import nodejs-12.20.1-1.module+el8.3.0+9503+19cb079c

2021-02-16 02:40:51 -05:00 · 2021-02-16 02:40:51 -05:00 · 8ea90a1f4e
commit 8ea90a1f4e
parent b8a823347f
6 changed files with 119 additions and 36 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.19.1-stripped.tar.gz
+SOURCES/node-v12.20.1-stripped.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,2 +1,2 @@
 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
-c838aed4904d8632d98d75deaa623b259d0f4c20 SOURCES/node-v12.19.1-stripped.tar.gz
+f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896 SOURCES/node-v12.20.1-stripped.tar.gz
--- a/SOURCES/0004-CVE-2020-15366-nodejs-ajv-ignore-proto-properties.patch
+++ b/SOURCES/0004-CVE-2020-15366-nodejs-ajv-ignore-proto-properties.patch
@ -1,24 +0,0 @@
 From 8ba0309b6c0c976241f5db056b344260acf674d9 Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
 Date: Fri, 30 Oct 2020 13:51:33 +0100
 Subject: [PATCH] CVE-2020-15366-nodejs-ajv-ignore-proto-properties
 ---
 deps/npm/node_modules/ajv/lib/dot/dependencies.jst | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/deps/npm/node_modules/ajv/lib/dot/dependencies.jst b/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
 index c41f334224..7403105d4b 100644
 --- a/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
 +++ b/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
@@ -19,6 +19,7 @@
     , $ownProperties = it.opts.ownProperties;
   for ($property in $schema) {
 +    if ($property == '__proto__') continue;
     var $sch = $schema[$property];
     var $deps = Array.isArray($sch) ? $propertyDeps : $schemaDeps;
     $deps[$property] = $sch;
 -- 
 2.26.2
--- a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+++ b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
--- a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+++ b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
@ -0,0 +1,99 @@
 From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
 From: isaacs <i@izs.me>
 Date: Tue, 8 Dec 2020 14:21:50 -0800
 Subject: [PATCH] do not allow invalid hazardous string as section name
 Signed-off-by: rpm-build <rpm-build>
 ---
 deps/npm/node_modules/ini/ini.js        |  8 +++++
 deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 deps/npm/node_modules/ini/test/proto.js
 diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
 index 590195d..0401258 100644
 --- a/deps/npm/node_modules/ini/ini.js
 +++ b/deps/npm/node_modules/ini/ini.js
@@ -80,6 +80,12 @@ function decode (str) {
     if (!match) return
     if (match[1] !== undefined) {
       section = unsafe(match[1])
 +      if (section === '__proto__') {
 +        // not allowed
 +        // keep parsing the section, but don't attach it.
 +        p = {}
 +        return
 +      }
       p = out[section] = out[section] || {}
       return
     }
@@ -94,6 +100,7 @@ function decode (str) {
     // Convert keys with '[]' suffix to an array
     if (key.length > 2 && key.slice(-2) === '[]') {
       key = key.substring(0, key.length - 2)
 +      if (key === '__proto__') return
       if (!p[key]) {
         p[key] = []
       } else if (!Array.isArray(p[key])) {
@@ -125,6 +132,7 @@ function decode (str) {
     var l = parts.pop()
     var nl = l.replace(/\\\./g, '.')
     parts.forEach(function (part, _, __) {
 +      if (part === '__proto__') return
       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
       p = p[part]
     })
 diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
 new file mode 100644
 index 0000000..ab35533
 --- /dev/null
 +++ b/deps/npm/node_modules/ini/test/proto.js
@@ -0,0 +1,45 @@
 +var ini = require('../')
 +var t = require('tap')
 +
 +var data = `
 +__proto__ = quux
 +foo = baz
 +[__proto__]
 +foo = bar
 +[other]
 +foo = asdf
 +[kid.__proto__.foo]
 +foo = kid
 +[arrproto]
 +hello = snyk
 +__proto__[] = you did a good job
 +__proto__[] = so you deserve arrays
 +thanks = true
 +`
 +var res = ini.parse(data)
 +t.deepEqual(res, {
 +  foo: 'baz',
 +  other: {
 +    foo: 'asdf',
 +  },
 +  kid: {
 +    foo: {
 +      foo: 'kid',
 +    },
 +  },
 +  arrproto: {
 +    hello: 'snyk',
 +    thanks: true,
 +  },
 +})
 +t.equal(res.__proto__, Object.prototype)
 +t.equal(res.kid.__proto__, Object.prototype)
 +t.equal(res.kid.foo.__proto__, Object.prototype)
 +t.equal(res.arrproto.__proto__, Object.prototype)
 +t.equal(Object.prototype.foo, undefined)
 +t.equal(Object.prototype[0], undefined)
 +t.equal(Object.prototype['0'], undefined)
 +t.equal(Object.prototype[1], undefined)
 +t.equal(Object.prototype['1'], undefined)
 +t.equal(Array.prototype[0], undefined)
 +t.equal(Array.prototype[1], undefined)
 --
 2.29.2
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -29,7 +29,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 12
-%global nodejs_minor 19
+%global nodejs_minor 20
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
@ -58,24 +58,24 @@
 # https://github.com/nodejs/node/pull/9332
 %global c_ares_major 1
 %global c_ares_minor 16
-%global c_ares_patch 0
+%global c_ares_patch 1
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
 # http-parser - from deps/http_parser/http_parser.h
 %global http_parser_major 2
 %global http_parser_minor 9
-%global http_parser_patch 3
+%global http_parser_patch 4
 %global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch}
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 2
 %global llhttp_minor 1
-%global llhttp_patch 2
+%global llhttp_patch 3
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
-%global libuv_minor 39
+%global libuv_minor 40
 %global libuv_patch 0
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
@ -106,13 +106,13 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 8
+%global npm_patch 10
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
 %global uvwasi_minor 0
-%global uvwasi_patch 10
+%global uvwasi_patch 11
 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
 # histogram_c - assumed from timestamps
@ -167,9 +167,11 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 %endif
-# Fixes for CVEs
+# CVE-2020-7774
-Patch4: 0004-CVE-2020-15366-nodejs-ajv-ignore-proto-properties.patch
+Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
-Patch5: 0005-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+
 # CVE-2020-7788
 Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
 BuildRequires: python2-devel
 BuildRequires: python3-devel
@ -868,6 +870,12 @@ end
 %changelog
 * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1
 - Security rebase for January security release
 - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
 - Resolves: RHBZ#1916460, RHBZ#1914786
 - Resolves: RHBZ#1914784, RHBZ#1916396
 * Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1
 - Resolves: RHBZ#1901044, #1901045, #1901046, #1901047
 - c-ares, ajv and y18n CVEs and yarn installability issues
`@ -1,2 +1,2 @@`
	`SOURCES/icu4c-67_1-src.tgz`	`SOURCES/icu4c-67_1-src.tgz`
	`SOURCES/node-v12.19.1-stripped.tar.gz`	`SOURCES/node-v12.20.1-stripped.tar.gz`
`@ -1,2 +1,2 @@`
	`6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz`	`6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz`
	`c838aed4904d8632d98d75deaa623b259d0f4c20 SOURCES/node-v12.19.1-stripped.tar.gz`	`f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896 SOURCES/node-v12.20.1-stripped.tar.gz`