From 707fa8b842d20f98740c86ca9500f3f5c0cb62f6 Mon Sep 17 00:00:00 2001
From: Honza Horak
Date: Mon, 31 Jul 2023 14:32:10 +0200
Subject: [PATCH] FIPS related options cause a segfault, let's end sooner

Upstream report: https://github.com/nodejs/node/pull/48950
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726

This patch makes the part of the code that processes cmd-line options for FIPS to end sooner before the code gets to the problematic part of the code.
---
 nodejs-fips-disable-options.patch | 20 ++++++++++++++++++++
 nodejs.spec | 7 ++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 nodejs-fips-disable-options.patch
diff --git a/nodejs-fips-disable-options.patch b/nodejs-fips-disable-options.patch
new file mode 100644
index 0000000..998fb91
--- /dev/null
+++ b/nodejs-fips-disable-options.patch
@@ -0,0 +1,20 @@
+FIPS related options cause a segfault, let's end sooner
+
+Upstream report: https://github.com/nodejs/node/pull/48950
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
+
+This patch makes the part of the code that processes cmd-line options for
+FIPS to end sooner before the code gets to the problematic part of the code.
+
+diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/crypto/crypto_util.cc
+--- node-v18.16.1/src/crypto/crypto_util.cc.origfips 2023-07-31 12:09:46.603683081 +0200
++++ node-v18.16.1/src/crypto/crypto_util.cc 2023-07-31 12:16:16.906617914 +0200
+@@ -111,6 +111,8 @@ bool ProcessFipsOptions() {
+ /* Override FIPS settings in configuration file, if needed. */
+ if (per_process::cli_options->enable_fips_crypto ||
+ per_process::cli_options->force_fips_crypto) {
++ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
++ return false;
+ #if OPENSSL_VERSION_MAJOR >= 3
+ OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
+ if (fips_provider == nullptr)
diff --git a/nodejs.spec b/nodejs.spec
index c1bc216..98d88c5 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -29,7 +29,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 2
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
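Review bot: The added `fprintf` in ProcessFipsOptions() tells the user that FIPS options are "not recommended", but the `return false;` right after it rejects them outright whenever `enable_fips_crypto` or `force_fips_crypto` is set, so the message understates what happens; something like `"ERROR: FIPS command-line options are disabled in this build; configure FIPS in OpenSSL instead. ..."` would match the behaviour. Failing closed here is the safer choice, but no OpenSSL error is queued on this path, so if the caller (not visible in this hunk) builds its diagnostic or exit status from the OpenSSL error queue, it is worth confirming the process still exits non-zero. The early return also leaves the rest of the `if` body unreachable, so a comment above it such as `/* Downstream: refuse FIPS options before the code below, which segfaults (RHBZ#2226726) */` would keep the next rebase from dropping or misreading it. The function body continues past the end of the hunk.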
@@ -190,6 +190,7 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
+Patch3: nodejs-fips-disable-options.patch
 BuildRequires: make
 BuildRequires: python3-devel
@@ -629,6 +630,10 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 %changelog
+* Mon Jul 31 2023 Honza Horak - 1:18.16.1-2
+- Fix segfault that happens when processing fips-related options
+ Resolves: BZ#2226726
+
 * Wed Jul 12 2023 Jan Staněk - 1:18.16.1-1
 - Rebase to 18.16.1
 Resolves: rhbz#2188292 rhbz#2187683