Import rpm: 5f3231ffa3973cb363730af5f8847502649183c7

2023-02-23 13:02:28 -05:00 · 2023-02-23 13:02:28 -05:00 · a4a034c5de
commit a4a034c5de
parent 3abc566790
6 changed files with 139 additions and 61 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.22.5-stripped.tar.gz
+SOURCES/node-v12.20.1-stripped.tar.gz
--- a/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+++ b/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
@ -0,0 +1,13 @@
+diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
+index d720681628..727362aac0 100644
+--- a/deps/npm/node_modules/y18n/index.js
+++ b/deps/npm/node_modules/y18n/index.js
+@@ -11,7 +11,7 @@ function Y18N (opts) {
+   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
+ 
+   // internal stuff.
+-  this.cache = {}
+  this.cache = Object.create(null)
+   this.writeQueue = []
+ }
+ 
--- a/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+++ b/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
@ -0,0 +1,99 @@
+From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
+From: isaacs <i@izs.me>
+Date: Tue, 8 Dec 2020 14:21:50 -0800
+Subject: [PATCH] do not allow invalid hazardous string as section name
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/ini/ini.js        |  8 +++++
+ deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+ create mode 100644 deps/npm/node_modules/ini/test/proto.js
+
+diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
+index 590195d..0401258 100644
+--- a/deps/npm/node_modules/ini/ini.js
+++ b/deps/npm/node_modules/ini/ini.js
+@@ -80,6 +80,12 @@ function decode (str) {
+     if (!match) return
+     if (match[1] !== undefined) {
+       section = unsafe(match[1])
+      if (section === '__proto__') {
+        // not allowed
+        // keep parsing the section, but don't attach it.
+        p = {}
+        return
+      }
+       p = out[section] = out[section] || {}
+       return
+     }
+@@ -94,6 +100,7 @@ function decode (str) {
+     // Convert keys with '[]' suffix to an array
+     if (key.length > 2 && key.slice(-2) === '[]') {
+       key = key.substring(0, key.length - 2)
+      if (key === '__proto__') return
+       if (!p[key]) {
+         p[key] = []
+       } else if (!Array.isArray(p[key])) {
+@@ -125,6 +132,7 @@ function decode (str) {
+     var l = parts.pop()
+     var nl = l.replace(/\\\./g, '.')
+     parts.forEach(function (part, _, __) {
+      if (part === '__proto__') return
+       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+       p = p[part]
+     })
+diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
+new file mode 100644
+index 0000000..ab35533
+--- /dev/null
+++ b/deps/npm/node_modules/ini/test/proto.js
+@@ -0,0 +1,45 @@
+var ini = require('../')
+var t = require('tap')
+
+var data = `
+__proto__ = quux
+foo = baz
+[__proto__]
+foo = bar
+[other]
+foo = asdf
+[kid.__proto__.foo]
+foo = kid
+[arrproto]
+hello = snyk
+__proto__[] = you did a good job
+__proto__[] = so you deserve arrays
+thanks = true
+`
+var res = ini.parse(data)
+t.deepEqual(res, {
+  foo: 'baz',
+  other: {
+    foo: 'asdf',
+  },
+  kid: {
+    foo: {
+      foo: 'kid',
+    },
+  },
+  arrproto: {
+    hello: 'snyk',
+    thanks: true,
+  },
+})
+t.equal(res.__proto__, Object.prototype)
+t.equal(res.kid.__proto__, Object.prototype)
+t.equal(res.kid.foo.__proto__, Object.prototype)
+t.equal(res.arrproto.__proto__, Object.prototype)
+t.equal(Object.prototype.foo, undefined)
+t.equal(Object.prototype[0], undefined)
+t.equal(Object.prototype['0'], undefined)
+t.equal(Object.prototype[1], undefined)
+t.equal(Object.prototype['1'], undefined)
+t.equal(Array.prototype[0], undefined)
+t.equal(Array.prototype[1], undefined)
+--
+2.29.2
+
--- a/nodejs-tarball.sh
+++ b/nodejs-tarball.sh
@ -185,19 +185,15 @@ echo "punycode"
 echo "========================="
 grep "'version'" node-v${version}/lib/punycode.js
 echo
-echo "npm"
-echo "========================="
-grep "\"version\":" node-v${version}/deps/npm/package.json
-echo
 echo "uvwasi"
 echo "========================="
 grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h
 echo
-echo "brotli"
+echo "npm"
 echo "========================="
-grep "#define BROTLI_VERSION" node-v${version}/deps/brotli/c/common/version.h
+grep "\"version\":" node-v${version}/deps/npm/package.json
 echo
 echo "Make sure these versions match what is in the RPM spec file"

--- a/nodejs.spec
+++ b/nodejs.spec
@ -29,8 +29,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 12
-%global nodejs_minor 22
-%global nodejs_patch 5
+%global nodejs_minor 20
+%global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -57,8 +57,8 @@
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
 %global c_ares_major 1
-%global c_ares_minor 17
-%global c_ares_patch 2
+%global c_ares_minor 16
+%global c_ares_patch 1
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}

 # http-parser - from deps/http_parser/http_parser.h
@ -106,7 +106,7 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 14
+%global npm_patch 10
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}

 # uvwasi - from deps/uvwasi/include/uvwasi.h
@ -167,16 +167,12 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 %endif

-# Upstream patch to use getauxval
-Patch3: 0003-src-use-getauxval-in-node_main.cc.patch
+# CVE-2020-7774
+Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch

-# Make FIPS always available
-#  https://github.com/nodejs/node/issues/34903
-Patch4: 0004-always-available-fips-options.patch
+# CVE-2020-7788
+Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch

-Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch
-
-BuildRequires: make
 BuildRequires: python2-devel
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
@ -188,13 +184,13 @@ BuildRequires: gcc-c++ >= 6.3.0
 BuildRequires: nodejs-packaging
 BuildRequires: chrpath
 BuildRequires: libatomic
-BuildRequires: systemtap-sdt-devel

 %if %{with bootstrap}
 Provides: bundled(http-parser) = %{http_parser_version}
 Provides: bundled(libuv) = %{libuv_version}
 Provides: bundled(nghttp2) = %{nghttp2_version}
 %else
+BuildRequires: systemtap-sdt-devel
 BuildRequires: libuv-devel >= 1:%{libuv_version}
 Requires: libuv >= 1:%{libuv_version}
 BuildRequires: libnghttp2-devel >= %{nghttp2_version}
@ -458,6 +454,7 @@ export LDFLAGS="%{build_ldflags}"
 #           --shared-brotli \
 #           --without-dtrace \
 #           --with-intl=small-icu \
+#           --debug-nghttp2 \
 #           --openssl-use-def-ca-store
 #%else
 #./configure --prefix=%{_prefix} \
@ -467,6 +464,7 @@ export LDFLAGS="%{build_ldflags}"
 #           --shared-zlib \
 #           --shared-brotli \
 #           --shared-libuv \
+#           --shared-nghttp2 \
 #           --with-dtrace \
 #           --with-intl=%{icu_flag} \
 #           --with-icu-default-data-dir=%{icudatadir} \
@ -483,8 +481,8 @@ export LDFLAGS="%{build_ldflags}"
           --shared-brotli \
           --without-dtrace \
           --with-intl=small-icu \
-           --openssl-use-def-ca-store \
-           --openssl-default-cipher-list=PROFILE=SYSTEM
+           --debug-nghttp2 \
+           --openssl-use-def-ca-store
 %else
 ./configure --prefix=%{_prefix} \
           --shared-openssl \
@ -495,8 +493,8 @@ export LDFLAGS="%{build_ldflags}"
           --with-dtrace \
           --with-intl=%{icu_flag} \
           --with-icu-default-data-dir=%{icudatadir} \
-           --openssl-use-def-ca-store \
-           --openssl-default-cipher-list=PROFILE=SYSTEM
+           --debug-nghttp2 \
+           --openssl-use-def-ca-store
 %endif

 %else
@ -507,8 +505,8 @@ export LDFLAGS="%{build_ldflags}"
           --shared-zlib \
           --without-dtrace \
           --with-intl=small-icu \
-           --openssl-use-def-ca-store \
-           --openssl-default-cipher-list=PROFILE=SYSTEM
+           --debug-nghttp2 \
+           --openssl-use-def-ca-store
 %else
 ./configure --prefix=%{_prefix} \
           --shared-openssl \
@ -518,8 +516,8 @@ export LDFLAGS="%{build_ldflags}"
           --with-dtrace \
           --with-intl=%{icu_flag} \
           --with-icu-default-data-dir=%{icudatadir} \
-           --openssl-use-def-ca-store \
-           --openssl-default-cipher-list=PROFILE=SYSTEM
+           --debug-nghttp2 \
+           --openssl-use-def-ca-store
 %endif

 %endif
@ -872,42 +870,14 @@ end


 %changelog
-* Mon Aug 16 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.5-1
- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940,
- CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
- Resolves RHBZ#1951621 (make FIPS always available)
- Resolves: RHBZ#1988595, RHBZ#1993992, RHBZ#1993989, RHBZ#1993093
- Resolves: RHBZ#1994025, RHBZ#1994403, RHBZ#1994407, RHBZ#1994399
- Resolves: RHBZ#1993927 (make FIPS always available)
-
-* Mon Aug 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-3
- Resolves CVE-2021-23362 CVE-2021-27290
- Resolves: RHBZ#1991584, RHBZ#1991578
- Add missing CVE trackers
-
-* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-2
- Resolves: RHBZ#1980031, RHBZ#1978201
- Fix typo, BR systemtap-sdt-level always, remove y18n patch
-
-* Wed Jul 07 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-1
- Resolves: RHBZ#1980031, RHBZ#1978201
- Resolves #1952915
- Resolves CVE-2021-22918(libuv), use system cipher list
-
-* Tue Mar 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.21.0-1
- Resolves: RHBZ#1932316, RHBZ#1932365
- remove --debug-nghttp2 option
- remove ini patch
- Backport patch to use getauxval
-
 * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1
 - Security rebase for January security release
 - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
- Resolves: RHBZ#1913000, RHBZ#1912952
- Resolves: RHBZ#1912635, RHBZ#1893984
+- Resolves: RHBZ#1916460, RHBZ#1914786
+- Resolves: RHBZ#1914784, RHBZ#1916396

 * Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1
- Resolves: RHBZ#1861602, #1874302, #1898598, #1898765
+- Resolves: RHBZ#1901044, #1901045, #1901046, #1901047
 - c-ares, ajv and y18n CVEs and yarn installability issues

 * Mon Oct 05 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.4-2
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA1 (icu4c-67_1-src.tgz) = 6822a4a94324d1ba591b3e8ef084e4491af253c1
-SHA1 (node-v12.22.5-stripped.tar.gz) = bb98afb22215e659a77853964f7575da6b1535e3
+SHA1 (node-v12.20.1-stripped.tar.gz) = f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896