import UBI nodejs-16.19.1-2.module+el8.8.0+19038+6f60344f

SOURCES/0001-Disable-running-gyp-on-shared-deps.patch

@@ -1,19 +1,18 @@
-From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001
-From: Zuzana Svetlikova <zsvetlik@redhat.com>
-Date: Fri, 17 Apr 2020 12:59:44 +0200
-Subject: [PATCH 1/2] Disable running gyp on shared deps
+From 8a45f34d9d74d59879973210cf06f4383b9832b8 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Tue, 30 May 2023 13:12:35 +0200
+Subject: [PATCH] Disable running gyp on shared deps
 
+Signed-off-by: rpm-build <rpm-build>
 ---
  Makefile | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644
+index 6d6f2e4..88e1a11 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -136,11 +136,11 @@ endif
- .PHONY: test-code-cache
- with-code-cache test-code-cache:
+@@ -148,7 +148,7 @@ with-code-cache test-code-cache:
  	$(warning '$@' target is a noop)
  
  out/Makefile: config.gypi common.gypi node.gyp \
@@ -22,8 +21,6 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e
  	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
  	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
  	$(PYTHON) tools/gyp_node.py -f make
-
- # node_version.h is listed because the N-API version is taken from there
 -- 
-2.29.2
+2.40.1
 

SOURCES/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch

@@ -1,4 +1,4 @@
-From df574e2999dc6c2c38138bd0c3ec61dfafe9c929 Mon Sep 17 00:00:00 2001
+From abe534dda44a10e1b80a206c996f2e0e42298f7f Mon Sep 17 00:00:00 2001
 From: Kornel <kornel@geekhood.net>
 Date: Fri, 27 Jan 2023 01:20:38 +0000
 Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
@@ -41,5 +41,5 @@ index 897798d..79c020a 100644
      "repository": "https://github.com/kornelski/http-cache-semantics.git",
      "main": "index.js",
 -- 
-2.39.2
+2.40.1
 

SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch

@@ -1,53 +0,0 @@
-From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
-From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
-Date: Wed, 18 Jan 2023 22:14:26 +0800
-Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
- stack overflow (#497)
-
-In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
-the input str and initialize a sortlist configuration.
-
-However, ares_set_sortlist has not any checks about the validity of the input str.
-It is very easy to create an arbitrary length stack overflow with the unchecked
-`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
-statements in the config_sortlist call, which could potentially cause severe
-security impact in practical programs.
-
-This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
-potential stack overflows.
-
-fixes #496
-
-Fix By: @hopper-vul
-Resolves: CVE-2022-4904
-
-Signed-off-by: rpm-build <rpm-build>
----
- deps/cares/src/lib/ares_init.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
-index de5d86c..d5858f6 100644
---- a/deps/cares/src/lib/ares_init.c
-+++ b/deps/cares/src/lib/ares_init.c
-@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
-       q = str;
-       while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
-         q++;
-+      if (q-str >= 16)
-+        return ARES_EBADSTR;
-       memcpy(ipbuf, str, q-str);
-       ipbuf[q-str] = '\0';
-       /* Find the prefix */
-@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
-           const char *str2 = q+1;
-           while (*q && *q != ';' && !ISSPACE(*q))
-             q++;
-+          if (q-str >= 32)
-+            return ARES_EBADSTR;
-           memcpy(ipbufpfx, str, q-str);
-           ipbufpfx[q-str] = '\0';
-           str = str2;
--- 
-2.39.2
-

SPECS/nodejs.spec

@@ -35,7 +35,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 2
 
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
@@ -71,10 +71,7 @@
 
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
-%global c_ares_major 1
-%global c_ares_minor 18
-%global c_ares_patch 1
-%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
+%global c_ares_version 1.19.1
 
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 6
@@ -211,8 +208,7 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 # CVE-2022-25881
 Patch2: 0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
-# CVE-2022-4904
-Patch3: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
+Patch3: 0003-deps-update-c-ares-to-1.19.1.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
@@ -733,6 +729,10 @@ end
 
 
 %changelog
+* Wed May 31 2023 Jan Staněk <jstanek@redhat.com> - 1:16.19.1-2
+- Update bundled c-ares to 1.19.1
+  Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067
+
 * Mon Feb 27 2023 Jan Staněk <jstanek@redhat.com> - 1:16.19.1-1
 - Rebase to 16.19.1
   Resolves: rhbz#2153713
@@ -749,15 +749,12 @@ end
 
 * Wed Nov 16 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.18.1-1
 - Rebase + CVE fixes
-- Resolves: #2142806
-- Resolves: #2142837, #2142851
+- Resolves: #2121024
+- Resolves: #2135490, #2140926
 
 * Fri Oct 07 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.17.1-1
 - Rebase to version 16.17.1
 - Resolves: CVE-2022-35255 CVE-2022-35256
-- Resolves: #2130553
-- Resolves #2132003
-- Resolves #2121095
 
 * Tue Aug 23 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.16.0-1
 - Resolves: #2104754, #2108057, #2108062, #2108067, #2108072