import nodejs-12.21.0-1.module+el8.3.0+10191+34fb5a07

This commit is contained in:
CentOS Sources 2021-03-04 10:19:12 -05:00 committed by Andrew Lukoshko
parent 8ea90a1f4e
commit 75701e8b68
5 changed files with 85 additions and 113 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/icu4c-67_1-src.tgz
SOURCES/node-v12.20.1-stripped.tar.gz
SOURCES/node-v12.21.0-stripped.tar.gz

View File

@ -1,2 +1,2 @@
6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896 SOURCES/node-v12.20.1-stripped.tar.gz
a169a24b69f9ad0ad75f38d1857a8411017843bd SOURCES/node-v12.21.0-stripped.tar.gz

View File

@ -0,0 +1,70 @@
From 63b2d16ea3985b62be372ea1da7987dc32ddcc3b Mon Sep 17 00:00:00 2001
From: Daniel Bevenius <daniel.bevenius@gmail.com>
Date: Tue, 2 Jun 2020 05:33:25 +0200
Subject: [PATCH 3/3] src: use getauxval in node_main.cc
This commit suggests using getauxval in node_main.cc.
The motivation for this is that getauxval was introduced in glibc 2.16
and looking at BUILDING.md, in the 'Platform list' section, it looks
like we now support glibc >= 2.17 and perhaps this change would be
alright now.
PR-URL: https://github.com/nodejs/node/pull/33693
Refs: https://github.com/nodejs/node/pull/12548
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
---
src/node_main.cc | 18 ++----------------
1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/src/node_main.cc b/src/node_main.cc
index e92c0df94297e2ece43dbdf71166e555713ef6f2..70be5b83fafcde596e65086b08305aa89702fd52 100644
--- a/src/node_main.cc
+++ b/src/node_main.cc
@@ -72,17 +72,11 @@ int wmain(int argc, wchar_t* wargv[]) {
return node::Start(argc, argv);
}
#else
// UNIX
#ifdef __linux__
-#include <elf.h>
-#ifdef __LP64__
-#define Elf_auxv_t Elf64_auxv_t
-#else
-#define Elf_auxv_t Elf32_auxv_t
-#endif // __LP64__
-extern char** environ;
+#include <sys/auxv.h>
#endif // __linux__
#if defined(__POSIX__) && defined(NODE_SHARED_MODE)
#include <string.h>
#include <signal.h>
#endif
@@ -107,19 +101,11 @@ int main(int argc, char* argv[]) {
sigaction(SIGPIPE, &act, nullptr);
}
#endif
#if defined(__linux__)
- char** envp = environ;
- while (*envp++ != nullptr) {}
- Elf_auxv_t* auxv = reinterpret_cast<Elf_auxv_t*>(envp);
- for (; auxv->a_type != AT_NULL; auxv++) {
- if (auxv->a_type == AT_SECURE) {
- node::per_process::linux_at_secure = auxv->a_un.a_val;
- break;
- }
- }
+ node::per_process::linux_at_secure = getauxval(AT_SECURE);
#endif
// Disable stdio buffering, it interacts poorly with printf()
// calls elsewhere in the program (e.g., any logging from V8.)
setvbuf(stdout, nullptr, _IONBF, 0);
setvbuf(stderr, nullptr, _IONBF, 0);
--
2.30.1

View File

@ -1,99 +0,0 @@
From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
From: isaacs <i@izs.me>
Date: Tue, 8 Dec 2020 14:21:50 -0800
Subject: [PATCH] do not allow invalid hazardous string as section name
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/ini/ini.js | 8 +++++
deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 deps/npm/node_modules/ini/test/proto.js
diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
index 590195d..0401258 100644
--- a/deps/npm/node_modules/ini/ini.js
+++ b/deps/npm/node_modules/ini/ini.js
@@ -80,6 +80,12 @@ function decode (str) {
if (!match) return
if (match[1] !== undefined) {
section = unsafe(match[1])
+ if (section === '__proto__') {
+ // not allowed
+ // keep parsing the section, but don't attach it.
+ p = {}
+ return
+ }
p = out[section] = out[section] || {}
return
}
@@ -94,6 +100,7 @@ function decode (str) {
// Convert keys with '[]' suffix to an array
if (key.length > 2 && key.slice(-2) === '[]') {
key = key.substring(0, key.length - 2)
+ if (key === '__proto__') return
if (!p[key]) {
p[key] = []
} else if (!Array.isArray(p[key])) {
@@ -125,6 +132,7 @@ function decode (str) {
var l = parts.pop()
var nl = l.replace(/\\\./g, '.')
parts.forEach(function (part, _, __) {
+ if (part === '__proto__') return
if (!p[part] || typeof p[part] !== 'object') p[part] = {}
p = p[part]
})
diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
new file mode 100644
index 0000000..ab35533
--- /dev/null
+++ b/deps/npm/node_modules/ini/test/proto.js
@@ -0,0 +1,45 @@
+var ini = require('../')
+var t = require('tap')
+
+var data = `
+__proto__ = quux
+foo = baz
+[__proto__]
+foo = bar
+[other]
+foo = asdf
+[kid.__proto__.foo]
+foo = kid
+[arrproto]
+hello = snyk
+__proto__[] = you did a good job
+__proto__[] = so you deserve arrays
+thanks = true
+`
+var res = ini.parse(data)
+t.deepEqual(res, {
+ foo: 'baz',
+ other: {
+ foo: 'asdf',
+ },
+ kid: {
+ foo: {
+ foo: 'kid',
+ },
+ },
+ arrproto: {
+ hello: 'snyk',
+ thanks: true,
+ },
+})
+t.equal(res.__proto__, Object.prototype)
+t.equal(res.kid.__proto__, Object.prototype)
+t.equal(res.kid.foo.__proto__, Object.prototype)
+t.equal(res.arrproto.__proto__, Object.prototype)
+t.equal(Object.prototype.foo, undefined)
+t.equal(Object.prototype[0], undefined)
+t.equal(Object.prototype['0'], undefined)
+t.equal(Object.prototype[1], undefined)
+t.equal(Object.prototype['1'], undefined)
+t.equal(Array.prototype[0], undefined)
+t.equal(Array.prototype[1], undefined)
--
2.29.2

View File

@ -29,8 +29,8 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 12
%global nodejs_minor 20
%global nodejs_patch 1
%global nodejs_minor 21
%global nodejs_patch 0
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%if %{?with_libs} == 1
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -106,7 +106,7 @@
%global npm_epoch 1
%global npm_major 6
%global npm_minor 14
%global npm_patch 10
%global npm_patch 11
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# uvwasi - from deps/uvwasi/include/uvwasi.h
@ -167,12 +167,13 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch2: 0002-Install-both-binaries-and-use-libdir.patch
%endif
# Upstream patch to use getauxval
Patch3: 0003-src-use-getauxval-in-node_main.cc.patch
# CVE-2020-7774
Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
# CVE-2020-7788
Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
BuildRequires: make
BuildRequires: python2-devel
BuildRequires: python3-devel
BuildRequires: zlib-devel
@ -454,7 +455,6 @@ export LDFLAGS="%{build_ldflags}"
# --shared-brotli \
# --without-dtrace \
# --with-intl=small-icu \
# --debug-nghttp2 \
# --openssl-use-def-ca-store
#%else
#./configure --prefix=%{_prefix} \
@ -464,7 +464,6 @@ export LDFLAGS="%{build_ldflags}"
# --shared-zlib \
# --shared-brotli \
# --shared-libuv \
# --shared-nghttp2 \
# --with-dtrace \
# --with-intl=%{icu_flag} \
# --with-icu-default-data-dir=%{icudatadir} \
@ -481,7 +480,6 @@ export LDFLAGS="%{build_ldflags}"
--shared-brotli \
--without-dtrace \
--with-intl=small-icu \
--debug-nghttp2 \
--openssl-use-def-ca-store
%else
./configure --prefix=%{_prefix} \
@ -493,7 +491,6 @@ export LDFLAGS="%{build_ldflags}"
--with-dtrace \
--with-intl=%{icu_flag} \
--with-icu-default-data-dir=%{icudatadir} \
--debug-nghttp2 \
--openssl-use-def-ca-store
%endif
@ -505,7 +502,6 @@ export LDFLAGS="%{build_ldflags}"
--shared-zlib \
--without-dtrace \
--with-intl=small-icu \
--debug-nghttp2 \
--openssl-use-def-ca-store
%else
./configure --prefix=%{_prefix} \
@ -516,7 +512,6 @@ export LDFLAGS="%{build_ldflags}"
--with-dtrace \
--with-intl=%{icu_flag} \
--with-icu-default-data-dir=%{icudatadir} \
--debug-nghttp2 \
--openssl-use-def-ca-store
%endif
@ -870,6 +865,12 @@ end
%changelog
* Tue Mar 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.21.0-1
- Resolves: RHBZ#1932315, RHBZ#1932424
- remove --debug-nghttp2 option
- remove ini patch
- Backport patch to use getauxval
* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1
- Security rebase for January security release
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/