Rebase to 14.21.3
This commit is contained in:
parent
ccbcd44d4d
commit
9b7039aaf7
1
.gitignore
vendored
1
.gitignore
vendored
@ -6,3 +6,4 @@ SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
|
||||
/icu4c-70_1-src.tgz
|
||||
/node-v14.21.1-stripped.tar.gz
|
||||
/wasi-sdk-wasi-sdk-11.tar.gz
|
||||
/node-v14.21.3-stripped.tar.gz
|
||||
|
@ -0,0 +1,49 @@
|
||||
From 201c8b23df7bf986276e62b03f8276e18ef49728 Mon Sep 17 00:00:00 2001
|
||||
From: Kornel <kornel@geekhood.net>
|
||||
Date: Fri, 27 Jan 2023 01:20:38 +0000
|
||||
Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
|
||||
whitespace
|
||||
|
||||
upstream-patch: https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/npm/node_modules/http-cache-semantics/node4/index.js | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/deps/npm/node_modules/http-cache-semantics/node4/index.js b/deps/npm/node_modules/http-cache-semantics/node4/index.js
|
||||
index bcdaebe..e427106 100644
|
||||
--- a/deps/npm/node_modules/http-cache-semantics/node4/index.js
|
||||
+++ b/deps/npm/node_modules/http-cache-semantics/node4/index.js
|
||||
@@ -21,7 +21,7 @@ function parseCacheControl(header) {
|
||||
|
||||
// TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
|
||||
// the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
|
||||
- var parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
|
||||
+ var parts = header.trim().split(/,/);
|
||||
for (var _iterator = parts, _isArray = Array.isArray(_iterator), _i = 0, _iterator = _isArray ? _iterator : _iterator[Symbol.iterator]();;) {
|
||||
var _ref;
|
||||
|
||||
@@ -36,11 +36,11 @@ function parseCacheControl(header) {
|
||||
|
||||
var part = _ref;
|
||||
|
||||
- var _part$split = part.split(/\s*=\s*/, 2),
|
||||
+ var _part$split = part.split(/=/, 2),
|
||||
k = _part$split[0],
|
||||
v = _part$split[1];
|
||||
|
||||
- cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
|
||||
+ cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
|
||||
}
|
||||
|
||||
return cc;
|
||||
@@ -556,4 +556,4 @@ module.exports = function () {
|
||||
};
|
||||
|
||||
return CachePolicy;
|
||||
-}();
|
||||
\ No newline at end of file
|
||||
+}();
|
||||
--
|
||||
2.39.2
|
||||
|
@ -1,98 +0,0 @@
|
||||
From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001
|
||||
From: Jordan Harband <ljharb@gmail.com>
|
||||
Date: Mon, 27 Dec 2021 19:15:57 -0800
|
||||
Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999)
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/npm/node_modules/qs/lib/parse.js | 2 +-
|
||||
deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++
|
||||
2 files changed, 61 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js
|
||||
index 8c9872e..08e623a 100644
|
||||
--- a/deps/npm/node_modules/qs/lib/parse.js
|
||||
+++ b/deps/npm/node_modules/qs/lib/parse.js
|
||||
@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) {
|
||||
) {
|
||||
obj = [];
|
||||
obj[index] = leaf;
|
||||
- } else {
|
||||
+ } else if (cleanRoot !== '__proto__') {
|
||||
obj[cleanRoot] = leaf;
|
||||
}
|
||||
}
|
||||
diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js
|
||||
index 0f8fe45..3e93784 100644
|
||||
--- a/deps/npm/node_modules/qs/test/parse.js
|
||||
+++ b/deps/npm/node_modules/qs/test/parse.js
|
||||
@@ -515,6 +515,66 @@ test('parse()', function (t) {
|
||||
st.end();
|
||||
});
|
||||
|
||||
+ t.test('dunder proto is ignored', function (st) {
|
||||
+ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
|
||||
+ var result = qs.parse(payload, { allowPrototypes: true });
|
||||
+
|
||||
+ st.deepEqual(
|
||||
+ result,
|
||||
+ {
|
||||
+ categories: {
|
||||
+ length: '42'
|
||||
+ }
|
||||
+ },
|
||||
+ 'silent [[Prototype]] payload'
|
||||
+ );
|
||||
+
|
||||
+ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
|
||||
+
|
||||
+ st.deepEqual(
|
||||
+ plainResult,
|
||||
+ {
|
||||
+ __proto__: null,
|
||||
+ categories: {
|
||||
+ __proto__: null,
|
||||
+ length: '42'
|
||||
+ }
|
||||
+ },
|
||||
+ 'silent [[Prototype]] payload: plain objects'
|
||||
+ );
|
||||
+
|
||||
+ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
|
||||
+
|
||||
+ st.notOk(Array.isArray(query.categories), 'is not an array');
|
||||
+ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
|
||||
+ st.deepEqual(query.categories, { some: { json: 'toInject' } });
|
||||
+ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
|
||||
+
|
||||
+ st.deepEqual(
|
||||
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
|
||||
+ {
|
||||
+ foo: {
|
||||
+ bar: 'stuffs'
|
||||
+ }
|
||||
+ },
|
||||
+ 'hidden values'
|
||||
+ );
|
||||
+
|
||||
+ st.deepEqual(
|
||||
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
|
||||
+ {
|
||||
+ __proto__: null,
|
||||
+ foo: {
|
||||
+ __proto__: null,
|
||||
+ bar: 'stuffs'
|
||||
+ }
|
||||
+ },
|
||||
+ 'hidden values: plain objects'
|
||||
+ );
|
||||
+
|
||||
+ st.end();
|
||||
+ });
|
||||
+
|
||||
t.test('can return null objects', { skip: !Object.create }, function (st) {
|
||||
var expected = Object.create(null);
|
||||
expected.a = Object.create(null);
|
||||
--
|
||||
2.38.1
|
||||
|
@ -0,0 +1,52 @@
|
||||
From 58725d71e4306c83a474d6c3035e72580d0c4592 Mon Sep 17 00:00:00 2001
|
||||
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
|
||||
Date: Wed, 18 Jan 2023 22:14:26 +0800
|
||||
Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
|
||||
stack overflow (#497)
|
||||
|
||||
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
|
||||
the input str and initialize a sortlist configuration.
|
||||
|
||||
However, ares_set_sortlist has not any checks about the validity of the input str.
|
||||
It is very easy to create an arbitrary length stack overflow with the unchecked
|
||||
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
|
||||
statements in the config_sortlist call, which could potentially cause severe
|
||||
security impact in practical programs.
|
||||
|
||||
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
|
||||
potential stack overflows.
|
||||
|
||||
fixes #496
|
||||
|
||||
Fix By: @hopper-vul
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/cares/src/lib/ares_init.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
|
||||
index de5d86c..d5858f6 100644
|
||||
--- a/deps/cares/src/lib/ares_init.c
|
||||
+++ b/deps/cares/src/lib/ares_init.c
|
||||
@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||||
q = str;
|
||||
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
|
||||
q++;
|
||||
+ if (q-str >= 16)
|
||||
+ return ARES_EBADSTR;
|
||||
memcpy(ipbuf, str, q-str);
|
||||
ipbuf[q-str] = '\0';
|
||||
/* Find the prefix */
|
||||
@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
|
||||
const char *str2 = q+1;
|
||||
while (*q && *q != ';' && !ISSPACE(*q))
|
||||
q++;
|
||||
+ if (q-str >= 32)
|
||||
+ return ARES_EBADSTR;
|
||||
memcpy(ipbufpfx, str, q-str);
|
||||
ipbufpfx[q-str] = '\0';
|
||||
str = str2;
|
||||
--
|
||||
2.39.2
|
||||
|
16
nodejs.spec
16
nodejs.spec
@ -30,7 +30,7 @@
|
||||
# This is used by both the nodejs package and the npm subpackage that
|
||||
# has a separate version - the name is special so that rpmdev-bumpspec
|
||||
# will bump this rather than adding .1 to the end.
|
||||
%global baserelease 2
|
||||
%global baserelease 1
|
||||
|
||||
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -42,7 +42,7 @@
|
||||
%global nodejs_epoch 1
|
||||
%global nodejs_major 14
|
||||
%global nodejs_minor 21
|
||||
%global nodejs_patch 1
|
||||
%global nodejs_patch 3
|
||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
|
||||
%global nodejs_release %{baserelease}
|
||||
@ -121,7 +121,7 @@
|
||||
%global npm_epoch 1
|
||||
%global npm_major 6
|
||||
%global npm_minor 14
|
||||
%global npm_patch 17
|
||||
%global npm_patch 18
|
||||
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
||||
|
||||
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
||||
@ -184,7 +184,8 @@ Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-
|
||||
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||
# Dependency vulnerabilities
|
||||
Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch
|
||||
Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
|
||||
Patch3: 0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
|
||||
Patch4: 0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: python3-devel
|
||||
@ -679,7 +680,6 @@ end
|
||||
%doc %{_mandir}/man5/shrinkwrap-json.5*
|
||||
%doc %{_mandir}/man7/config.7*
|
||||
%doc %{_mandir}/man7/developers.7*
|
||||
%doc %{_mandir}/man7/disputes.7*
|
||||
%doc %{_mandir}/man7/orgs.7*
|
||||
%doc %{_mandir}/man7/registry.7*
|
||||
%doc %{_mandir}/man7/removal.7*
|
||||
@ -696,6 +696,12 @@ end
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Mar 06 2023 Jan Staněk <jstanek@redhat.com> - 1:14.21.3-1
|
||||
- Rebase to 14.21.3
|
||||
Resolves: rhbz#2153712
|
||||
Resolves: CVE-2022-25881 CVE-2023-23918 CVE-2023-23920 CVE-2022-38900
|
||||
Resolves: CVE-2022-4904
|
||||
|
||||
* Thu Dec 08 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-2
|
||||
- Apply upstream fix for CVE-2022-24999
|
||||
Resolves: CVE-2022-24999
|
||||
|
4
sources
4
sources
@ -1,4 +1,4 @@
|
||||
SHA512 (cjs-module-lexer-1.2.2.tar.gz) = e2134c4541efec2f32d5fa5fd5151511a599ecd08e85fbfc8d56cbd0f3b2a404a9b1c072a601e4237e229ed12859abf6f52201ee0f55fcd0e43f49d0017e7cd1
|
||||
SHA512 (node-v14.21.3-stripped.tar.gz) = 04fdaf3c3a776973fd927a87dc69af277422a4717028d3c7b78a8abf45979610d17abc069d1129ec7b8d8b507e1d62539d3c595ae8895ac05eda15b156e63969
|
||||
SHA512 (icu4c-70_1-src.tgz) = 0b26ae7207155cb65a8fdb25f7b2fa4431e74b12bccbed0884a17feaae3c96833d12451064dd152197fd6ea5fd3adfd95594284a463e66c82e0d860f645880c9
|
||||
SHA512 (node-v14.21.1-stripped.tar.gz) = 47b109d8cce58a413657f8ec5cdf44b7f3110b9b345b66cfd7e3bfe5491148370d634193d09b6342c1218c3ade596d07f83d33aebd55bdd940f825eb977f2f57
|
||||
SHA512 (cjs-module-lexer-1.2.2.tar.gz) = e2134c4541efec2f32d5fa5fd5151511a599ecd08e85fbfc8d56cbd0f3b2a404a9b1c072a601e4237e229ed12859abf6f52201ee0f55fcd0e43f49d0017e7cd1
|
||||
SHA512 (wasi-sdk-wasi-sdk-11.tar.gz) = cb37f357b09431a3efad26141d83dce63232a35b536d9a7bd341d4d9627a0a3d4bd4d57504b6e3dab421942d2c168a96da2a6be889aab3f9a2852fc5a3200d3c
|
||||
|
Loading…
Reference in New Issue
Block a user