared-deps.patch | 17 +++--- ...semantics-Don-t-use-regex-to-trim-wh.patch | 45 ++++++++++++++++ ...nstalling-dtrace-and-systemtap-files.patch | 31 ----------- ...tr-len-check-in-config_sortlist-to-a.patch | 53 +++++++++++++++++++ SPECS/nodejs.spec | 35 +++++++----- 7 files changed, 135 insertions(+), 54 deletions(-) create mode 100644 SOURCES/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch delete mode 100644 SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch create mode 100644 SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch diff --git a/.gitignore b/.gitignore index a6e94a4..932e368 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ SOURCES/cjs-module-lexer-1.2.2.tar.gz SOURCES/icu4c-71_1-src.tgz -SOURCES/node-v16.18.1-stripped.tar.gz -SOURCES/undici-5.10.0.tar.gz +SOURCES/node-v16.19.1-stripped.tar.gz +SOURCES/undici-5.19.1.tar.gz SOURCES/wasi-sdk-wasi-sdk-11.tar.gz SOURCES/wasi-sdk-wasi-sdk-14.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index 6d890b2..1a06563 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,6 +1,6 @@ b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz 406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz -71f2019e8d646be20ec962859e6a356b13663313 SOURCES/node-v16.18.1-stripped.tar.gz -a2668423c8ed5321e39ce08e239141b084563bb5 SOURCES/undici-5.10.0.tar.gz +b841e32cfbbb8147f84ab25feb5e7a82f8fa1065 SOURCES/node-v16.19.1-stripped.tar.gz +4ba08daec56f2571fc8af493b3a2628d290f9390 SOURCES/undici-5.19.1.tar.gz 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz 900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch index 48202ba..fc528b5 100644 --- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch +++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,18 +1,19 @@ -From 61fd3e74ff223cd59476ef8a69880c57e3312af7 Mon Sep 17 00:00:00 2001 +From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Fri, 17 Apr 2020 12:59:44 +0200 -Subject: [PATCH] Disable running gyp on shared deps +Subject: [PATCH 1/2] Disable running gyp on shared deps -Signed-off-by: rpm-build --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index dc6f08b..c865e72 100644 +index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644 --- a/Makefile +++ b/Makefile -@@ -147,7 +147,7 @@ with-code-cache test-code-cache: +@@ -136,11 +136,11 @@ endif + .PHONY: test-code-cache + with-code-cache test-code-cache: $(warning '$@' target is a noop) out/Makefile: config.gypi common.gypi node.gyp \ @@ -21,6 +22,8 @@ index dc6f08b..c865e72 100644 tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp $(PYTHON) tools/gyp_node.py -f make --- -2.37.3 + + # node_version.h is listed because the N-API version is taken from there +-- +2.29.2 diff --git a/SOURCES/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch b/SOURCES/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch new file mode 100644 index 0000000..278ba06 --- /dev/null +++ b/SOURCES/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch @@ -0,0 +1,45 @@ +From df574e2999dc6c2c38138bd0c3ec61dfafe9c929 Mon Sep 17 00:00:00 2001 +From: Kornel +Date: Fri, 27 Jan 2023 01:20:38 +0000 +Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim + whitespace + +Signed-off-by: rpm-build +--- + deps/npm/node_modules/http-cache-semantics/index.js | 6 +++--- + deps/npm/node_modules/http-cache-semantics/package.json | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/deps/npm/node_modules/http-cache-semantics/index.js b/deps/npm/node_modules/http-cache-semantics/index.js +index 4f6c2f3..39d58a7 100644 +--- a/deps/npm/node_modules/http-cache-semantics/index.js ++++ b/deps/npm/node_modules/http-cache-semantics/index.js +@@ -79,10 +79,10 @@ function parseCacheControl(header) { + + // TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives), + // the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale +- const parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing ++ const parts = header.trim().split(/,/); + for (const part of parts) { +- const [k, v] = part.split(/\s*=\s*/, 2); +- cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting ++ const [k, v] = part.split(/=/, 2); ++ cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, ''); + } + + return cc; +diff --git a/deps/npm/node_modules/http-cache-semantics/package.json b/deps/npm/node_modules/http-cache-semantics/package.json +index 897798d..79c020a 100644 +--- a/deps/npm/node_modules/http-cache-semantics/package.json ++++ b/deps/npm/node_modules/http-cache-semantics/package.json +@@ -1,6 +1,6 @@ + { + "name": "http-cache-semantics", +- "version": "4.1.0", ++ "version": "4.1.1", + "description": "Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies", + "repository": "https://github.com/kornelski/http-cache-semantics.git", + "main": "index.js", +-- +2.39.2 + diff --git a/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch b/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch deleted file mode 100644 index f055d91..0000000 --- a/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 9872b897d6a9a39e3392c39bca70cfd9dd084558 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 26 Sep 2022 16:02:39 +0200 -Subject: [PATCH] install: keep installing dtrace and systemtap files - -Partly reverts commit e27e709d3ca93b3e7036ddc4f4d28dfde228bfb6. - -Signed-off-by: rpm-build ---- - tools/install.py | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/tools/install.py b/tools/install.py -index 4b01d67..dc16797 100755 ---- a/tools/install.py -+++ b/tools/install.py -@@ -178,6 +178,11 @@ def files(action): - output_lib = 'libnode.' + variables.get('shlib_suffix') - action([output_prefix + output_lib], variables.get('libdir') + '/' + output_lib) - -+ if 'true' == variables.get('node_use_dtrace'): -+ action(['out/Release/node.d'], variables.get('libdir') + '/dtrace/node.d') -+ -+ action(['src/node.stp'], 'share/systemtap/tapset/') -+ - action(['deps/v8/tools/gdbinit'], 'share/doc/node/') - action(['deps/v8/tools/lldb_commands.py'], 'share/doc/node/') - --- -2.37.3 - diff --git a/SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch b/SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch new file mode 100644 index 0000000..69763ba --- /dev/null +++ b/SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch @@ -0,0 +1,53 @@ +From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001 +From: hopper-vul <118949689+hopper-vul@users.noreply.github.com> +Date: Wed, 18 Jan 2023 22:14:26 +0800 +Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid + stack overflow (#497) + +In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse +the input str and initialize a sortlist configuration. + +However, ares_set_sortlist has not any checks about the validity of the input str. +It is very easy to create an arbitrary length stack overflow with the unchecked +`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` +statements in the config_sortlist call, which could potentially cause severe +security impact in practical programs. + +This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the +potential stack overflows. + +fixes #496 + +Fix By: @hopper-vul +Resolves: CVE-2022-4904 + +Signed-off-by: rpm-build +--- + deps/cares/src/lib/ares_init.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c +index de5d86c..d5858f6 100644 +--- a/deps/cares/src/lib/ares_init.c ++++ b/deps/cares/src/lib/ares_init.c +@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + q = str; + while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 16) ++ return ARES_EBADSTR; + memcpy(ipbuf, str, q-str); + ipbuf[q-str] = '\0'; + /* Find the prefix */ +@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort, + const char *str2 = q+1; + while (*q && *q != ';' && !ISSPACE(*q)) + q++; ++ if (q-str >= 32) ++ return ARES_EBADSTR; + memcpy(ipbufpfx, str, q-str); + ipbufpfx[q-str] = '\0'; + str = str2; +-- +2.39.2 + diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 51541db..ca7644b 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -30,7 +30,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 3 +%global baserelease 1 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -41,7 +41,7 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 16 -%global nodejs_minor 18 +%global nodejs_minor 19 %global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -118,7 +118,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 8.19.2 +%global npm_version 8.19.3 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -170,16 +170,19 @@ Source101: cjs-module-lexer-1.2.2.tar.gz Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz # Version: jq '.version' deps/undici/src/package.json -# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.10.0.tar.gz -# Adjustments: rm -f undici-5.10.0/lib/llhttp/llhttp*.wasm* -Source111: undici-5.10.0.tar.gz +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.19.1.tar.gz +# Adjustments: rm -f undici-5.19.1/lib/llhttp/llhttp*.wasm* +Source111: undici-5.19.1.tar.gz # The WASM blob was made using wasi-sdk v14; compiler libraries are linked in. # Version source: build/Dockerfile Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch -Patch2: 0002-install-keep-installing-dtrace-and-systemtap-files.patch +# CVE-2022-25881 +Patch2: 0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch +# CVE-2022-4904 +Patch3: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch BuildRequires: make BuildRequires: python3-devel @@ -204,15 +207,15 @@ BuildRequires: systemtap-sdt-devel %if %{with bundled} Provides: bundled(libuv) = %{libuv_version} %else -BuildRequires: libuv-devel >= 1:%{libuv_version} -Requires: libuv-devel >= 1:%{libuv_version} +BuildRequires: libuv-devel >= 1:%{libuv_version} +Requires: libuv >= 1:%{libuv_version} %endif %if %{with bundled} || !(0%{?fedora} || 0%{?rhel} >= 9) Provides: bundled(nghttp2) = %{nghttp2_version} %else -BuildRequires: libnghttp2-devel >= %{nghttp2_version} -Requires: libnghttp2-devel >= %{nghttp2_version} +BuildRequires: libnghttp2-devel >= %{nghttp2_version} +Requires: libnghttp2 >= %{nghttp2_version} %endif # Temporarily bundle llhttp because the upstream doesn't @@ -694,10 +697,12 @@ end %doc %{_mandir}/man1/npx.1* %doc %{_mandir}/man5/folders.5* %doc %{_mandir}/man5/install.5* +%doc %{_mandir}/man5/npm-global.5* +%doc %{_mandir}/man5/npm-json.5* +%doc %{_mandir}/man5/npm-shrinkwrap-json.5* %doc %{_mandir}/man5/npmrc.5* %doc %{_mandir}/man5/package-json.5* %doc %{_mandir}/man5/package-lock-json.5* -%doc %{_mandir}/man5/npm-shrinkwrap-json.5* %doc %{_mandir}/man7/config.7* %doc %{_mandir}/man7/dependency-selectors.7* %doc %{_mandir}/man7/developers.7* @@ -719,6 +724,12 @@ end %changelog +* Mon Mar 27 2023 Zuzana Svetlikova - 1:16.19.1-1 +- Rebase to 16.19.1 +- Resolves: rhbz#2153714 +- Resolves: CVE-2023-23918 CVE-2023-23919 CVE-2023-23936 CVE-2023-24807 CVE-2023-23920 +- Resolves: CVE-2022-25881 CVE-2022-4904 + * Wed Dec 07 2022 Jan Staněk - 1:16.18.1-3 - Update sources of undici WASM blobs Resolves: rhbz#2151617