import nodejs-12.21.0-1.module+el8.3.0+10191+34fb5a07

2021-03-04 10:19:12 -05:00 · 2021-03-04 10:19:12 -05:00 · 75701e8b68
parent 8ea90a1f4e
commit 75701e8b68
5 changed files with 85 additions and 113 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.20.1-stripped.tar.gz
+SOURCES/node-v12.21.0-stripped.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,2 +1,2 @@
 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
-f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896 SOURCES/node-v12.20.1-stripped.tar.gz
+a169a24b69f9ad0ad75f38d1857a8411017843bd SOURCES/node-v12.21.0-stripped.tar.gz
--- a/SOURCES/0003-src-use-getauxval-in-node_main.cc.patch
+++ b/SOURCES/0003-src-use-getauxval-in-node_main.cc.patch
@ -0,0 +1,70 @@
+From 63b2d16ea3985b62be372ea1da7987dc32ddcc3b Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius <daniel.bevenius@gmail.com>
+Date: Tue, 2 Jun 2020 05:33:25 +0200
+Subject: [PATCH 3/3] src: use getauxval in node_main.cc
+
+This commit suggests using getauxval in node_main.cc.
+
+The motivation for this is that getauxval was introduced in glibc 2.16
+and looking at BUILDING.md, in the 'Platform list' section, it looks
+like we now support glibc >= 2.17 and perhaps this change would be
+alright now.
+
+PR-URL: https://github.com/nodejs/node/pull/33693
+Refs: https://github.com/nodejs/node/pull/12548
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: David Carlier <devnexen@gmail.com>
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
+Reviewed-By: James M Snell <jasnell@gmail.com>
+---
+ src/node_main.cc | 18 ++----------------
+ 1 file changed, 2 insertions(+), 16 deletions(-)
+
+diff --git a/src/node_main.cc b/src/node_main.cc
+index e92c0df94297e2ece43dbdf71166e555713ef6f2..70be5b83fafcde596e65086b08305aa89702fd52 100644
+--- a/src/node_main.cc
+++ b/src/node_main.cc
+@@ -72,17 +72,11 @@ int wmain(int argc, wchar_t* wargv[]) {
+   return node::Start(argc, argv);
+ }
+ #else
+ // UNIX
+ #ifdef __linux__
+-#include <elf.h>
+-#ifdef __LP64__
+-#define Elf_auxv_t Elf64_auxv_t
+-#else
+-#define Elf_auxv_t Elf32_auxv_t
+-#endif  // __LP64__
+-extern char** environ;
+#include <sys/auxv.h>
+ #endif  // __linux__
+ #if defined(__POSIX__) && defined(NODE_SHARED_MODE)
+ #include <string.h>
+ #include <signal.h>
+ #endif
+@@ -107,19 +101,11 @@ int main(int argc, char* argv[]) {
+     sigaction(SIGPIPE, &act, nullptr);
+   }
+ #endif
+ 
+ #if defined(__linux__)
+-  char** envp = environ;
+-  while (*envp++ != nullptr) {}
+-  Elf_auxv_t* auxv = reinterpret_cast<Elf_auxv_t*>(envp);
+-  for (; auxv->a_type != AT_NULL; auxv++) {
+-    if (auxv->a_type == AT_SECURE) {
+-      node::per_process::linux_at_secure = auxv->a_un.a_val;
+-      break;
+-    }
+-  }
+  node::per_process::linux_at_secure = getauxval(AT_SECURE);
+ #endif
+   // Disable stdio buffering, it interacts poorly with printf()
+   // calls elsewhere in the program (e.g., any logging from V8.)
+   setvbuf(stdout, nullptr, _IONBF, 0);
+   setvbuf(stderr, nullptr, _IONBF, 0);
+-- 
+2.30.1
+
--- a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+++ b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
@ -1,99 +0,0 @@
-From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
-From: isaacs <i@izs.me>
-Date: Tue, 8 Dec 2020 14:21:50 -0800
-Subject: [PATCH] do not allow invalid hazardous string as section name
-
-Signed-off-by: rpm-build <rpm-build>
---
- deps/npm/node_modules/ini/ini.js        |  8 +++++
- deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
- 2 files changed, 53 insertions(+)
- create mode 100644 deps/npm/node_modules/ini/test/proto.js
-
-diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
-index 590195d..0401258 100644
--- a/deps/npm/node_modules/ini/ini.js
-+++ b/deps/npm/node_modules/ini/ini.js
-@@ -80,6 +80,12 @@ function decode (str) {
-     if (!match) return
-     if (match[1] !== undefined) {
-       section = unsafe(match[1])
-+      if (section === '__proto__') {
-+        // not allowed
-+        // keep parsing the section, but don't attach it.
-+        p = {}
-+        return
-+      }
-       p = out[section] = out[section] || {}
-       return
-     }
-@@ -94,6 +100,7 @@ function decode (str) {
-     // Convert keys with '[]' suffix to an array
-     if (key.length > 2 && key.slice(-2) === '[]') {
-       key = key.substring(0, key.length - 2)
-+      if (key === '__proto__') return
-       if (!p[key]) {
-         p[key] = []
-       } else if (!Array.isArray(p[key])) {
-@@ -125,6 +132,7 @@ function decode (str) {
-     var l = parts.pop()
-     var nl = l.replace(/\\\./g, '.')
-     parts.forEach(function (part, _, __) {
-+      if (part === '__proto__') return
-       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
-       p = p[part]
-     })
-diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
-new file mode 100644
-index 0000000..ab35533
--- /dev/null
-+++ b/deps/npm/node_modules/ini/test/proto.js
-@@ -0,0 +1,45 @@
-+var ini = require('../')
-+var t = require('tap')
-+
-+var data = `
-+__proto__ = quux
-+foo = baz
-+[__proto__]
-+foo = bar
-+[other]
-+foo = asdf
-+[kid.__proto__.foo]
-+foo = kid
-+[arrproto]
-+hello = snyk
-+__proto__[] = you did a good job
-+__proto__[] = so you deserve arrays
-+thanks = true
-+`
-+var res = ini.parse(data)
-+t.deepEqual(res, {
-+  foo: 'baz',
-+  other: {
-+    foo: 'asdf',
-+  },
-+  kid: {
-+    foo: {
-+      foo: 'kid',
-+    },
-+  },
-+  arrproto: {
-+    hello: 'snyk',
-+    thanks: true,
-+  },
-+})
-+t.equal(res.__proto__, Object.prototype)
-+t.equal(res.kid.__proto__, Object.prototype)
-+t.equal(res.kid.foo.__proto__, Object.prototype)
-+t.equal(res.arrproto.__proto__, Object.prototype)
-+t.equal(Object.prototype.foo, undefined)
-+t.equal(Object.prototype[0], undefined)
-+t.equal(Object.prototype['0'], undefined)
-+t.equal(Object.prototype[1], undefined)
-+t.equal(Object.prototype['1'], undefined)
-+t.equal(Array.prototype[0], undefined)
-+t.equal(Array.prototype[1], undefined)
--
-2.29.2
-
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -29,8 +29,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 12
-%global nodejs_minor 20
-%global nodejs_patch 1
+%global nodejs_minor 21
+%global nodejs_patch 0
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -106,7 +106,7 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 10
+%global npm_patch 11
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}

 # uvwasi - from deps/uvwasi/include/uvwasi.h
@ -167,12 +167,13 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 %endif

+# Upstream patch to use getauxval
+Patch3: 0003-src-use-getauxval-in-node_main.cc.patch
+
 # CVE-2020-7774
 Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch

-# CVE-2020-7788
-Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
-
+BuildRequires: make
 BuildRequires: python2-devel
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
@ -454,7 +455,6 @@ export LDFLAGS="%{build_ldflags}"
 #           --shared-brotli \
 #           --without-dtrace \
 #           --with-intl=small-icu \
-#           --debug-nghttp2 \
 #           --openssl-use-def-ca-store
 #%else
 #./configure --prefix=%{_prefix} \
@ -464,7 +464,6 @@ export LDFLAGS="%{build_ldflags}"
 #           --shared-zlib \
 #           --shared-brotli \
 #           --shared-libuv \
-#           --shared-nghttp2 \
 #           --with-dtrace \
 #           --with-intl=%{icu_flag} \
 #           --with-icu-default-data-dir=%{icudatadir} \
@ -481,7 +480,6 @@ export LDFLAGS="%{build_ldflags}"
           --shared-brotli \
           --without-dtrace \
           --with-intl=small-icu \
-           --debug-nghttp2 \
           --openssl-use-def-ca-store
 %else
 ./configure --prefix=%{_prefix} \
@ -493,7 +491,6 @@ export LDFLAGS="%{build_ldflags}"
           --with-dtrace \
           --with-intl=%{icu_flag} \
           --with-icu-default-data-dir=%{icudatadir} \
-           --debug-nghttp2 \
           --openssl-use-def-ca-store
 %endif

@ -505,7 +502,6 @@ export LDFLAGS="%{build_ldflags}"
           --shared-zlib \
           --without-dtrace \
           --with-intl=small-icu \
-           --debug-nghttp2 \
           --openssl-use-def-ca-store
 %else
 ./configure --prefix=%{_prefix} \
@ -516,7 +512,6 @@ export LDFLAGS="%{build_ldflags}"
           --with-dtrace \
           --with-intl=%{icu_flag} \
           --with-icu-default-data-dir=%{icudatadir} \
-           --debug-nghttp2 \
           --openssl-use-def-ca-store
 %endif

@ -870,6 +865,12 @@ end


 %changelog
+* Tue Mar 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.21.0-1
+- Resolves: RHBZ#1932315, RHBZ#1932424
+- remove --debug-nghttp2 option
+- remove ini patch
+- Backport patch to use getauxval
+
 * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1
 - Security rebase for January security release
 - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/