Import rpm: 5f3231ffa3973cb363730af5f8847502649183c7

James Antill 2023-02-23 13:02:28 -05:00
parent 3abc566790
commit a4a034c5de
6 changed files with 139 additions and 61 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/icu4c-67_1-src.tgz SOURCES/icu4c-67_1-src.tgz
SOURCES/node-v12.22.5-stripped.tar.gz SOURCES/node-v12.20.1-stripped.tar.gz


@ -0,0 +1,13 @@
diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
index d720681628..727362aac0 100644
--- a/deps/npm/node_modules/y18n/index.js
+++ b/deps/npm/node_modules/y18n/index.js
@@ -11,7 +11,7 @@ function Y18N (opts) {
this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
// internal stuff.
- this.cache = {}
+ this.cache = Object.create(null)
this.writeQueue = []
}
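Review bot: This patch file (referenced by the spec as 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch) carries no provenance header — unlike the companion ini patch in the same commit it has no `From:`, `Date:`, `Subject:` or Signed-off-by line, so a reader cannot tell which upstream y18n commit or release the `Object.create(null)` change was backported from. A format-patch style header such as `From <UPSTREAM-COMMIT-ID placeholder> Mon Sep 17 00:00:00 2001` / `Subject: [PATCH] CVE-2020-7774: y18n prototype pollution` would make the backport auditable. The hunk hardens only the initial `this.cache` object; if per-locale entries stored in that cache are created elsewhere in index.js with a plain `{}` literal (outside this hunk), they would still carry the inherited `__proto__` setter, which is worth confirming against the upstream fix. The enclosing `Y18N` constructor starts before the hunk.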


@ -0,0 +1,99 @@
From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
From: isaacs <i@izs.me>
Date: Tue, 8 Dec 2020 14:21:50 -0800
Subject: [PATCH] do not allow invalid hazardous string as section name
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/ini/ini.js | 8 +++++
deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 deps/npm/node_modules/ini/test/proto.js
diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
index 590195d..0401258 100644
--- a/deps/npm/node_modules/ini/ini.js
+++ b/deps/npm/node_modules/ini/ini.js
@@ -80,6 +80,12 @@ function decode (str) {
if (!match) return
if (match[1] !== undefined) {
section = unsafe(match[1])
+ if (section === '__proto__') {
+ // not allowed
+ // keep parsing the section, but don't attach it.
+ p = {}
+ return
+ }
p = out[section] = out[section] || {}
return
}
@@ -94,6 +100,7 @@ function decode (str) {
// Convert keys with '[]' suffix to an array
if (key.length > 2 && key.slice(-2) === '[]') {
key = key.substring(0, key.length - 2)
+ if (key === '__proto__') return
if (!p[key]) {
p[key] = []
} else if (!Array.isArray(p[key])) {
@@ -125,6 +132,7 @@ function decode (str) {
var l = parts.pop()
var nl = l.replace(/\\\./g, '.')
parts.forEach(function (part, _, __) {
+ if (part === '__proto__') return
if (!p[part] || typeof p[part] !== 'object') p[part] = {}
p = p[part]
})
diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
new file mode 100644
index 0000000..ab35533
--- /dev/null
+++ b/deps/npm/node_modules/ini/test/proto.js
@@ -0,0 +1,45 @@
+var ini = require('../')
+var t = require('tap')
+
+var data = `
+__proto__ = quux
+foo = baz
+[__proto__]
+foo = bar
+[other]
+foo = asdf
+[kid.__proto__.foo]
+foo = kid
+[arrproto]
+hello = snyk
+__proto__[] = you did a good job
+__proto__[] = so you deserve arrays
+thanks = true
+`
+var res = ini.parse(data)
+t.deepEqual(res, {
+ foo: 'baz',
+ other: {
+ foo: 'asdf',
+ },
+ kid: {
+ foo: {
+ foo: 'kid',
+ },
+ },
+ arrproto: {
+ hello: 'snyk',
+ thanks: true,
+ },
+})
+t.equal(res.__proto__, Object.prototype)
+t.equal(res.kid.__proto__, Object.prototype)
+t.equal(res.kid.foo.__proto__, Object.prototype)
+t.equal(res.arrproto.__proto__, Object.prototype)
+t.equal(Object.prototype.foo, undefined)
+t.equal(Object.prototype[0], undefined)
+t.equal(Object.prototype['0'], undefined)
+t.equal(Object.prototype[1], undefined)
+t.equal(Object.prototype['1'], undefined)
+t.equal(Array.prototype[0], undefined)
+t.equal(Array.prototype[1], undefined)
--
2.29.2
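Review bot: The `return` added inside the `parts.forEach` callback skips only the `__proto__` segment and then keeps descending, so a key such as `kid.__proto__.foo` is stored as `kid.foo` rather than rejected; the new test (`[kid.__proto__.foo]` yielding `kid: { foo: { foo: 'kid' } }`) encodes that collapsing, but nothing in the code says it is intended. A comment on that line, `// drop the segment and keep descending: a.__proto__.b is stored as a.b`, would keep a later maintainer from "fixing" it into a rejection and breaking the test. The same silent-drop semantics apply to the `[__proto__]` section guard and the `__proto__[]` key guard in the earlier hunks of this patch, and the guards compare the literal name only after `unsafe()` unescaping, which the comment could also state. `decode` begins and ends outside these hunks.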


@ -185,19 +185,15 @@ echo "punycode"
echo "=========================" echo "========================="
grep "'version'" node-v${version}/lib/punycode.js grep "'version'" node-v${version}/lib/punycode.js
echo echo
echo "npm"
echo "========================="
grep "\"version\":" node-v${version}/deps/npm/package.json
echo
echo "uvwasi" echo "uvwasi"
echo "=========================" echo "========================="
grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h
grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h
grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h
echo echo
echo "brotli" echo "npm"
echo "=========================" echo "========================="
grep "#define BROTLI_VERSION" node-v${version}/deps/brotli/c/common/version.h grep "\"version\":" node-v${version}/deps/npm/package.json
echo echo
echo "Make sure these versions match what is in the RPM spec file" echo "Make sure these versions match what is in the RPM spec file"


@ -29,8 +29,8 @@
# than a Fedora release lifecycle. # than a Fedora release lifecycle.
%global nodejs_epoch 1 %global nodejs_epoch 1
%global nodejs_major 12 %global nodejs_major 12
%global nodejs_minor 22 %global nodejs_minor 20
%global nodejs_patch 5 %global nodejs_patch 1
%global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%if %{?with_libs} == 1 %if %{?with_libs} == 1
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -57,8 +57,8 @@
# c-ares - from deps/cares/include/ares_version.h # c-ares - from deps/cares/include/ares_version.h
# https://github.com/nodejs/node/pull/9332 # https://github.com/nodejs/node/pull/9332
%global c_ares_major 1 %global c_ares_major 1
%global c_ares_minor 17 %global c_ares_minor 16
%global c_ares_patch 2 %global c_ares_patch 1
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
# http-parser - from deps/http_parser/http_parser.h # http-parser - from deps/http_parser/http_parser.h
@ -106,7 +106,7 @@
%global npm_epoch 1 %global npm_epoch 1
%global npm_major 6 %global npm_major 6
%global npm_minor 14 %global npm_minor 14
%global npm_patch 14 %global npm_patch 10
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# uvwasi - from deps/uvwasi/include/uvwasi.h # uvwasi - from deps/uvwasi/include/uvwasi.h
@ -167,16 +167,12 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch2: 0002-Install-both-binaries-and-use-libdir.patch Patch2: 0002-Install-both-binaries-and-use-libdir.patch
%endif %endif
# Upstream patch to use getauxval # CVE-2020-7774
Patch3: 0003-src-use-getauxval-in-node_main.cc.patch Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
# Make FIPS always available # CVE-2020-7788
# https://github.com/nodejs/node/issues/34903 Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
Patch4: 0004-always-available-fips-options.patch
Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch
BuildRequires: make
BuildRequires: python2-devel BuildRequires: python2-devel
BuildRequires: python3-devel BuildRequires: python3-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
@ -188,13 +184,13 @@ BuildRequires: gcc-c++ >= 6.3.0
BuildRequires: nodejs-packaging BuildRequires: nodejs-packaging
BuildRequires: chrpath BuildRequires: chrpath
BuildRequires: libatomic BuildRequires: libatomic
BuildRequires: systemtap-sdt-devel
%if %{with bootstrap} %if %{with bootstrap}
Provides: bundled(http-parser) = %{http_parser_version} Provides: bundled(http-parser) = %{http_parser_version}
Provides: bundled(libuv) = %{libuv_version} Provides: bundled(libuv) = %{libuv_version}
Provides: bundled(nghttp2) = %{nghttp2_version} Provides: bundled(nghttp2) = %{nghttp2_version}
%else %else
BuildRequires: systemtap-sdt-devel
BuildRequires: libuv-devel >= 1:%{libuv_version} BuildRequires: libuv-devel >= 1:%{libuv_version}
Requires: libuv >= 1:%{libuv_version} Requires: libuv >= 1:%{libuv_version}
BuildRequires: libnghttp2-devel >= %{nghttp2_version} BuildRequires: libnghttp2-devel >= %{nghttp2_version}
@ -458,6 +454,7 @@ export LDFLAGS="%{build_ldflags}"
# --shared-brotli \ # --shared-brotli \
# --without-dtrace \ # --without-dtrace \
# --with-intl=small-icu \ # --with-intl=small-icu \
# --debug-nghttp2 \
# --openssl-use-def-ca-store # --openssl-use-def-ca-store
#%else #%else
#./configure --prefix=%{_prefix} \ #./configure --prefix=%{_prefix} \
@ -467,6 +464,7 @@ export LDFLAGS="%{build_ldflags}"
# --shared-zlib \ # --shared-zlib \
# --shared-brotli \ # --shared-brotli \
# --shared-libuv \ # --shared-libuv \
# --shared-nghttp2 \
# --with-dtrace \ # --with-dtrace \
# --with-intl=%{icu_flag} \ # --with-intl=%{icu_flag} \
# --with-icu-default-data-dir=%{icudatadir} \ # --with-icu-default-data-dir=%{icudatadir} \
@ -483,8 +481,8 @@ export LDFLAGS="%{build_ldflags}"
--shared-brotli \ --shared-brotli \
--without-dtrace \ --without-dtrace \
--with-intl=small-icu \ --with-intl=small-icu \
--openssl-use-def-ca-store \ --debug-nghttp2 \
--openssl-default-cipher-list=PROFILE=SYSTEM --openssl-use-def-ca-store
%else %else
./configure --prefix=%{_prefix} \ ./configure --prefix=%{_prefix} \
--shared-openssl \ --shared-openssl \
@ -495,8 +493,8 @@ export LDFLAGS="%{build_ldflags}"
--with-dtrace \ --with-dtrace \
--with-intl=%{icu_flag} \ --with-intl=%{icu_flag} \
--with-icu-default-data-dir=%{icudatadir} \ --with-icu-default-data-dir=%{icudatadir} \
--openssl-use-def-ca-store \ --debug-nghttp2 \
--openssl-default-cipher-list=PROFILE=SYSTEM --openssl-use-def-ca-store
%endif %endif
%else %else
@ -507,8 +505,8 @@ export LDFLAGS="%{build_ldflags}"
--shared-zlib \ --shared-zlib \
--without-dtrace \ --without-dtrace \
--with-intl=small-icu \ --with-intl=small-icu \
--openssl-use-def-ca-store \ --debug-nghttp2 \
--openssl-default-cipher-list=PROFILE=SYSTEM --openssl-use-def-ca-store
%else %else
./configure --prefix=%{_prefix} \ ./configure --prefix=%{_prefix} \
--shared-openssl \ --shared-openssl \
@ -518,8 +516,8 @@ export LDFLAGS="%{build_ldflags}"
--with-dtrace \ --with-dtrace \
--with-intl=%{icu_flag} \ --with-intl=%{icu_flag} \
--with-icu-default-data-dir=%{icudatadir} \ --with-icu-default-data-dir=%{icudatadir} \
--openssl-use-def-ca-store \ --debug-nghttp2 \
--openssl-default-cipher-list=PROFILE=SYSTEM --openssl-use-def-ca-store
%endif %endif
%endif %endif
@ -872,42 +870,14 @@ end
%changelog %changelog
* Mon Aug 16 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.5-1
- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940,
- CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
- Resolves RHBZ#1951621 (make FIPS always available)
- Resolves: RHBZ#1988595, RHBZ#1993992, RHBZ#1993989, RHBZ#1993093
- Resolves: RHBZ#1994025, RHBZ#1994403, RHBZ#1994407, RHBZ#1994399
- Resolves: RHBZ#1993927 (make FIPS always available)
* Mon Aug 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-3
- Resolves CVE-2021-23362 CVE-2021-27290
- Resolves: RHBZ#1991584, RHBZ#1991578
- Add missing CVE trackers
* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-2
- Resolves: RHBZ#1980031, RHBZ#1978201
- Fix typo, BR systemtap-sdt-level always, remove y18n patch
* Wed Jul 07 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-1
- Resolves: RHBZ#1980031, RHBZ#1978201
- Resolves #1952915
- Resolves CVE-2021-22918(libuv), use system cipher list
* Tue Mar 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.21.0-1
- Resolves: RHBZ#1932316, RHBZ#1932365
- remove --debug-nghttp2 option
- remove ini patch
- Backport patch to use getauxval
* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1 * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1
- Security rebase for January security release - Security rebase for January security release
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
- Resolves: RHBZ#1913000, RHBZ#1912952 - Resolves: RHBZ#1916460, RHBZ#1914786
- Resolves: RHBZ#1912635, RHBZ#1893984 - Resolves: RHBZ#1914784, RHBZ#1916396
* Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1 * Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1
- Resolves: RHBZ#1861602, #1874302, #1898598, #1898765 - Resolves: RHBZ#1901044, #1901045, #1901046, #1901047
- c-ares, ajv and y18n CVEs and yarn installability issues - c-ares, ajv and y18n CVEs and yarn installability issues
* Mon Oct 05 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.4-2 * Mon Oct 05 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.4-2
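Review bot: The new side of all four `./configure` invocations replaces `--openssl-default-cipher-list=PROFILE=SYSTEM` with `--debug-nghttp2`, which drops the system crypto-policy cipher selection and switches nghttp2 back to a debug build; the removed changelog entries ("use system cipher list", "remove --debug-nghttp2 option") record both as deliberate 12.22.x changes. Together with the version macros moving from 12.22.5 to 12.20.1 and the dropped changelog lines for CVE-2021-22930, 22931, 22939, 22940, 23343, 32803, 32804 and 3672, this looks like an import applied out of order, so the spec as committed would build a release without those fixes. If the 12.20.1 state is really meant to be the tip, the `--openssl-default-cipher-list=PROFILE=SYSTEM \` line should at least be retained in each branch, and the new Patch4/Patch5 entries need matching application in `%prep` unless it uses `%autosetup`, which is outside this diff.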


@ -1,2 +1,2 @@
SHA1 (icu4c-67_1-src.tgz) = 6822a4a94324d1ba591b3e8ef084e4491af253c1 SHA1 (icu4c-67_1-src.tgz) = 6822a4a94324d1ba591b3e8ef084e4491af253c1
SHA1 (node-v12.22.5-stripped.tar.gz) = bb98afb22215e659a77853964f7575da6b1535e3 SHA1 (node-v12.20.1-stripped.tar.gz) = f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896