diff --git a/.gitignore b/.gitignore index 3f9ed36..3f413b5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/icu4c-67_1-src.tgz -SOURCES/node-v12.20.1-stripped.tar.gz +SOURCES/node-v12.21.0-stripped.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index 45b7698..5527eb9 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,2 @@ 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz -f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896 SOURCES/node-v12.20.1-stripped.tar.gz +a169a24b69f9ad0ad75f38d1857a8411017843bd SOURCES/node-v12.21.0-stripped.tar.gz diff --git a/SOURCES/0003-src-use-getauxval-in-node_main.cc.patch b/SOURCES/0003-src-use-getauxval-in-node_main.cc.patch new file mode 100644 index 0000000..2ecf682 --- /dev/null +++ b/SOURCES/0003-src-use-getauxval-in-node_main.cc.patch @@ -0,0 +1,70 @@ +From 63b2d16ea3985b62be372ea1da7987dc32ddcc3b Mon Sep 17 00:00:00 2001 +From: Daniel Bevenius +Date: Tue, 2 Jun 2020 05:33:25 +0200 +Subject: [PATCH 3/3] src: use getauxval in node_main.cc + +This commit suggests using getauxval in node_main.cc. + +The motivation for this is that getauxval was introduced in glibc 2.16 +and looking at BUILDING.md, in the 'Platform list' section, it looks +like we now support glibc >= 2.17 and perhaps this change would be +alright now. + +PR-URL: https://github.com/nodejs/node/pull/33693 +Refs: https://github.com/nodejs/node/pull/12548 +Reviewed-By: Ben Noordhuis +Reviewed-By: David Carlier +Reviewed-By: Anna Henningsen +Reviewed-By: Colin Ihrig +Reviewed-By: James M Snell +--- + src/node_main.cc | 18 ++---------------- + 1 file changed, 2 insertions(+), 16 deletions(-) + +diff --git a/src/node_main.cc b/src/node_main.cc +index e92c0df94297e2ece43dbdf71166e555713ef6f2..70be5b83fafcde596e65086b08305aa89702fd52 100644 +--- a/src/node_main.cc ++++ b/src/node_main.cc +@@ -72,17 +72,11 @@ int wmain(int argc, wchar_t* wargv[]) { + return node::Start(argc, argv); + } + #else + // UNIX + #ifdef __linux__ +-#include +-#ifdef __LP64__ +-#define Elf_auxv_t Elf64_auxv_t +-#else +-#define Elf_auxv_t Elf32_auxv_t +-#endif // __LP64__ +-extern char** environ; ++#include + #endif // __linux__ + #if defined(__POSIX__) && defined(NODE_SHARED_MODE) + #include + #include + #endif +@@ -107,19 +101,11 @@ int main(int argc, char* argv[]) { + sigaction(SIGPIPE, &act, nullptr); + } + #endif + + #if defined(__linux__) +- char** envp = environ; +- while (*envp++ != nullptr) {} +- Elf_auxv_t* auxv = reinterpret_cast(envp); +- for (; auxv->a_type != AT_NULL; auxv++) { +- if (auxv->a_type == AT_SECURE) { +- node::per_process::linux_at_secure = auxv->a_un.a_val; +- break; +- } +- } ++ node::per_process::linux_at_secure = getauxval(AT_SECURE); + #endif + // Disable stdio buffering, it interacts poorly with printf() + // calls elsewhere in the program (e.g., any logging from V8.) + setvbuf(stdout, nullptr, _IONBF, 0); + setvbuf(stderr, nullptr, _IONBF, 0); +-- +2.30.1 + diff --git a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch deleted file mode 100644 index c2b1f3e..0000000 --- a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch +++ /dev/null @@ -1,99 +0,0 @@ -From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001 -From: isaacs -Date: Tue, 8 Dec 2020 14:21:50 -0800 -Subject: [PATCH] do not allow invalid hazardous string as section name - -Signed-off-by: rpm-build ---- - deps/npm/node_modules/ini/ini.js | 8 +++++ - deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++ - 2 files changed, 53 insertions(+) - create mode 100644 deps/npm/node_modules/ini/test/proto.js - -diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js -index 590195d..0401258 100644 ---- a/deps/npm/node_modules/ini/ini.js -+++ b/deps/npm/node_modules/ini/ini.js -@@ -80,6 +80,12 @@ function decode (str) { - if (!match) return - if (match[1] !== undefined) { - section = unsafe(match[1]) -+ if (section === '__proto__') { -+ // not allowed -+ // keep parsing the section, but don't attach it. -+ p = {} -+ return -+ } - p = out[section] = out[section] || {} - return - } -@@ -94,6 +100,7 @@ function decode (str) { - // Convert keys with '[]' suffix to an array - if (key.length > 2 && key.slice(-2) === '[]') { - key = key.substring(0, key.length - 2) -+ if (key === '__proto__') return - if (!p[key]) { - p[key] = [] - } else if (!Array.isArray(p[key])) { -@@ -125,6 +132,7 @@ function decode (str) { - var l = parts.pop() - var nl = l.replace(/\\\./g, '.') - parts.forEach(function (part, _, __) { -+ if (part === '__proto__') return - if (!p[part] || typeof p[part] !== 'object') p[part] = {} - p = p[part] - }) -diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js -new file mode 100644 -index 0000000..ab35533 ---- /dev/null -+++ b/deps/npm/node_modules/ini/test/proto.js -@@ -0,0 +1,45 @@ -+var ini = require('../') -+var t = require('tap') -+ -+var data = ` -+__proto__ = quux -+foo = baz -+[__proto__] -+foo = bar -+[other] -+foo = asdf -+[kid.__proto__.foo] -+foo = kid -+[arrproto] -+hello = snyk -+__proto__[] = you did a good job -+__proto__[] = so you deserve arrays -+thanks = true -+` -+var res = ini.parse(data) -+t.deepEqual(res, { -+ foo: 'baz', -+ other: { -+ foo: 'asdf', -+ }, -+ kid: { -+ foo: { -+ foo: 'kid', -+ }, -+ }, -+ arrproto: { -+ hello: 'snyk', -+ thanks: true, -+ }, -+}) -+t.equal(res.__proto__, Object.prototype) -+t.equal(res.kid.__proto__, Object.prototype) -+t.equal(res.kid.foo.__proto__, Object.prototype) -+t.equal(res.arrproto.__proto__, Object.prototype) -+t.equal(Object.prototype.foo, undefined) -+t.equal(Object.prototype[0], undefined) -+t.equal(Object.prototype['0'], undefined) -+t.equal(Object.prototype[1], undefined) -+t.equal(Object.prototype['1'], undefined) -+t.equal(Array.prototype[0], undefined) -+t.equal(Array.prototype[1], undefined) --- -2.29.2 - diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index fc6939a..0eb52c7 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -29,8 +29,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 12 -%global nodejs_minor 20 -%global nodejs_patch 1 +%global nodejs_minor 21 +%global nodejs_patch 0 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %if %{?with_libs} == 1 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -106,7 +106,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 10 +%global npm_patch 11 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -167,12 +167,13 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch2: 0002-Install-both-binaries-and-use-libdir.patch %endif +# Upstream patch to use getauxval +Patch3: 0003-src-use-getauxval-in-node_main.cc.patch + # CVE-2020-7774 Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch -# CVE-2020-7788 -Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch - +BuildRequires: make BuildRequires: python2-devel BuildRequires: python3-devel BuildRequires: zlib-devel @@ -454,7 +455,6 @@ export LDFLAGS="%{build_ldflags}" # --shared-brotli \ # --without-dtrace \ # --with-intl=small-icu \ -# --debug-nghttp2 \ # --openssl-use-def-ca-store #%else #./configure --prefix=%{_prefix} \ @@ -464,7 +464,6 @@ export LDFLAGS="%{build_ldflags}" # --shared-zlib \ # --shared-brotli \ # --shared-libuv \ -# --shared-nghttp2 \ # --with-dtrace \ # --with-intl=%{icu_flag} \ # --with-icu-default-data-dir=%{icudatadir} \ @@ -481,7 +480,6 @@ export LDFLAGS="%{build_ldflags}" --shared-brotli \ --without-dtrace \ --with-intl=small-icu \ - --debug-nghttp2 \ --openssl-use-def-ca-store %else ./configure --prefix=%{_prefix} \ @@ -493,7 +491,6 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=%{icu_flag} \ --with-icu-default-data-dir=%{icudatadir} \ - --debug-nghttp2 \ --openssl-use-def-ca-store %endif @@ -505,7 +502,6 @@ export LDFLAGS="%{build_ldflags}" --shared-zlib \ --without-dtrace \ --with-intl=small-icu \ - --debug-nghttp2 \ --openssl-use-def-ca-store %else ./configure --prefix=%{_prefix} \ @@ -516,7 +512,6 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=%{icu_flag} \ --with-icu-default-data-dir=%{icudatadir} \ - --debug-nghttp2 \ --openssl-use-def-ca-store %endif @@ -870,6 +865,12 @@ end %changelog +* Tue Mar 02 2021 Zuzana Svetlikova - 1:12.21.0-1 +- Resolves: RHBZ#1932315, RHBZ#1932424 +- remove --debug-nghttp2 option +- remove ini patch +- Backport patch to use getauxval + * Mon Jan 18 2021 Zuzana Svetlikova - 1:12.20.1-1 - Security rebase for January security release - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/