From 7a93b7a5fbc19e757ac4b526b9ea8bb94948b087 Mon Sep 17 00:00:00 2001 From: James Antill Date: Thu, 23 Feb 2023 13:02:24 -0500 Subject: [PATCH] Import rpm: 575c46a529df49f7509ebf00525c979ea2dbae67 --- .gitignore | 2 +- ...o-not-allow-invalid-hazardous-string.patch | 99 +++++++++++++++++++ nodejs.spec | 18 ++-- sources | 2 +- 4 files changed, 109 insertions(+), 12 deletions(-) create mode 100644 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch diff --git a/.gitignore b/.gitignore index eb6e49f..0898cbf 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/icu4c-64_2-src.tgz -SOURCES/node-v10.24.0-stripped.tar.gz +SOURCES/node-v10.23.1-stripped.tar.gz diff --git a/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch new file mode 100644 index 0000000..b7270a0 --- /dev/null +++ b/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch @@ -0,0 +1,99 @@ +From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001 +From: isaacs +Date: Tue, 8 Dec 2020 14:21:50 -0800 +Subject: [PATCH] do not allow invalid hazardous string as section name + +Signed-off-by: rpm-build +--- + deps/npm/node_modules/ini/ini.js | 8 +++++ + deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + create mode 100644 deps/npm/node_modules/ini/test/proto.js + +diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js +index 590195d..0401258 100644 +--- a/deps/npm/node_modules/ini/ini.js ++++ b/deps/npm/node_modules/ini/ini.js +@@ -80,6 +80,12 @@ function decode (str) { + if (!match) return + if (match[1] !== undefined) { + section = unsafe(match[1]) ++ if (section === '__proto__') { ++ // not allowed ++ // keep parsing the section, but don't attach it. ++ p = {} ++ return ++ } + p = out[section] = out[section] || {} + return + } +@@ -94,6 +100,7 @@ function decode (str) { + // Convert keys with '[]' suffix to an array + if (key.length > 2 && key.slice(-2) === '[]') { + key = key.substring(0, key.length - 2) ++ if (key === '__proto__') return + if (!p[key]) { + p[key] = [] + } else if (!Array.isArray(p[key])) { +@@ -125,6 +132,7 @@ function decode (str) { + var l = parts.pop() + var nl = l.replace(/\\\./g, '.') + parts.forEach(function (part, _, __) { ++ if (part === '__proto__') return + if (!p[part] || typeof p[part] !== 'object') p[part] = {} + p = p[part] + }) +diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js +new file mode 100644 +index 0000000..ab35533 +--- /dev/null ++++ b/deps/npm/node_modules/ini/test/proto.js +@@ -0,0 +1,45 @@ ++var ini = require('../') ++var t = require('tap') ++ ++var data = ` ++__proto__ = quux ++foo = baz ++[__proto__] ++foo = bar ++[other] ++foo = asdf ++[kid.__proto__.foo] ++foo = kid ++[arrproto] ++hello = snyk ++__proto__[] = you did a good job ++__proto__[] = so you deserve arrays ++thanks = true ++` ++var res = ini.parse(data) ++t.deepEqual(res, { ++ foo: 'baz', ++ other: { ++ foo: 'asdf', ++ }, ++ kid: { ++ foo: { ++ foo: 'kid', ++ }, ++ }, ++ arrproto: { ++ hello: 'snyk', ++ thanks: true, ++ }, ++}) ++t.equal(res.__proto__, Object.prototype) ++t.equal(res.kid.__proto__, Object.prototype) ++t.equal(res.kid.foo.__proto__, Object.prototype) ++t.equal(res.arrproto.__proto__, Object.prototype) ++t.equal(Object.prototype.foo, undefined) ++t.equal(Object.prototype[0], undefined) ++t.equal(Object.prototype['0'], undefined) ++t.equal(Object.prototype[1], undefined) ++t.equal(Object.prototype['1'], undefined) ++t.equal(Array.prototype[0], undefined) ++t.equal(Array.prototype[1], undefined) +-- +2.29.2 + diff --git a/nodejs.spec b/nodejs.spec index 7021757..e0b85f4 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -24,8 +24,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 10 -%global nodejs_minor 24 -%global nodejs_patch 0 +%global nodejs_minor 23 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 64 @@ -94,7 +94,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 11 +%global npm_patch 10 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # In order to avoid needing to keep incrementing the release version for the @@ -149,7 +149,9 @@ Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch # CVE-2020-7774 Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch -BuildRequires: make +# CVE-2020-7788 +Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch + BuildRequires: python2-devel BuildRequires: python3-devel BuildRequires: zlib-devel @@ -367,6 +369,7 @@ export LDFLAGS="%{build_ldflags}" --shared-zlib \ --without-dtrace \ --with-intl=small-icu \ + --debug-nghttp2 \ --openssl-use-def-ca-store %else ./configure --prefix=%{_prefix} \ @@ -378,6 +381,7 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=small-icu \ --with-icu-default-data-dir=%{icudatadir} \ + --debug-nghttp2 \ --openssl-use-def-ca-store %endif @@ -621,12 +625,6 @@ end %changelog -* Wed Feb 24 2021 Zuzana Svetlikova - 1:10.24.0-1 -- Resolves: RHBZ#1932373, RHBZ#1932426 -- Resolves CVE-2021-22883 and CVE-2021-22884 -- remove -debug-nghttp2 flag (1930775) -- remove ini patch merged upstream - * Mon Jan 18 2021 Zuzana Svetlikova - 1:10.23.1-1 - January Security release - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ diff --git a/sources b/sources index d28b25e..6834f9a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA1 (icu4c-64_2-src.tgz) = 3127155ecf2b75ab4835f501b7478e39c07bb852 -SHA1 (node-v10.24.0-stripped.tar.gz) = be0e0b385a852c376f452b3d94727492e05407e4 +SHA1 (node-v10.23.1-stripped.tar.gz) = 21b2943f71c0aa6c9271da21c3f09f52451be8fa