diff --git a/.gitignore b/.gitignore
index e4a52f7..f1c857e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,17 @@
-SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.20.1-stripped.tar.gz
+/node-v10.7.0-stripped.tar.gz
+/node-v10.11.0-stripped.tar.gz
+/node-v10.14.1-stripped.tar.gz
+/node-v12.4.0-stripped.tar.gz
+/node-v12.13.1-stripped.tar.gz
+/node-v12.14.1-stripped.tar.gz
+/node-v12.16.1-stripped.tar.gz
+/node-v12.18.1-stripped.tar.gz
 /icu4c-67_1-src.tgz
+/node-v12.18.2-stripped.tar.gz
+/node-v12.18.4-stripped.tar.gz
+/node-v12.19.1-stripped.tar.gz
 /node-v12.20.1-stripped.tar.gz
+/node-v12.21.0-stripped.tar.gz
+/node-v12.22.2-stripped.tar.gz
+/node-v12.22.3-stripped.tar.gz
+/node-v12.22.5-stripped.tar.gz
diff --git a/0002-Install-both-binaries-and-use-libdir.patch b/0002-Install-both-binaries-and-use-libdir.patch
index ed89d0d..16c56c6 100644
--- a/0002-Install-both-binaries-and-use-libdir.patch
+++ b/0002-Install-both-binaries-and-use-libdir.patch
@@ -1,32 +1,36 @@
-From e2ff0fc92ddbaa5535d684e353c55cefe99eb081 Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Tue, 27 Sep 2022 13:48:12 +0200
-Subject: [PATCH] Install both binaries and use libdir
+From a496364130e7566afb153375b00e0f1d9c96943c Mon Sep 17 00:00:00 2001
+From: Elliott Sales de Andrade
+Date: Tue, 19 Mar 2019 23:22:40 -0400
+Subject: [PATCH] Install both binaries and use libdir.
+This allows us to build with a shared library for other users while
+still providing the normal executable.
+
+Signed-off-by: Elliott Sales de Andrade
 Signed-off-by: rpm-build
 ---
- configure.py | 7 +++++++
- tools/install.py | 8 +++++---
- 2 files changed, 12 insertions(+), 3 deletions(-)
+ configure.py | 7 +++++++
+ tools/install.py | 31 ++++++++++++++-----------------
+ 2 files changed, 21 insertions(+), 17 deletions(-)
 diff --git a/configure.py b/configure.py
-index 1a7023d..b16db0c 100755
+index b67ad1f..875ebef 100755
 --- a/configure.py
+++ b/configure.py -@@ -739,6 +739,12 @@ parser.add_argument('--shared', +@@ -602,6 +602,12 @@ parser.add_option('--shared', help='compile shared library for embedding node in another project. ' + '(This mode is not officially supported for regular applications)') -+parser.add_argument('--libdir', ++parser.add_option('--libdir', + action='store', + dest='libdir', + default='lib', + help='a directory to install the shared library into') + - parser.add_argument('--without-v8-platform', + parser.add_option('--without-v8-platform', action='store_true', dest='without_v8_platform', -@@ -1368,6 +1374,7 @@ def configure_node(o): +@@ -1168,6 +1174,7 @@ def configure_node(o): o['variables']['node_no_browser_globals'] = b(options.no_browser_globals) o['variables']['node_shared'] = b(options.shared) @@ -35,38 +39,50 @@ index 1a7023d..b16db0c 100755 if options.dest_os == 'android': diff --git a/tools/install.py b/tools/install.py -index a6d1f8b..e3ef9d7 100755 +index 6558029..a1cae2e 100755 --- a/tools/install.py 
+++ b/tools/install.py -@@ -144,6 +144,7 @@ def files(action): +@@ -121,26 +121,23 @@ def subdir_files(path, dest, action): + + def files(action): is_windows = sys.platform == 'win32' - output_file = 'node' +- output_file = 'node' output_prefix = 'out/Release/' + output_libprefix = output_prefix - if is_windows: - output_file += '.exe' -@@ -151,8 +152,8 @@ def files(action): - - if 'true' == variables.get('node_shared'): - if is_windows: -- action([output_prefix + 'libnode.dll'], 'bin/libnode.dll') -- action([output_prefix + 'libnode.lib'], 'lib/libnode.lib') -+ action([output_libprefix + 'libnode.dll'], 'bin/libnode.dll') -+ action([output_libprefix + 'libnode.lib'], 'lib/libnode.lib') - elif sys.platform == 'zos': - # GYP will output to lib.target; see _InstallableTargetInstallPath - # function in tools/gyp/pylib/gyp/generator/make.py -@@ -176,7 +177,8 @@ def files(action): - try_symlink(so_name, link_path) - else: - output_lib = 'libnode.' + variables.get('shlib_suffix') -- action([output_prefix + output_lib], 'lib/' + output_lib) -+ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib) +- if 'false' == variables.get('node_shared'): +- if is_windows: +- output_file += '.exe' ++ if is_windows: ++ output_bin = 'node.exe' ++ output_lib = 'node.dll' + else: +- if is_windows: +- output_file += '.dll' +- else: +- output_file = 'lib' + output_file + '.' + variables.get('shlib_suffix') +- # GYP will output to lib.target except on OS X, this is hardcoded +- # in its source - see the _InstallableTargetInstallPath function. +- if sys.platform != 'darwin': +- output_prefix += 'lib.target/' +- +- if 'false' == variables.get('node_shared'): +- action([output_prefix + output_file], 'bin/' + output_file) +- else: +- action([output_prefix + output_file], 'lib/' + output_file) ++ output_bin = 'node' ++ output_lib = 'libnode.' 
+ variables.get('shlib_suffix') ++ # GYP will output to lib.target except on OS X, this is hardcoded ++ # in its source - see the _InstallableTargetInstallPath function. ++ if sys.platform != 'darwin': ++ output_prefix += 'lib.target/' + ++ action([output_prefix + output_bin], 'bin/' + output_bin) ++ if 'true' == variables.get('node_shared'): ++ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib) + if 'true' == variables.get('node_use_dtrace'): action(['out/Release/node.d'], 'lib/dtrace/node.d') - -- -2.37.3 +2.26.2 diff --git a/0002-install-keep-installing-dtrace-and-systemtap-files.patch b/0002-install-keep-installing-dtrace-and-systemtap-files.patch deleted file mode 100644 index f055d91..0000000 --- a/0002-install-keep-installing-dtrace-and-systemtap-files.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 9872b897d6a9a39e3392c39bca70cfd9dd084558 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Mon, 26 Sep 2022 16:02:39 +0200 -Subject: [PATCH] install: keep installing dtrace and systemtap files - -Partly reverts commit e27e709d3ca93b3e7036ddc4f4d28dfde228bfb6. - -Signed-off-by: rpm-build ---- - tools/install.py | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/tools/install.py b/tools/install.py -index 4b01d67..dc16797 100755 ---- a/tools/install.py -+++ b/tools/install.py -@@ -178,6 +178,11 @@ def files(action): - output_lib = 'libnode.' + variables.get('shlib_suffix') - action([output_prefix + output_lib], variables.get('libdir') + '/' + output_lib) - -+ if 'true' == variables.get('node_use_dtrace'): -+ action(['out/Release/node.d'], variables.get('libdir') + '/dtrace/node.d') -+ -+ action(['src/node.stp'], 'share/systemtap/tapset/') -+ - action(['deps/v8/tools/gdbinit'], 'share/doc/node/') - action(['deps/v8/tools/lldb_commands.py'], 'share/doc/node/') - --- -2.37.3 - 
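Review bot: In the rewritten `files()` the `'lib.target/'` suffix is appended to `output_prefix` after `output_libprefix` was copied from it, so as the hunk reads the executable is looked up at `out/Release/lib.target/node` while `libnode.<suffix>` is taken straight from `out/Release/` — yet in the removed code that same `lib.target/` adjustment, with the same GYP comment, applied only to the shared-library path. Unless the rendering dropped a character, the line should be `output_libprefix += 'lib.target/'` so that `bin/node` keeps coming from `out/Release/` and only the library lookup gains the subdirectory. Separately, `variables.get('libdir') + '/' + output_lib` raises a TypeError rather than a readable message if `config.gypi` has no `libdir`, which is only guaranteed when the configure.py half of this patch is applied as well; `variables.get('libdir', 'lib')` would mirror the option's default. The rest of `files()` continues past the end of the hunk.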
diff --git a/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch b/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
deleted file mode 100644
index 88a9d75..0000000
--- a/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
-index d720681628..727362aac0 100644
---- a/deps/npm/node_modules/y18n/index.js
-+++ b/deps/npm/node_modules/y18n/index.js
-@@ -11,7 +11,7 @@ function Y18N (opts) {
- this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
-
- // internal stuff.
-- this.cache = {}
-+ this.cache = Object.create(null)
- this.writeQueue = []
- }
-
diff --git a/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
deleted file mode 100644
index c2b1f3e..0000000
--- a/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+++ /dev/null
@@ -1,99 +0,0 @@ -From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001 -From: isaacs -Date: Tue, 8 Dec 2020 14:21:50 -0800 -Subject: [PATCH] do not allow invalid hazardous string as section name - -Signed-off-by: rpm-build ---- - deps/npm/node_modules/ini/ini.js | 8 +++++ - deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++ - 2 files changed, 53 insertions(+) - create mode 100644 deps/npm/node_modules/ini/test/proto.js - -diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js -index 590195d..0401258 100644 ---- a/deps/npm/node_modules/ini/ini.js -+++ b/deps/npm/node_modules/ini/ini.js -@@ -80,6 +80,12 @@ function decode (str) { - if (!match) return - if (match[1] !== undefined) { - section = unsafe(match[1]) -+ if (section === '__proto__') { -+ // not allowed -+ // keep parsing the section, but don't attach it. -+ p = {} -+ return -+ } - p = out[section] = out[section] || {} - return - } -@@ -94,6 +100,7 @@ function decode (str) { - // Convert keys with '[]' suffix to an array - if (key.length > 2 && key.slice(-2) === '[]') { - key = key.substring(0, key.length - 2) -+ if (key === '__proto__') return - if (!p[key]) { - p[key] = [] - } else if (!Array.isArray(p[key])) { -@@ -125,6 +132,7 @@ function decode (str) { - var l = parts.pop() - var nl = l.replace(/\\\./g, '.') - parts.forEach(function (part, _, __) { -+ if (part === '__proto__') return - if (!p[part] || typeof p[part] !== 'object') p[part] = {} - p = p[part] - }) -diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js -new file mode 100644 -index 0000000..ab35533 ---- /dev/null -+++ b/deps/npm/node_modules/ini/test/proto.js -@@ -0,0 +1,45 @@ -+var ini = require('../') -+var t = require('tap') -+ -+var data = ` -+__proto__ = quux -+foo = baz -+[__proto__] -+foo = bar -+[other] -+foo = asdf -+[kid.__proto__.foo] -+foo = kid -+[arrproto] -+hello = snyk -+__proto__[] = you did a good job -+__proto__[] = so 
you deserve arrays -+thanks = true -+` -+var res = ini.parse(data) -+t.deepEqual(res, { -+ foo: 'baz', -+ other: { -+ foo: 'asdf', -+ }, -+ kid: { -+ foo: { -+ foo: 'kid', -+ }, -+ }, -+ arrproto: { -+ hello: 'snyk', -+ thanks: true, -+ }, -+}) -+t.equal(res.__proto__, Object.prototype) -+t.equal(res.kid.__proto__, Object.prototype) -+t.equal(res.kid.foo.__proto__, Object.prototype) -+t.equal(res.arrproto.__proto__, Object.prototype) -+t.equal(Object.prototype.foo, undefined) -+t.equal(Object.prototype[0], undefined) -+t.equal(Object.prototype['0'], undefined) -+t.equal(Object.prototype[1], undefined) -+t.equal(Object.prototype['1'], undefined) -+t.equal(Array.prototype[0], undefined) -+t.equal(Array.prototype[1], undefined) --- -2.29.2 - diff --git a/gating.yaml b/gating.yaml deleted file mode 100644 index c190bde..0000000 --- a/gating.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- !Policy -product_versions: - - rhel-9 -decision_context: osci_compose_gate -rules: - - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional} diff --git a/nodejs-tarball.sh b/nodejs-tarball.sh index f3f3298..2ed756a 100755 --- a/nodejs-tarball.sh +++ b/nodejs-tarball.sh @@ -185,15 +185,19 @@ echo "punycode" echo "=========================" grep "'version'" node-v${version}/lib/punycode.js echo +echo "npm" +echo "=========================" +grep "\"version\":" node-v${version}/deps/npm/package.json +echo echo "uvwasi" echo "=========================" grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h echo -echo "npm" +echo "brotli" echo "=========================" -grep "\"version\":" node-v${version}/deps/npm/package.json +grep "#define BROTLI_VERSION" node-v${version}/deps/brotli/c/common/version.h echo echo "Make sure these versions match what is in the RPM spec file" 
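Review bot: The version report this script prints is the only place the bundled npm modules are checked at rebase time, and this update drops the y18n (CVE-2020-7774) and ini (CVE-2020-7788) patches, presumably — per the changelog entries "remove y18n patch" / "remove ini patch" — because the npm bump carries the upstream fixes. Printing those two modules under the new "npm" section would make that assumption checkable on every future tarball, e.g. `grep "\"version\":" node-v${version}/deps/npm/node_modules/y18n/package.json` and the same for `node-v${version}/deps/npm/node_modules/ini/package.json`. I cannot see `deps/brotli/c/common/version.h`, but if `BROTLI_VERSION` there is a packed numeric macro rather than a dotted string, the closing "make sure these versions match" reminder needs a note on how to compare it with the spec's globals.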
diff --git a/nodejs.spec b/nodejs.spec index fc6939a..f041419 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -29,8 +29,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 12 -%global nodejs_minor 20 -%global nodejs_patch 1 +%global nodejs_minor 22 +%global nodejs_patch 5 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %if %{?with_libs} == 1 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -57,8 +57,8 @@ # c-ares - from deps/cares/include/ares_version.h # https://github.com/nodejs/node/pull/9332 %global c_ares_major 1 -%global c_ares_minor 16 -%global c_ares_patch 1 +%global c_ares_minor 17 +%global c_ares_patch 2 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} # http-parser - from deps/http_parser/http_parser.h @@ -106,7 +106,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 10 +%global npm_patch 14 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -167,12 +167,16 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch2: 0002-Install-both-binaries-and-use-libdir.patch %endif -# CVE-2020-7774 -Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch +# Upstream patch to use getauxval +Patch3: 0003-src-use-getauxval-in-node_main.cc.patch -# CVE-2020-7788 -Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch +# Make FIPS always available +# https://github.com/nodejs/node/issues/34903 +Patch4: 0004-always-available-fips-options.patch +Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch + +BuildRequires: make BuildRequires: python2-devel BuildRequires: python3-devel BuildRequires: zlib-devel 
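Review bot: Patch4 and Patch5 for CVE-2020-7774 (y18n) and CVE-2020-7788 (ini) are removed and their files deleted, but the spec now records nothing about why those two fixes no longer need to be carried; the only trace is in the changelog, which ties it to the npm bump to 6.14.14. A one-line note next to `%global npm_patch 14`, such as `# bundled npm carries the y18n and ini prototype-pollution fixes (CVE-2020-7774, CVE-2020-7788); the standalone patches were dropped`, keeps the next rebase from silently regressing or re-adding them. The new `Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch` also lacks the `# CVE-...` comment the removed entries had; `# CVE-2021-23343` above it matches the file's existing style.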
@@ -184,13 +188,13 @@ BuildRequires: gcc-c++ >= 6.3.0 BuildRequires: nodejs-packaging BuildRequires: chrpath BuildRequires: libatomic +BuildRequires: systemtap-sdt-devel %if %{with bootstrap} Provides: bundled(http-parser) = %{http_parser_version} Provides: bundled(libuv) = %{libuv_version} Provides: bundled(nghttp2) = %{nghttp2_version} %else -BuildRequires: systemtap-sdt-devel BuildRequires: libuv-devel >= 1:%{libuv_version} Requires: libuv >= 1:%{libuv_version} BuildRequires: libnghttp2-devel >= %{nghttp2_version} @@ -454,7 +458,6 @@ export LDFLAGS="%{build_ldflags}" # --shared-brotli \ # --without-dtrace \ # --with-intl=small-icu \ -# --debug-nghttp2 \ # --openssl-use-def-ca-store #%else #./configure --prefix=%{_prefix} \ @@ -481,8 +484,8 @@ export LDFLAGS="%{build_ldflags}" --shared-brotli \ --without-dtrace \ --with-intl=small-icu \ - --debug-nghttp2 \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM %else ./configure --prefix=%{_prefix} \ --shared-openssl \ @@ -493,8 +496,8 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=%{icu_flag} \ --with-icu-default-data-dir=%{icudatadir} \ - --debug-nghttp2 \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM %endif %else @@ -505,8 +508,8 @@ export LDFLAGS="%{build_ldflags}" --shared-zlib \ --without-dtrace \ --with-intl=small-icu \ - --debug-nghttp2 \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM %else ./configure --prefix=%{_prefix} \ --shared-openssl \ @@ -516,8 +519,8 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=%{icu_flag} \ --with-icu-default-data-dir=%{icudatadir} \ - --debug-nghttp2 \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM %endif %endif 
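Review bot: `--openssl-default-cipher-list=PROFILE=SYSTEM` is a cipher string that only a crypto-policies-aware system OpenSSL understands, and it is added to every `./configure` invocation here, including the first two whose leading options (and whether they pass `--shared-openssl`) fall outside the hunk. If any of those paths links the bundled OpenSSL, the compiled-in default cipher list will fail to parse at runtime rather than at build time, so each invocation receiving the flag should be confirmed to also use `--shared-openssl`. A comment above the flag, e.g. `# PROFILE=SYSTEM defers the default cipher list to the system crypto policy; only valid with --shared-openssl`, would make that dependency explicit. As far as I recall this only changes the built-in default and can still be overridden per process (`--tls-cipher-list`), which is worth stating if the intent is policy enforcement rather than a better default.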
@@ -870,14 +873,42 @@ end %changelog +* Mon Aug 16 2021 Zuzana Svetlikova - 1:12.22.5-1 +- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, +- Resolves CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672 +- Resolves: RHBZ#1951621 (make FIPS always available) +- Resolves: RHBZ#1988596, RHBZ#1993814, RHBZ#1993808, RHBZ#1993094 +- Resolves: RHBZ#1986742, RHBZ#1993946, RHBZ#1993939, RHBZ#1989426 + +* Mon Aug 09 2021 Zuzana Svetlikova - 1:12.22.3-3 +- Resolves CVE-2021-23362 CVE-2021-27290 +- Resolves: RHBZ#1945512, RHBZ#1945286 +- Add missing CVE trackers + +* Thu Jul 08 2021 Zuzana Svetlikova - 1:12.22.3-2 +- Resolves: RHBZ#1979843, RHBZ#1977759 +- Resolves: RHBz#1952915 +- Fix typo, BR systemtap-sdt-level always, remove y18n patch + +* Wed Jul 07 2021 Zuzana Svetlikova - 1:12.22.3-1 +- Resolves: RHBZ#1979843, RHBZ#1977759 +- Resolves: RHBz#1952915 +- Resolves CVE-2021-22918(libuv), use system cipher list + +* Tue Mar 02 2021 Zuzana Svetlikova - 1:12.21.0-1 +- Resolves: RHBZ#1934566, RHBZ#1934598 +- remove --debug-nghttp2 option +- remove ini patch +- Backport patch to use getauxval + * Mon Jan 18 2021 Zuzana Svetlikova - 1:12.20.1-1 - Security rebase for January security release - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ -- Resolves: RHBZ#1916460, RHBZ#1914786 -- Resolves: RHBZ#1914784, RHBZ#1916396 +- Resolves: RHBZ#1913000, RHBZ#1912952 +- Resolves: RHBZ#1912635, RHBZ#1893984 * Tue Nov 24 2020 Zuzana Svetlikova - 1:12.19.1-1 -- Resolves: RHBZ#1901044, #1901045, #1901046, #1901047 +- Resolves: RHBZ#1861602, #1874302, #1898598, #1898765 - c-ares, ajv and y18n CVEs and yarn installability issues * Mon Oct 05 2020 Zuzana Svetlikova - 1:12.18.4-2 diff --git a/package.cfg b/package.cfg deleted file mode 100644 index ceab82f..0000000 --- a/package.cfg +++ /dev/null @@ -1,2 +0,0 @@ -[koji] -targets = master f34 f33 diff --git a/sources b/sources index 91cf385..3941ed8 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
+SHA512 (node-v12.22.5-stripped.tar.gz) = 9bda1a68f6f94710881c0f80dd75168f4eac5a7599f4395f14c97693b1ee571020ea781e90ef15621112a50f3e5b62fb2dfe947f31be2ef20112a6a8f91da93a
 SHA512 (icu4c-67_1-src.tgz) = 4779f1ce1ca7976f6fad6768853ea8c540da54d11509e3b6cfd864a04b5f2db1c3d4b546387f91ad02fb90804525bc37d2543173f0d705d6ca11dc6f2b7640a8
-SHA512 (node-v12.20.1-stripped.tar.gz) = 3f4ee70278921f68ca1ba123f988916072bd5141ffca21413b278110d409c71101a84fcb1cee839d2a081ff5e3fbe2d07dec85b98d747de66a18cbef828b5123