diff --git a/.gitignore b/.gitignore index d8fc543..3f9ed36 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/icu4c-67_1-src.tgz -SOURCES/node-v12.22.5-stripped.tar.gz +SOURCES/node-v12.20.1-stripped.tar.gz diff --git a/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch b/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch new file mode 100644 index 0000000..88a9d75 --- /dev/null +++ b/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch @@ -0,0 +1,13 @@ +diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js +index d720681628..727362aac0 100644 +--- a/deps/npm/node_modules/y18n/index.js ++++ b/deps/npm/node_modules/y18n/index.js +@@ -11,7 +11,7 @@ function Y18N (opts) { + this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true + + // internal stuff. +- this.cache = {} ++ this.cache = Object.create(null) + this.writeQueue = [] + } + diff --git a/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch new file mode 100644 index 0000000..c2b1f3e --- /dev/null +++ b/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch @@ -0,0 +1,99 @@ +From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001 +From: isaacs <i@izs.me> +Date: Tue, 8 Dec 2020 14:21:50 -0800 +Subject: [PATCH] do not allow invalid hazardous string as section name + +Signed-off-by: rpm-build <rpm-build> +--- + deps/npm/node_modules/ini/ini.js | 8 +++++ + deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + create mode 100644 deps/npm/node_modules/ini/test/proto.js + +diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js +index 590195d..0401258 100644 +--- a/deps/npm/node_modules/ini/ini.js ++++ b/deps/npm/node_modules/ini/ini.js +@@ -80,6 +80,12 @@ function decode (str) { + if (!match) return + if (match[1] !== undefined) { + section = unsafe(match[1]) ++ if (section === '__proto__') { ++ // not allowed ++ // keep parsing the section, but don't attach it. ++ p = {} ++ return ++ } + p = out[section] = out[section] || {} + return + } +@@ -94,6 +100,7 @@ function decode (str) { + // Convert keys with '[]' suffix to an array + if (key.length > 2 && key.slice(-2) === '[]') { + key = key.substring(0, key.length - 2) ++ if (key === '__proto__') return + if (!p[key]) { + p[key] = [] + } else if (!Array.isArray(p[key])) { +@@ -125,6 +132,7 @@ function decode (str) { + var l = parts.pop() + var nl = l.replace(/\\\./g, '.') + parts.forEach(function (part, _, __) { ++ if (part === '__proto__') return + if (!p[part] || typeof p[part] !== 'object') p[part] = {} + p = p[part] + }) +diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js +new file mode 100644 +index 0000000..ab35533 +--- /dev/null ++++ b/deps/npm/node_modules/ini/test/proto.js +@@ -0,0 +1,45 @@ ++var ini = require('../') ++var t = require('tap') ++ ++var data = ` ++__proto__ = quux ++foo = baz ++[__proto__] ++foo = bar ++[other] ++foo = asdf ++[kid.__proto__.foo] ++foo = kid ++[arrproto] ++hello = snyk ++__proto__[] = you did a good job ++__proto__[] = so you deserve arrays ++thanks = true ++` ++var res = ini.parse(data) ++t.deepEqual(res, { ++ foo: 'baz', ++ other: { ++ foo: 'asdf', ++ }, ++ kid: { ++ foo: { ++ foo: 'kid', ++ }, ++ }, ++ arrproto: { ++ hello: 'snyk', ++ thanks: true, ++ }, ++}) ++t.equal(res.__proto__, Object.prototype) ++t.equal(res.kid.__proto__, Object.prototype) ++t.equal(res.kid.foo.__proto__, Object.prototype) ++t.equal(res.arrproto.__proto__, Object.prototype) ++t.equal(Object.prototype.foo, undefined) ++t.equal(Object.prototype[0], undefined) ++t.equal(Object.prototype['0'], undefined) ++t.equal(Object.prototype[1], undefined) ++t.equal(Object.prototype['1'], undefined) ++t.equal(Array.prototype[0], undefined) ++t.equal(Array.prototype[1], undefined) +-- +2.29.2 + diff --git a/nodejs-tarball.sh b/nodejs-tarball.sh index 2ed756a..f3f3298 100755 --- a/nodejs-tarball.sh +++ b/nodejs-tarball.sh @@ -185,19 +185,15 @@ echo "punycode" echo "=========================" grep "'version'" node-v${version}/lib/punycode.js echo -echo "npm" -echo "=========================" -grep "\"version\":" node-v${version}/deps/npm/package.json -echo echo "uvwasi" echo "=========================" grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h echo -echo "brotli" +echo "npm" echo "=========================" -grep "#define BROTLI_VERSION" node-v${version}/deps/brotli/c/common/version.h +grep "\"version\":" node-v${version}/deps/npm/package.json echo echo "Make sure these versions match what is in the RPM spec file" diff --git a/nodejs.spec b/nodejs.spec index 28a459a..fc6939a 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -29,8 +29,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 12 -%global nodejs_minor 22 -%global nodejs_patch 5 +%global nodejs_minor 20 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %if %{?with_libs} == 1 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -57,8 +57,8 @@ # c-ares - from deps/cares/include/ares_version.h # https://github.com/nodejs/node/pull/9332 %global c_ares_major 1 -%global c_ares_minor 17 -%global c_ares_patch 2 +%global c_ares_minor 16 +%global c_ares_patch 1 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} # http-parser - from deps/http_parser/http_parser.h @@ -106,7 +106,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 14 +%global npm_patch 10 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -167,16 +167,12 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch2: 0002-Install-both-binaries-and-use-libdir.patch %endif -# Upstream patch to use getauxval -Patch3: 0003-src-use-getauxval-in-node_main.cc.patch +# CVE-2020-7774 +Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch -# Make FIPS always available -# https://github.com/nodejs/node/issues/34903 -Patch4: 0004-always-available-fips-options.patch +# CVE-2020-7788 +Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch -Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch - -BuildRequires: make BuildRequires: python2-devel BuildRequires: python3-devel BuildRequires: zlib-devel @@ -188,13 +184,13 @@ BuildRequires: gcc-c++ >= 6.3.0 BuildRequires: nodejs-packaging BuildRequires: chrpath BuildRequires: libatomic -BuildRequires: systemtap-sdt-devel %if %{with bootstrap} Provides: bundled(http-parser) = %{http_parser_version} Provides: bundled(libuv) = %{libuv_version} Provides: bundled(nghttp2) = %{nghttp2_version} %else +BuildRequires: systemtap-sdt-devel BuildRequires: libuv-devel >= 1:%{libuv_version} Requires: libuv >= 1:%{libuv_version} BuildRequires: libnghttp2-devel >= %{nghttp2_version} @@ -458,6 +454,7 @@ export LDFLAGS="%{build_ldflags}" # --shared-brotli \ # --without-dtrace \ # --with-intl=small-icu \ +# --debug-nghttp2 \ # --openssl-use-def-ca-store #%else #./configure --prefix=%{_prefix} \ @@ -467,6 +464,7 @@ export LDFLAGS="%{build_ldflags}" # --shared-zlib \ # --shared-brotli \ # --shared-libuv \ +# --shared-nghttp2 \ # --with-dtrace \ # --with-intl=%{icu_flag} \ # --with-icu-default-data-dir=%{icudatadir} \ @@ -483,8 +481,8 @@ export LDFLAGS="%{build_ldflags}" --shared-brotli \ --without-dtrace \ --with-intl=small-icu \ - --openssl-use-def-ca-store \ - --openssl-default-cipher-list=PROFILE=SYSTEM + --debug-nghttp2 \ + --openssl-use-def-ca-store %else ./configure --prefix=%{_prefix} \ --shared-openssl \ @@ -495,8 +493,8 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=%{icu_flag} \ --with-icu-default-data-dir=%{icudatadir} \ - --openssl-use-def-ca-store \ - --openssl-default-cipher-list=PROFILE=SYSTEM + --debug-nghttp2 \ + --openssl-use-def-ca-store %endif %else @@ -507,8 +505,8 @@ export LDFLAGS="%{build_ldflags}" --shared-zlib \ --without-dtrace \ --with-intl=small-icu \ - --openssl-use-def-ca-store \ - --openssl-default-cipher-list=PROFILE=SYSTEM + --debug-nghttp2 \ + --openssl-use-def-ca-store %else ./configure --prefix=%{_prefix} \ --shared-openssl \ @@ -518,8 +516,8 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=%{icu_flag} \ --with-icu-default-data-dir=%{icudatadir} \ - --openssl-use-def-ca-store \ - --openssl-default-cipher-list=PROFILE=SYSTEM + --debug-nghttp2 \ + --openssl-use-def-ca-store %endif %endif @@ -872,42 +870,14 @@ end %changelog -* Mon Aug 16 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.5-1 -- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, -- CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672 -- Resolves RHBZ#1951621 (make FIPS always available) -- Resolves: RHBZ#1988595, RHBZ#1993992, RHBZ#1993989, RHBZ#1993093 -- Resolves: RHBZ#1994025, RHBZ#1994403, RHBZ#1994407, RHBZ#1994399 -- Resolves: RHBZ#1993927 (make FIPS always available) - -* Mon Aug 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-3 -- Resolves CVE-2021-23362 CVE-2021-27290 -- Resolves: RHBZ#1991584, RHBZ#1991578 -- Add missing CVE trackers - -* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-2 -- Resolves: RHBZ#1980031, RHBZ#1978201 -- Fix typo, BR systemtap-sdt-level always, remove y18n patch - -* Wed Jul 07 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-1 -- Resolves: RHBZ#1980031, RHBZ#1978201 -- Resolves #1952915 -- Resolves CVE-2021-22918(libuv), use system cipher list - -* Tue Mar 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.21.0-1 -- Resolves: RHBZ#1932316, RHBZ#1932365 -- remove --debug-nghttp2 option -- remove ini patch -- Backport patch to use getauxval - * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1 - Security rebase for January security release - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ -- Resolves: RHBZ#1913000, RHBZ#1912952 -- Resolves: RHBZ#1912635, RHBZ#1893984 +- Resolves: RHBZ#1916460, RHBZ#1914786 +- Resolves: RHBZ#1914784, RHBZ#1916396 * Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1 -- Resolves: RHBZ#1861602, #1874302, #1898598, #1898765 +- Resolves: RHBZ#1901044, #1901045, #1901046, #1901047 - c-ares, ajv and y18n CVEs and yarn installability issues * Mon Oct 05 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.4-2 diff --git a/sources b/sources index fde8492..9c04416 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA1 (icu4c-67_1-src.tgz) = 6822a4a94324d1ba591b3e8ef084e4491af253c1 -SHA1 (node-v12.22.5-stripped.tar.gz) = bb98afb22215e659a77853964f7575da6b1535e3 +SHA1 (node-v12.20.1-stripped.tar.gz) = f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896