rpms/nodejs
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI nodejs-20.11.1-1.module+el8.9.0+21380+12032667

Browse Source
This commit is contained in:
eabdullin 2024-04-08 12:38:52 +00:00
parent edbfd5870b
commit 7b3798af36
4 changed files with 85 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1,6 +1,6 @@
SOURCES/cjs-module-lexer-1.2.2.tar.gz SOURCES/cjs-module-lexer-1.2.2.tar.gz
SOURCES/icu4c-73_2-src.tgz SOURCES/icu4c-73_2-src.tgz
SOURCES/node-v20.11.0-stripped.tar.gz SOURCES/node-v20.11.1-stripped.tar.gz
SOURCES/undici-5.27.2.tar.gz SOURCES/undici-5.28.3.tar.gz
SOURCES/wasi-sdk-wasi-sdk-11.tar.gz SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
SOURCES/wasi-sdk-wasi-sdk-16.tar.gz SOURCES/wasi-sdk-wasi-sdk-16.tar.gz

6
.nodejs.metadata
View File

@ -1,6 +1,6 @@
36854f5860acf4b3f8ef8a08cd4240c81c8ae013 SOURCES/cjs-module-lexer-1.2.2.tar.gz 164f7f39841415284b0280a648c43bd7ea1615ac SOURCES/cjs-module-lexer-1.2.2.tar.gz
3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz 3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz
77fb048d100d9663d417274bc38c3f53a9e58f9e SOURCES/node-v20.11.0-stripped.tar.gz 59aed60100c3d6373c218378ccc8e03eb26cc1e5 SOURCES/node-v20.11.1-stripped.tar.gz
6ae4fbe44f94670fdd1c1f0072ac7d6ed106d402 SOURCES/undici-5.27.2.tar.gz b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz
8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
fbe01909bf0e8260fcc3696ec37c9f731b5e356a SOURCES/wasi-sdk-wasi-sdk-16.tar.gz fbe01909bf0e8260fcc3696ec37c9f731b5e356a SOURCES/wasi-sdk-wasi-sdk-16.tar.gz

78
SOURCES/nodejs-fips-disable-options.patch
View File

@ -1,15 +1,77 @@
FIPS related options cause a segfault, let's end sooner From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
From: Michael Dawson <midawson@redhat.com>
Date: Fri, 23 Feb 2024 13:43:56 +0100
Subject: [PATCH] Disable FIPS options
On RHEL, FIPS should be configured only on system level.
Additionally, the related options may cause segfault when used on RHEL.
This patch causes the option processing to end sooner
than the problematic code gets executed.
Additionally, the JS-level options to mess with FIPS settings
are similarly disabled.
Upstream report: https://github.com/nodejs/node/pull/48950 Upstream report: https://github.com/nodejs/node/pull/48950
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726 RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
Customer case: https://access.redhat.com/support/cases/#/case/03711488
This patch makes the part of the code that processes cmd-line options for Signed-off-by: rpm-build <rpm-build>
FIPS to end sooner before the code gets to the problematic part of the code. ---
lib/crypto.js | 10 ++++++++++
lib/internal/errors.js | 6 ++++++
src/crypto/crypto_util.cc | 2 ++
3 files changed, 18 insertions(+)
diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/crypto/crypto_util.cc diff --git a/lib/crypto.js b/lib/crypto.js
--- node-v18.16.1/src/crypto/crypto_util.cc.origfips 2023-07-31 12:09:46.603683081 +0200 index 41adecc..b2627ac 100644
+++ node-v18.16.1/src/crypto/crypto_util.cc 2023-07-31 12:16:16.906617914 +0200 --- a/lib/crypto.js
@@ -111,6 +111,8 @@ bool ProcessFipsOptions() { +++ b/lib/crypto.js
@@ -36,6 +36,9 @@ const {
assertCrypto();
const {
+ // RHEL specific error
+ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
+
ERR_CRYPTO_FIPS_FORCED,
ERR_WORKER_UNSUPPORTED_OPERATION,
} = require('internal/errors').codes;
@@ -251,6 +254,13 @@ function getFips() {
}
function setFips(val) {
+ // in RHEL FIPS enable/disable should only be done at system level
+ if (getFips() != val) {
+ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
+ } else {
+ return;
+ }
+
if (getOptionValue('--force-fips')) {
if (val) return;
throw new ERR_CRYPTO_FIPS_FORCED();
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
index a722360..04d8a53 100644
--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
@@ -1060,6 +1060,12 @@ module.exports = {
//
// Note: Node.js specific errors must begin with the prefix ERR_
+// insert RHEL specific erro
+E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
+ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
+ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
+ Error);
+
E('ERR_ACCESS_DENIED',
'Access to this API has been restricted. Permission: %s',
Error);
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 5734d8f..ef9d1b1 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
/* Override FIPS settings in configuration file, if needed. */ /* Override FIPS settings in configuration file, if needed. */
if (per_process::cli_options->enable_fips_crypto || if (per_process::cli_options->enable_fips_crypto ||
per_process::cli_options->force_fips_crypto) { per_process::cli_options->force_fips_crypto) {
@ -18,3 +80,5 @@ diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/cryp
#if OPENSSL_VERSION_MAJOR >= 3 #if OPENSSL_VERSION_MAJOR >= 3
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips"); OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
if (fips_provider == nullptr) if (fips_provider == nullptr)
--
2.43.2

14
SPECS/nodejs.spec
View File

@ -45,7 +45,7 @@
%global nodejs_epoch 1 %global nodejs_epoch 1
%global nodejs_major 20 %global nodejs_major 20
%global nodejs_minor 11 %global nodejs_minor 11
%global nodejs_patch 0 %global nodejs_patch 1
%global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 115 %global nodejs_soversion 115
@ -181,9 +181,9 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
# Version: jq '.version' deps/undici/src/package.json # Version: jq '.version' deps/undici/src/package.json
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.27.2.tar.gz # Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
# Adjustments: rm -f undici-5.27.2/lib/llhttp/llhttp*.wasm* # Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm*
Source111: undici-5.27.2.tar.gz Source111: undici-5.28.3.tar.gz
# The WASM blob was made using wasi-sdk v16; compiler libraries are linked in. # The WASM blob was made using wasi-sdk v16; compiler libraries are linked in.
# Version source: deps/undici/src/lib/llhttp/wasm_build_env.txt # Version source: deps/undici/src/lib/llhttp/wasm_build_env.txt
# Also check (undici tarball): lib/llhttp/wasm_build_env.txt # Also check (undici tarball): lib/llhttp/wasm_build_env.txt
@ -434,7 +434,7 @@ export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cfl
export LDFLAGS="%{build_ldflags}" export LDFLAGS="%{build_ldflags}"
%{__python3} configure.py --prefix=%{_prefix} --verbose \ %{__python3} configure.py --prefix=%{_prefix} --verbose \
--shared-openssl \ --shared-openssl --openssl-conf-name=openssl_conf \
--shared-zlib \ --shared-zlib \
--shared-brotli \ --shared-brotli \
%{!?with_bundled:--shared-libuv} \ %{!?with_bundled:--shared-libuv} \
@ -722,6 +722,10 @@ end
%changelog %changelog
* Wed Feb 21 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:20.11.1-1
- Rebase to version 20.11.1
- Resolves: RHEL-26017 RHEL-26266 RHEL-26685 RHEL-26686 RHEL-26004 RHEL-26596 RHEL-26688
* Fri Jan 19 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:20.11.0-1 * Fri Jan 19 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:20.11.0-1
- Rebase to version 20.11.0 - Rebase to version 20.11.0
- Resolves: RHEL-21435 - Resolves: RHEL-21435