Rebase to 16.19.1
		
							parent
							
								
									4fcc46e74b
								
							
						
					
					
						commit
						777e281b39
					
				
							
								
								
									
										47
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
									
									
								
							| @ -1,12 +1,41 @@ | ||||
| SOURCES/cjs-module-lexer-1.2.2.tar.gz | ||||
| SOURCES/icu4c-71_1-src.tgz | ||||
| SOURCES/node-v16.18.1-stripped.tar.gz | ||||
| SOURCES/undici-5.10.0.tar.gz | ||||
| SOURCES/wasi-sdk-wasi-sdk-11.tar.gz | ||||
| SOURCES/wasi-sdk-wasi-sdk-14.tar.gz | ||||
| /cjs-module-lexer-1.2.2.tar.gz | ||||
| /node-v10.7.0-stripped.tar.gz | ||||
| /node-v10.11.0-stripped.tar.gz | ||||
| /node-v10.14.1-stripped.tar.gz | ||||
| /node-v12.4.0-stripped.tar.gz | ||||
| /node-v12.13.1-stripped.tar.gz | ||||
| /node-v12.14.1-stripped.tar.gz | ||||
| /node-v12.16.1-stripped.tar.gz | ||||
| /node-v14.2.0-stripped.tar.gz | ||||
| /icu4c-66_1-src.tgz | ||||
| /node-v14.3.0-stripped.tar.gz | ||||
| /icu4c-67_1-src.tgz | ||||
| /node-v14.4.0-stripped.tar.gz | ||||
| /node-v14.11.0-stripped.tar.gz | ||||
| /node-v14.15.0-stripped.tar.gz | ||||
| /node-v14.15.4-stripped.tar.gz | ||||
| /node-v14.16.0-stripped.tar.gz | ||||
| /node-v16.1.0-stripped.tar.gz | ||||
| /icu4c-69_1-src.tgz | ||||
| /node-v16.4.2-stripped.tar.gz | ||||
| /node-v16.6.2-stripped.tar.gz | ||||
| /node-v16.7.0-stripped.tar.gz | ||||
| /node-v16.8.0-stripped.tar.gz | ||||
| /node-v16.13.1-stripped.tar.gz | ||||
| /node-v16.14.0-stripped.tar.gz | ||||
| /icu4c-70_1-src.tgz | ||||
| /node-v16.16.0-stripped.tar.gz | ||||
| /node-v16.17.1-stripped.tar.gz | ||||
| /icu4c-71_1-src.tgz | ||||
| /node-v16.18.1-stripped.tar.gz | ||||
| /undici-5.10.0.tar.gz | ||||
| /cjs-module-lexer-1.2.2.tar.gz | ||||
| /undici-5.8.0.tar.gz | ||||
| /wasi-sdk-11.0-linux.tar.gz | ||||
| /wasi-sdk-14.0-linux.tar.gz | ||||
| /wasi-sdk-11.tar.gz | ||||
| /wasi-sdk-14.tar.gz | ||||
| /wasi-sdk-wasi-sdk-11.tar.gz | ||||
| /wasi-sdk-wasi-sdk-14.tar.gz | ||||
| /node-v16.18.1-stripped.tar.gz | ||||
| /undici-5.9.1.tar.gz | ||||
| /undici-5.10.0.tar.gz | ||||
| /node-v16.19.1-stripped.tar.gz | ||||
| /undici-5.19.1.tar.gz | ||||
|  | ||||
| @ -0,0 +1,45 @@ | ||||
| From df574e2999dc6c2c38138bd0c3ec61dfafe9c929 Mon Sep 17 00:00:00 2001 | ||||
| From: Kornel <kornel@geekhood.net> | ||||
| Date: Fri, 27 Jan 2023 01:20:38 +0000 | ||||
| Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim | ||||
|  whitespace | ||||
| 
 | ||||
| Signed-off-by: rpm-build <rpm-build> | ||||
| ---
 | ||||
|  deps/npm/node_modules/http-cache-semantics/index.js     | 6 +++--- | ||||
|  deps/npm/node_modules/http-cache-semantics/package.json | 2 +- | ||||
|  2 files changed, 4 insertions(+), 4 deletions(-) | ||||
| 
 | ||||
| diff --git a/deps/npm/node_modules/http-cache-semantics/index.js b/deps/npm/node_modules/http-cache-semantics/index.js
 | ||||
| index 4f6c2f3..39d58a7 100644
 | ||||
| --- a/deps/npm/node_modules/http-cache-semantics/index.js
 | ||||
| +++ b/deps/npm/node_modules/http-cache-semantics/index.js
 | ||||
| @@ -79,10 +79,10 @@ function parseCacheControl(header) {
 | ||||
|   | ||||
|      // TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives), | ||||
|      // the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale | ||||
| -    const parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
 | ||||
| +    const parts = header.trim().split(/,/);
 | ||||
|      for (const part of parts) { | ||||
| -        const [k, v] = part.split(/\s*=\s*/, 2);
 | ||||
| -        cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
 | ||||
| +        const [k, v] = part.split(/=/, 2);
 | ||||
| +        cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
 | ||||
|      } | ||||
|   | ||||
|      return cc; | ||||
| diff --git a/deps/npm/node_modules/http-cache-semantics/package.json b/deps/npm/node_modules/http-cache-semantics/package.json
 | ||||
| index 897798d..79c020a 100644
 | ||||
| --- a/deps/npm/node_modules/http-cache-semantics/package.json
 | ||||
| +++ b/deps/npm/node_modules/http-cache-semantics/package.json
 | ||||
| @@ -1,6 +1,6 @@
 | ||||
|  { | ||||
|      "name": "http-cache-semantics", | ||||
| -    "version": "4.1.0",
 | ||||
| +    "version": "4.1.1",
 | ||||
|      "description": "Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies", | ||||
|      "repository": "https://github.com/kornelski/http-cache-semantics.git", | ||||
|      "main": "index.js", | ||||
| -- 
 | ||||
| 2.39.2 | ||||
| 
 | ||||
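Review bot: The header of this http-cache-semantics patch never names the CVE it addresses. Only the `# CVE-2022-25881` comment in nodejs.spec links the two, whereas the c-ares patch in the same commit carries `Resolves: CVE-2022-4904` in its message. A `Resolves: CVE-2022-25881` line above the `Signed-off-by` trailer would keep the patch self-describing when it is audited or re-applied outside the spec. The second hunk also bumps the bundled `package.json` to `"version": "4.1.1"`, so version-based scanners will treat the bundled copy as fixed. It is worth confirming that the patched `index.js` matches the upstream 4.1.1 release in full, which cannot be verified from this page because `parseCacheControl` starts and ends outside the hunk.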
| @ -1,31 +0,0 @@ | ||||
| From 9872b897d6a9a39e3392c39bca70cfd9dd084558 Mon Sep 17 00:00:00 2001 | ||||
| From: rpm-build <rpm-build> | ||||
| Date: Mon, 26 Sep 2022 16:02:39 +0200 | ||||
| Subject: [PATCH] install: keep installing dtrace and systemtap files | ||||
| 
 | ||||
| Partly reverts commit e27e709d3ca93b3e7036ddc4f4d28dfde228bfb6. | ||||
| 
 | ||||
| Signed-off-by: rpm-build <rpm-build> | ||||
| ---
 | ||||
|  tools/install.py | 5 +++++ | ||||
|  1 file changed, 5 insertions(+) | ||||
| 
 | ||||
| diff --git a/tools/install.py b/tools/install.py
 | ||||
| index 4b01d67..dc16797 100755
 | ||||
| --- a/tools/install.py
 | ||||
| +++ b/tools/install.py
 | ||||
| @@ -178,6 +178,11 @@ def files(action):
 | ||||
|        output_lib = 'libnode.' + variables.get('shlib_suffix') | ||||
|        action([output_prefix + output_lib], variables.get('libdir') + '/' + output_lib) | ||||
|   | ||||
| +  if 'true' == variables.get('node_use_dtrace'):
 | ||||
| +    action(['out/Release/node.d'], variables.get('libdir') + '/dtrace/node.d')
 | ||||
| +
 | ||||
| +  action(['src/node.stp'], 'share/systemtap/tapset/')
 | ||||
| +
 | ||||
|    action(['deps/v8/tools/gdbinit'], 'share/doc/node/') | ||||
|    action(['deps/v8/tools/lldb_commands.py'], 'share/doc/node/') | ||||
|   | ||||
| -- 
 | ||||
| 2.37.3 | ||||
| 
 | ||||
| @ -0,0 +1,53 @@ | ||||
| From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001 | ||||
| From: hopper-vul <118949689+hopper-vul@users.noreply.github.com> | ||||
| Date: Wed, 18 Jan 2023 22:14:26 +0800 | ||||
| Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid | ||||
|  stack overflow (#497) | ||||
| 
 | ||||
| In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse | ||||
| the input str and initialize a sortlist configuration. | ||||
| 
 | ||||
| However, ares_set_sortlist has not any checks about the validity of the input str. | ||||
| It is very easy to create an arbitrary length stack overflow with the unchecked | ||||
| `memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);` | ||||
| statements in the config_sortlist call, which could potentially cause severe | ||||
| security impact in practical programs. | ||||
| 
 | ||||
| This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the | ||||
| potential stack overflows. | ||||
| 
 | ||||
| fixes #496 | ||||
| 
 | ||||
| Fix By: @hopper-vul | ||||
| Resolves: CVE-2022-4904 | ||||
| 
 | ||||
| Signed-off-by: rpm-build <rpm-build> | ||||
| ---
 | ||||
|  deps/cares/src/lib/ares_init.c | 4 ++++ | ||||
|  1 file changed, 4 insertions(+) | ||||
| 
 | ||||
| diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
 | ||||
| index de5d86c..d5858f6 100644
 | ||||
| --- a/deps/cares/src/lib/ares_init.c
 | ||||
| +++ b/deps/cares/src/lib/ares_init.c
 | ||||
| @@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
 | ||||
|        q = str; | ||||
|        while (*q && *q != '/' && *q != ';' && !ISSPACE(*q)) | ||||
|          q++; | ||||
| +      if (q-str >= 16)
 | ||||
| +        return ARES_EBADSTR;
 | ||||
|        memcpy(ipbuf, str, q-str); | ||||
|        ipbuf[q-str] = '\0'; | ||||
|        /* Find the prefix */ | ||||
| @@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
 | ||||
|            const char *str2 = q+1; | ||||
|            while (*q && *q != ';' && !ISSPACE(*q)) | ||||
|              q++; | ||||
| +          if (q-str >= 32)
 | ||||
| +            return ARES_EBADSTR;
 | ||||
|            memcpy(ipbufpfx, str, q-str); | ||||
|            ipbufpfx[q-str] = '\0'; | ||||
|            str = str2; | ||||
| -- 
 | ||||
| 2.39.2 | ||||
| 
 | ||||
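Review bot: Both added length checks in `config_sortlist` hard-code their bounds (`q-str >= 16` and `q-str >= 32`), which presumably mirror the sizes of `ipbuf` and `ipbufpfx`. Those declarations are outside the hunks, so the guard and the buffer can drift apart without any compiler help. If both are stack arrays, as the commit message's description suggests, tying each check to the array keeps it correct after a resize: `if ((size_t)(q - str) >= sizeof(ipbuf))` and `if ((size_t)(q - str) >= sizeof(ipbufpfx))`. This is an upstream backport, so the change is better proposed upstream than edited locally. It is also worth confirming that the early `return ARES_EBADSTR;` does not strand sortlist entries allocated in earlier loop iterations, since the rest of the function and its caller are not visible here.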
							
								
								
									
										27
									
								
								nodejs.spec
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @ -35,7 +35,7 @@ | ||||
| # This is used by both the nodejs package and the npm subpackage that | ||||
| # has a separate version - the name is special so that rpmdev-bumpspec | ||||
| # will bump this rather than adding .1 to the end. | ||||
| %global baserelease 3 | ||||
| %global baserelease 1 | ||||
| 
 | ||||
| %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} | ||||
| 
 | ||||
| @ -46,7 +46,7 @@ | ||||
| # than a Fedora release lifecycle. | ||||
| %global nodejs_epoch 1 | ||||
| %global nodejs_major 16 | ||||
| %global nodejs_minor 18 | ||||
| %global nodejs_minor 19 | ||||
| %global nodejs_patch 1 | ||||
| %global nodejs_abi %{nodejs_major}.%{nodejs_minor} | ||||
| # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h | ||||
| @ -140,7 +140,7 @@ | ||||
| %global npm_epoch 1 | ||||
| %global npm_major 8 | ||||
| %global npm_minor 19 | ||||
| %global npm_patch 2 | ||||
| %global npm_patch 3 | ||||
| %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} | ||||
| 
 | ||||
| # uvwasi - from deps/uvwasi/include/uvwasi.h | ||||
| @ -200,16 +200,19 @@ Source101: cjs-module-lexer-1.2.2.tar.gz | ||||
| Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz | ||||
| 
 | ||||
| # Version: jq '.version' deps/undici/src/package.json | ||||
| # Original: https://github.com/nodejs/undici/archive/refs/tags/v5.10.0.tar.gz | ||||
| # Adjustments: rm -f undici-5.10.0/lib/llhttp/llhttp*.wasm* | ||||
| Source111: undici-5.10.0.tar.gz | ||||
| # Original: https://github.com/nodejs/undici/archive/refs/tags/v5.19.1.tar.gz | ||||
| # Adjustments: rm -f undici-5.19.1/lib/llhttp/llhttp*.wasm* | ||||
| Source111: undici-5.19.1.tar.gz | ||||
| # The WASM blob was made using wasi-sdk v14; compiler libraries are linked in. | ||||
| # Version source: build/Dockerfile | ||||
| Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz | ||||
| 
 | ||||
| # Disable running gyp on bundled deps we don't use | ||||
| Patch1: 0001-Disable-running-gyp-on-shared-deps.patch | ||||
| Patch2: 0002-install-keep-installing-dtrace-and-systemtap-files.patch | ||||
| # CVE-2022-25881 | ||||
| Patch2: 0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch | ||||
| # CVE-2022-4904 | ||||
| Patch3: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch | ||||
| 
 | ||||
| BuildRequires: make | ||||
| BuildRequires: python3-devel | ||||
| @ -703,10 +706,12 @@ end | ||||
| %doc %{_mandir}/man1/npx.1* | ||||
| %doc %{_mandir}/man5/folders.5* | ||||
| %doc %{_mandir}/man5/install.5* | ||||
| %doc %{_mandir}/man5/npm-global.5* | ||||
| %doc %{_mandir}/man5/npm-json.5* | ||||
| %doc %{_mandir}/man5/npm-shrinkwrap-json.5* | ||||
| %doc %{_mandir}/man5/npmrc.5* | ||||
| %doc %{_mandir}/man5/package-json.5* | ||||
| %doc %{_mandir}/man5/package-lock-json.5* | ||||
| %doc %{_mandir}/man5/npm-shrinkwrap-json.5* | ||||
| %doc %{_mandir}/man7/config.7* | ||||
| %doc %{_mandir}/man7/dependency-selectors.7* | ||||
| %doc %{_mandir}/man7/developers.7* | ||||
| @ -728,6 +733,12 @@ end | ||||
| 
 | ||||
| 
 | ||||
| %changelog | ||||
| * Mon Feb 27 2023 Jan Staněk <jstanek@redhat.com> - 1:16.19.1-1 | ||||
| - Rebase to 16.19.1 | ||||
|   Resolves: rhbz#2153713 | ||||
|   Resolves: CVE-2023-23918 CVE-2023-23919 CVE-2023-23936 CVE-2023-24807 CVE-2023-23920 | ||||
|   Resolves: CVE-2022-25881 CVE-2022-4904 | ||||
| 
 | ||||
| * Wed Dec 07 2022 Jan Staněk <jstanek@redhat.com> - 1:16.18.1-3 | ||||
| - Update sources of undici WASM blobs | ||||
|   Resolves: rhbz#2151546 | ||||
|  | ||||
							
								
								
									
										6
									
								
								sources
									
									
									
									
									
								
							
							
						
						
									
									
									
									
									
									
								
							| @ -1,6 +1,6 @@ | ||||
| SHA512 (cjs-module-lexer-1.2.2.tar.gz) = 2c8e9caf2231ca7d61e71936305389774859aca9b5c86c63489c9a62a81f4736f99477c3f0cbb41077bb7924fdd23e0f24b7bce858e42fb0f87e7c0ffc87afeb | ||||
| SHA512 (node-v16.19.1-stripped.tar.gz) = e3aeeb26b34e2a2d429852969507566b78212d4128cc4516c9d6ef74f187c35124874ca5d2a2824f074030fcc727a311dce0d0757ab2b4bbb01a343d2697b2b7 | ||||
| SHA512 (icu4c-71_1-src.tgz) = 1fd2a20aef48369d1f06e2bb74584877b8ad0eb529320b976264ec2db87420bae242715795f372dbc513ea80047bc49077a064e78205cd5e8b33d746fd2a2912 | ||||
| SHA512 (node-v16.18.1-stripped.tar.gz) = 44102e9b1e2aabc9ebbf33f597b033d025e6b7c291a1901b2545cd82f1a65ef3046efc3ee0d17c8b71452f1e09a5343ae948bb802eef6bad00ab732442bbbd87 | ||||
| SHA512 (undici-5.10.0.tar.gz) = ce582986e367783eb8e7350e8e14237afb014793b81b94783d043d673624f9d615cb664c553e7334ed4d1d56ec31c08094ed3d8d8be28fcbdd5daabaae687ddd | ||||
| SHA512 (cjs-module-lexer-1.2.2.tar.gz) = 2c8e9caf2231ca7d61e71936305389774859aca9b5c86c63489c9a62a81f4736f99477c3f0cbb41077bb7924fdd23e0f24b7bce858e42fb0f87e7c0ffc87afeb | ||||
| SHA512 (undici-5.19.1.tar.gz) = 71ca06acac25e0ef4d44bf9e523b6068d6906ee5ed926befa224c312335f471d1f6c1eec10c0a275b1212c72fd6f8b13a3a47c3a1ca51777a062ad8ea7193a7e | ||||
| SHA512 (wasi-sdk-wasi-sdk-11.tar.gz) = cb37f357b09431a3efad26141d83dce63232a35b536d9a7bd341d4d9627a0a3d4bd4d57504b6e3dab421942d2c168a96da2a6be889aab3f9a2852fc5a3200d3c | ||||
| SHA512 (wasi-sdk-wasi-sdk-14.tar.gz) = 4fecb3d9c04b91eb2388a9e51d49fbff6f22b81f9945a07ecdbfe479c96dad1e3b673b8bee24842b0dae5294129a9cb35dcf8e5ecf45437a6d01fb6e0fd13645 | ||||
|  | ||||