Rebase to 14.21.3

Jan Staněk 2023-03-06 14:58:28 +01:00
parent ccbcd44d4d
commit 9b7039aaf7
No known key found for this signature in database
GPG Key ID: 2972F2037B243B6D
6 changed files with 115 additions and 105 deletions

1
.gitignore vendored

@ -6,3 +6,4 @@ SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
/icu4c-70_1-src.tgz
/node-v14.21.1-stripped.tar.gz
/wasi-sdk-wasi-sdk-11.tar.gz
/node-v14.21.3-stripped.tar.gz


@ -0,0 +1,49 @@
From 201c8b23df7bf986276e62b03f8276e18ef49728 Mon Sep 17 00:00:00 2001
From: Kornel <kornel@geekhood.net>
Date: Fri, 27 Jan 2023 01:20:38 +0000
Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
whitespace
upstream-patch: https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/http-cache-semantics/node4/index.js | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/deps/npm/node_modules/http-cache-semantics/node4/index.js b/deps/npm/node_modules/http-cache-semantics/node4/index.js
index bcdaebe..e427106 100644
--- a/deps/npm/node_modules/http-cache-semantics/node4/index.js
+++ b/deps/npm/node_modules/http-cache-semantics/node4/index.js
@@ -21,7 +21,7 @@ function parseCacheControl(header) {
// TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
// the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
- var parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
+ var parts = header.trim().split(/,/);
for (var _iterator = parts, _isArray = Array.isArray(_iterator), _i = 0, _iterator = _isArray ? _iterator : _iterator[Symbol.iterator]();;) {
var _ref;
@@ -36,11 +36,11 @@ function parseCacheControl(header) {
var part = _ref;
- var _part$split = part.split(/\s*=\s*/, 2),
+ var _part$split = part.split(/=/, 2),
k = _part$split[0],
v = _part$split[1];
- cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
+ cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
}
return cc;
@@ -556,4 +556,4 @@ module.exports = function () {
};
return CachePolicy;
-}();
\ No newline at end of file
+}();
--
2.39.2
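Review bot: Only the transpiled `node4/index.js` is touched by this embedded patch, so the whitespace-tolerant regexes in `parseCacheControl` are removed from that build alone. If the bundled http-cache-semantics also ships an untranspiled `index.js`, or its `main` does not point into `node4/`, the old `split(/\s*,\s*/)` pattern would still be reachable; this page cannot settle that, so it is worth checking against the unpacked 14.21.3 tarball. The patch header also does not name the advisory it answers, unlike the removed qs patch. A trailer such as `Resolves: CVE-2022-25881` (presumably the http-cache-semantics entry in the changelog) would make the mapping auditable.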


@ -1,98 +0,0 @@
From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001
From: Jordan Harband <ljharb@gmail.com>
Date: Mon, 27 Dec 2021 19:15:57 -0800
Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999)
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/qs/lib/parse.js | 2 +-
deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++
2 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js
index 8c9872e..08e623a 100644
--- a/deps/npm/node_modules/qs/lib/parse.js
+++ b/deps/npm/node_modules/qs/lib/parse.js
@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) {
) {
obj = [];
obj[index] = leaf;
- } else {
+ } else if (cleanRoot !== '__proto__') {
obj[cleanRoot] = leaf;
}
}
diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js
index 0f8fe45..3e93784 100644
--- a/deps/npm/node_modules/qs/test/parse.js
+++ b/deps/npm/node_modules/qs/test/parse.js
@@ -515,6 +515,66 @@ test('parse()', function (t) {
st.end();
});
+ t.test('dunder proto is ignored', function (st) {
+ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
+ var result = qs.parse(payload, { allowPrototypes: true });
+
+ st.deepEqual(
+ result,
+ {
+ categories: {
+ length: '42'
+ }
+ },
+ 'silent [[Prototype]] payload'
+ );
+
+ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
+
+ st.deepEqual(
+ plainResult,
+ {
+ __proto__: null,
+ categories: {
+ __proto__: null,
+ length: '42'
+ }
+ },
+ 'silent [[Prototype]] payload: plain objects'
+ );
+
+ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
+
+ st.notOk(Array.isArray(query.categories), 'is not an array');
+ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
+ st.deepEqual(query.categories, { some: { json: 'toInject' } });
+ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
+
+ st.deepEqual(
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
+ {
+ foo: {
+ bar: 'stuffs'
+ }
+ },
+ 'hidden values'
+ );
+
+ st.deepEqual(
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
+ {
+ __proto__: null,
+ foo: {
+ __proto__: null,
+ bar: 'stuffs'
+ }
+ },
+ 'hidden values: plain objects'
+ );
+
+ st.end();
+ });
+
t.test('can return null objects', { skip: !Object.create }, function (st) {
var expected = Object.create(null);
expected.a = Object.create(null);
--
2.38.1


@ -0,0 +1,52 @@
From 58725d71e4306c83a474d6c3035e72580d0c4592 Mon Sep 17 00:00:00 2001
From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
Date: Wed, 18 Jan 2023 22:14:26 +0800
Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
stack overflow (#497)
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
the input str and initialize a sortlist configuration.
However, ares_set_sortlist has not any checks about the validity of the input str.
It is very easy to create an arbitrary length stack overflow with the unchecked
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
statements in the config_sortlist call, which could potentially cause severe
security impact in practical programs.
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
potential stack overflows.
fixes #496
Fix By: @hopper-vul
Signed-off-by: rpm-build <rpm-build>
---
deps/cares/src/lib/ares_init.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
index de5d86c..d5858f6 100644
--- a/deps/cares/src/lib/ares_init.c
+++ b/deps/cares/src/lib/ares_init.c
@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
q = str;
while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 16)
+ return ARES_EBADSTR;
memcpy(ipbuf, str, q-str);
ipbuf[q-str] = '\0';
/* Find the prefix */
@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
const char *str2 = q+1;
while (*q && *q != ';' && !ISSPACE(*q))
q++;
+ if (q-str >= 32)
+ return ARES_EBADSTR;
memcpy(ipbufpfx, str, q-str);
ipbufpfx[q-str] = '\0';
str = str2;
--
2.39.2
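Review bot: The two added guards in `config_sortlist` compare against the literals 16 and 32, while the declarations of `ipbuf` and `ipbufpfx` lie outside the hunk, so the bounds cannot be checked against the buffers from here. Assuming both are local arrays, tying each guard to its buffer with `if ((size_t)(q-str) >= sizeof(ipbuf))` and `if ((size_t)(q-str) >= sizeof(ipbufpfx))` keeps the check correct if either array is ever resized. A short comment above each guard, `/* reject tokens that would not fit together with the terminating NUL */`, would explain why the comparison is `>=` rather than `>`. As this is an upstream backport, the change may be better proposed upstream than carried as a downstream deviation.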


@ -30,7 +30,7 @@
# This is used by both the nodejs package and the npm subpackage that
# has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end.
%global baserelease 2
%global baserelease 1
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -42,7 +42,7 @@
%global nodejs_epoch 1
%global nodejs_major 14
%global nodejs_minor 21
%global nodejs_patch 1
%global nodejs_patch 3
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
%global nodejs_release %{baserelease}
@ -121,7 +121,7 @@
%global npm_epoch 1
%global npm_major 6
%global npm_minor 14
%global npm_patch 17
%global npm_patch 18
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# uvwasi - from deps/uvwasi/include/uvwasi.h
@ -184,7 +184,8 @@ Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
# Dependency vulnerabilities
Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch
Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
Patch3: 0003-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
Patch4: 0004-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
BuildRequires: make
BuildRequires: python3-devel
@ -679,7 +680,6 @@ end
%doc %{_mandir}/man5/shrinkwrap-json.5*
%doc %{_mandir}/man7/config.7*
%doc %{_mandir}/man7/developers.7*
%doc %{_mandir}/man7/disputes.7*
%doc %{_mandir}/man7/orgs.7*
%doc %{_mandir}/man7/registry.7*
%doc %{_mandir}/man7/removal.7*
@ -696,6 +696,12 @@ end
%changelog
* Mon Mar 06 2023 Jan Staněk <jstanek@redhat.com> - 1:14.21.3-1
- Rebase to 14.21.3
Resolves: rhbz#2153712
Resolves: CVE-2022-25881 CVE-2023-23918 CVE-2023-23920 CVE-2022-38900
Resolves: CVE-2022-4904
* Thu Dec 08 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-2
- Apply upstream fix for CVE-2022-24999
Resolves: CVE-2022-24999
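Review bot: Patch3 no longer carries the qs `__proto__` fix for CVE-2022-24999, and nothing in this section shows that the bundled npm 6.14.18 in the 14.21.3 tarball ships a qs release that already contains it. Confirm this against the unpacked source (the `cleanRoot !== '__proto__'` guard in `deps/npm/node_modules/qs/lib/parse.js`) before dropping the patch. Once verified, record it in the changelog, for example `- Drop qs patch for CVE-2022-24999, fix included in rebased sources`. The `# Dependency vulnerabilities` block would also be easier to audit with a comment above each Patch line naming the CVE it addresses, as the old Patch3 filename did.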


@ -1,4 +1,4 @@
SHA512 (cjs-module-lexer-1.2.2.tar.gz) = e2134c4541efec2f32d5fa5fd5151511a599ecd08e85fbfc8d56cbd0f3b2a404a9b1c072a601e4237e229ed12859abf6f52201ee0f55fcd0e43f49d0017e7cd1
SHA512 (node-v14.21.3-stripped.tar.gz) = 04fdaf3c3a776973fd927a87dc69af277422a4717028d3c7b78a8abf45979610d17abc069d1129ec7b8d8b507e1d62539d3c595ae8895ac05eda15b156e63969
SHA512 (icu4c-70_1-src.tgz) = 0b26ae7207155cb65a8fdb25f7b2fa4431e74b12bccbed0884a17feaae3c96833d12451064dd152197fd6ea5fd3adfd95594284a463e66c82e0d860f645880c9
SHA512 (node-v14.21.1-stripped.tar.gz) = 47b109d8cce58a413657f8ec5cdf44b7f3110b9b345b66cfd7e3bfe5491148370d634193d09b6342c1218c3ade596d07f83d33aebd55bdd940f825eb977f2f57
SHA512 (cjs-module-lexer-1.2.2.tar.gz) = e2134c4541efec2f32d5fa5fd5151511a599ecd08e85fbfc8d56cbd0f3b2a404a9b1c072a601e4237e229ed12859abf6f52201ee0f55fcd0e43f49d0017e7cd1
SHA512 (wasi-sdk-wasi-sdk-11.tar.gz) = cb37f357b09431a3efad26141d83dce63232a35b536d9a7bd341d4d9627a0a3d4bd4d57504b6e3dab421942d2c168a96da2a6be889aab3f9a2852fc5a3200d3c