Import rpm: 575c46a529df49f7509ebf00525c979ea2dbae67
This commit is contained in:
parent
006d4187d1
commit
7a93b7a5fb
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/icu4c-64_2-src.tgz
|
||||
SOURCES/node-v10.24.0-stripped.tar.gz
|
||||
SOURCES/node-v10.23.1-stripped.tar.gz
|
||||
|
@ -0,0 +1,99 @@
|
||||
From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001
|
||||
From: isaacs <i@izs.me>
|
||||
Date: Tue, 8 Dec 2020 14:21:50 -0800
|
||||
Subject: [PATCH] do not allow invalid hazardous string as section name
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/npm/node_modules/ini/ini.js | 8 +++++
|
||||
deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
|
||||
2 files changed, 53 insertions(+)
|
||||
create mode 100644 deps/npm/node_modules/ini/test/proto.js
|
||||
|
||||
diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
|
||||
index 590195d..0401258 100644
|
||||
--- a/deps/npm/node_modules/ini/ini.js
|
||||
+++ b/deps/npm/node_modules/ini/ini.js
|
||||
@@ -80,6 +80,12 @@ function decode (str) {
|
||||
if (!match) return
|
||||
if (match[1] !== undefined) {
|
||||
section = unsafe(match[1])
|
||||
+ if (section === '__proto__') {
|
||||
+ // not allowed
|
||||
+ // keep parsing the section, but don't attach it.
|
||||
+ p = {}
|
||||
+ return
|
||||
+ }
|
||||
p = out[section] = out[section] || {}
|
||||
return
|
||||
}
|
||||
@@ -94,6 +100,7 @@ function decode (str) {
|
||||
// Convert keys with '[]' suffix to an array
|
||||
if (key.length > 2 && key.slice(-2) === '[]') {
|
||||
key = key.substring(0, key.length - 2)
|
||||
+ if (key === '__proto__') return
|
||||
if (!p[key]) {
|
||||
p[key] = []
|
||||
} else if (!Array.isArray(p[key])) {
|
||||
@@ -125,6 +132,7 @@ function decode (str) {
|
||||
var l = parts.pop()
|
||||
var nl = l.replace(/\\\./g, '.')
|
||||
parts.forEach(function (part, _, __) {
|
||||
+ if (part === '__proto__') return
|
||||
if (!p[part] || typeof p[part] !== 'object') p[part] = {}
|
||||
p = p[part]
|
||||
})
|
||||
diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
|
||||
new file mode 100644
|
||||
index 0000000..ab35533
|
||||
--- /dev/null
|
||||
+++ b/deps/npm/node_modules/ini/test/proto.js
|
||||
@@ -0,0 +1,45 @@
|
||||
+var ini = require('../')
|
||||
+var t = require('tap')
|
||||
+
|
||||
+var data = `
|
||||
+__proto__ = quux
|
||||
+foo = baz
|
||||
+[__proto__]
|
||||
+foo = bar
|
||||
+[other]
|
||||
+foo = asdf
|
||||
+[kid.__proto__.foo]
|
||||
+foo = kid
|
||||
+[arrproto]
|
||||
+hello = snyk
|
||||
+__proto__[] = you did a good job
|
||||
+__proto__[] = so you deserve arrays
|
||||
+thanks = true
|
||||
+`
|
||||
+var res = ini.parse(data)
|
||||
+t.deepEqual(res, {
|
||||
+ foo: 'baz',
|
||||
+ other: {
|
||||
+ foo: 'asdf',
|
||||
+ },
|
||||
+ kid: {
|
||||
+ foo: {
|
||||
+ foo: 'kid',
|
||||
+ },
|
||||
+ },
|
||||
+ arrproto: {
|
||||
+ hello: 'snyk',
|
||||
+ thanks: true,
|
||||
+ },
|
||||
+})
|
||||
+t.equal(res.__proto__, Object.prototype)
|
||||
+t.equal(res.kid.__proto__, Object.prototype)
|
||||
+t.equal(res.kid.foo.__proto__, Object.prototype)
|
||||
+t.equal(res.arrproto.__proto__, Object.prototype)
|
||||
+t.equal(Object.prototype.foo, undefined)
|
||||
+t.equal(Object.prototype[0], undefined)
|
||||
+t.equal(Object.prototype['0'], undefined)
|
||||
+t.equal(Object.prototype[1], undefined)
|
||||
+t.equal(Object.prototype['1'], undefined)
|
||||
+t.equal(Array.prototype[0], undefined)
|
||||
+t.equal(Array.prototype[1], undefined)
|
||||
--
|
||||
2.29.2
|
||||
|
18
nodejs.spec
18
nodejs.spec
@ -24,8 +24,8 @@
|
||||
# than a Fedora release lifecycle.
|
||||
%global nodejs_epoch 1
|
||||
%global nodejs_major 10
|
||||
%global nodejs_minor 24
|
||||
%global nodejs_patch 0
|
||||
%global nodejs_minor 23
|
||||
%global nodejs_patch 1
|
||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||
%global nodejs_soversion 64
|
||||
@ -94,7 +94,7 @@
|
||||
%global npm_epoch 1
|
||||
%global npm_major 6
|
||||
%global npm_minor 14
|
||||
%global npm_patch 11
|
||||
%global npm_patch 10
|
||||
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
||||
|
||||
# In order to avoid needing to keep incrementing the release version for the
|
||||
@ -149,7 +149,9 @@ Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
|
||||
# CVE-2020-7774
|
||||
Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
|
||||
|
||||
BuildRequires: make
|
||||
# CVE-2020-7788
|
||||
Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
|
||||
|
||||
BuildRequires: python2-devel
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: zlib-devel
|
||||
@ -367,6 +369,7 @@ export LDFLAGS="%{build_ldflags}"
|
||||
--shared-zlib \
|
||||
--without-dtrace \
|
||||
--with-intl=small-icu \
|
||||
--debug-nghttp2 \
|
||||
--openssl-use-def-ca-store
|
||||
%else
|
||||
./configure --prefix=%{_prefix} \
|
||||
@ -378,6 +381,7 @@ export LDFLAGS="%{build_ldflags}"
|
||||
--with-dtrace \
|
||||
--with-intl=small-icu \
|
||||
--with-icu-default-data-dir=%{icudatadir} \
|
||||
--debug-nghttp2 \
|
||||
--openssl-use-def-ca-store
|
||||
%endif
|
||||
|
||||
@ -621,12 +625,6 @@ end
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Feb 24 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.24.0-1
|
||||
- Resolves: RHBZ#1932373, RHBZ#1932426
|
||||
- Resolves CVE-2021-22883 and CVE-2021-22884
|
||||
- remove -debug-nghttp2 flag (1930775)
|
||||
- remove ini patch merged upstream
|
||||
|
||||
* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1
|
||||
- January Security release
|
||||
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
|
||||
|
Loading…
Reference in New Issue
Block a user