From a4f1a01202e8728a233e14c7e2202776158457ed Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 21 Jun 2022 07:48:34 -0400 Subject: [PATCH] import nodejs-12.22.12-1.module+el8.6.0+15324+1f2c5d8d --- .gitignore | 2 +- .nodejs.metadata | 2 +- ...005-CVE-2021-23343-nodejs-path-parse.patch | 180 ------------------ SPECS/nodejs.spec | 40 ++-- 4 files changed, 25 insertions(+), 199 deletions(-) delete mode 100644 SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch diff --git a/.gitignore b/.gitignore index d8fc543..fd2a6fe 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/icu4c-67_1-src.tgz -SOURCES/node-v12.22.5-stripped.tar.gz +SOURCES/node-v12.22.12-stripped.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index c0867c1..2416ae1 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,2 @@ 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz -bb98afb22215e659a77853964f7575da6b1535e3 SOURCES/node-v12.22.5-stripped.tar.gz +49c907b1445701724914a0571bf6be62a25583af SOURCES/node-v12.22.12-stripped.tar.gz diff --git a/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch b/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch deleted file mode 100644 index 201721d..0000000 --- a/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch +++ /dev/null @@ -1,180 +0,0 @@ -https://github.com/jbgutierrez/path-parse/pull/10 - -From 72c38e3a36b8ed2ec03960ac659aa114cbe6a420 Mon Sep 17 00:00:00 2001 -From: Jeffrey Pinyan -Date: Thu, 13 May 2021 10:53:50 -0400 -Subject: [PATCH 1/2] fixed regexes to avoid ReDoS attacks - -Signed-off-by: rpm-build ---- - deps/npm/node_modules/path-parse/index.js | 6 +++--- - deps/npm/node_modules/path-parse/redos.js | 20 ++++++++++++++++++++ - 2 files changed, 23 insertions(+), 3 deletions(-) - create mode 100644 deps/npm/node_modules/path-parse/redos.js - -diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js -index 3b7601f..e6b2af1 100644 ---- a/deps/npm/node_modules/path-parse/index.js -+++ b/deps/npm/node_modules/path-parse/index.js -@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32'; - // Regex to split a windows path into three parts: [*, device, slash, - // tail] windows-only - var splitDeviceRe = -- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/; -+ /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s; - - // Regex to split the tail part of the above into [*, dir, basename, ext] - var splitTailRe = -- /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; -+ /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; - - var win32 = {}; - -@@ -51,7 +51,7 @@ win32.parse = function(pathString) { - // Split a filename into [root, dir, basename, ext], unix version - // 'root' is just a slash, or nothing. - var splitPathRe = -- /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; -+ /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; - var posix = {}; - - -diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js -new file mode 100644 -index 0000000..261947f ---- /dev/null -+++ b/deps/npm/node_modules/path-parse/redos.js -@@ -0,0 +1,20 @@ -+var pathParse = require('.'); -+ -+function build_attack(n) { -+ var ret = "" -+ for (var i = 0; i < n; i++) { -+ ret += "/" -+ } -+ return ret + "◎"; -+} -+ -+for(var i = 1; i <= 5000000; i++) { -+ if (i % 10000 == 0) { -+ var time = Date.now(); -+ var attack_str = build_attack(i) -+ pathParse.posix(attack_str); -+ pathParse.win32(attack_str); -+ var time_cost = Date.now() - time; -+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") -+ } -+} --- -2.31.1 - - -From 44d1c9cd047988bb819707c726d9640f8aabe04d Mon Sep 17 00:00:00 2001 -From: Jeffrey Pinyan -Date: Thu, 13 May 2021 11:51:45 -0400 -Subject: [PATCH 2/2] streamlined regexes, simplified parse() returns - -Signed-off-by: rpm-build ---- - deps/npm/node_modules/path-parse/index.js | 52 ++++++++--------------- - 1 file changed, 17 insertions(+), 35 deletions(-) - -diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js -index e6b2af1..f062d0a 100644 ---- a/deps/npm/node_modules/path-parse/index.js -+++ b/deps/npm/node_modules/path-parse/index.js -@@ -2,29 +2,14 @@ - - var isWindows = process.platform === 'win32'; - --// Regex to split a windows path into three parts: [*, device, slash, --// tail] windows-only --var splitDeviceRe = -- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s; -- --// Regex to split the tail part of the above into [*, dir, basename, ext] --var splitTailRe = -- /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; -+// Regex to split a windows path into into [dir, root, basename, name, ext] -+var splitWindowsRe = -+ /^(((?:[a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/]*[\\\/])*)((\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))[\\\/]*$/; - - var win32 = {}; - --// Function to split a filename into [root, dir, basename, ext] - function win32SplitPath(filename) { -- // Separate device+slash from tail -- var result = splitDeviceRe.exec(filename), -- device = (result[1] || '') + (result[2] || ''), -- tail = result[3] || ''; -- // Split the tail into dir, basename and extension -- var result2 = splitTailRe.exec(tail), -- dir = result2[1], -- basename = result2[2], -- ext = result2[3]; -- return [device, dir, basename, ext]; -+ return splitWindowsRe.exec(filename).slice(1); - } - - win32.parse = function(pathString) { -@@ -34,24 +19,24 @@ win32.parse = function(pathString) { - ); - } - var allParts = win32SplitPath(pathString); -- if (!allParts || allParts.length !== 4) { -+ if (!allParts || allParts.length !== 5) { - throw new TypeError("Invalid path '" + pathString + "'"); - } - return { -- root: allParts[0], -- dir: allParts[0] + allParts[1].slice(0, -1), -+ root: allParts[1], -+ dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1), - base: allParts[2], -- ext: allParts[3], -- name: allParts[2].slice(0, allParts[2].length - allParts[3].length) -+ ext: allParts[4], -+ name: allParts[3] - }; - }; - - - --// Split a filename into [root, dir, basename, ext], unix version -+// Split a filename into [dir, root, basename, name, ext], unix version - // 'root' is just a slash, or nothing. - var splitPathRe = -- /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; -+ /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/; - var posix = {}; - - -@@ -67,19 +52,16 @@ posix.parse = function(pathString) { - ); - } - var allParts = posixSplitPath(pathString); -- if (!allParts || allParts.length !== 4) { -+ if (!allParts || allParts.length !== 5) { - throw new TypeError("Invalid path '" + pathString + "'"); - } -- allParts[1] = allParts[1] || ''; -- allParts[2] = allParts[2] || ''; -- allParts[3] = allParts[3] || ''; -- -+ - return { -- root: allParts[0], -- dir: allParts[0] + allParts[1].slice(0, -1), -+ root: allParts[1], -+ dir: allParts[0].slice(0, -1), - base: allParts[2], -- ext: allParts[3], -- name: allParts[2].slice(0, allParts[2].length - allParts[3].length) -+ ext: allParts[4], -+ name: allParts[3], - }; - }; - --- -2.31.1 - diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 28a459a..76271b4 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -30,7 +30,7 @@ %global nodejs_epoch 1 %global nodejs_major 12 %global nodejs_minor 22 -%global nodejs_patch 5 +%global nodejs_patch 12 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %if %{?with_libs} == 1 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -57,8 +57,8 @@ # c-ares - from deps/cares/include/ares_version.h # https://github.com/nodejs/node/pull/9332 %global c_ares_major 1 -%global c_ares_minor 17 -%global c_ares_patch 2 +%global c_ares_minor 18 +%global c_ares_patch 1 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} # http-parser - from deps/http_parser/http_parser.h @@ -70,7 +70,7 @@ # llhttp - from deps/llhttp/include/llhttp.h %global llhttp_major 2 %global llhttp_minor 1 -%global llhttp_patch 3 +%global llhttp_patch 4 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch} # libuv - from deps/uv/include/uv/version.h @@ -106,7 +106,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 14 +%global npm_patch 16 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -174,8 +174,6 @@ Patch3: 0003-src-use-getauxval-in-node_main.cc.patch # https://github.com/nodejs/node/issues/34903 Patch4: 0004-always-available-fips-options.patch -Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch - BuildRequires: make BuildRequires: python2-devel BuildRequires: python3-devel @@ -467,6 +465,7 @@ export LDFLAGS="%{build_ldflags}" # --shared-zlib \ # --shared-brotli \ # --shared-libuv \ +# --shared-nghttp2 \ # --with-dtrace \ # --with-intl=%{icu_flag} \ # --with-icu-default-data-dir=%{icudatadir} \ @@ -872,30 +871,37 @@ end %changelog +* Mon May 16 2022 Zuzana Svetlikova - 1:12.22.12-1 +- Resolves: RHBZ#2084651 +- Resolves: #2086773, #2086777, #2086781, #2086786, #2086790 +- Resolves: #2086795, #2086799, #2086804, #2086809, #2086813 +- Rebase to last v12.x release +- Remove patch for CVE-2021-23343 + * Mon Aug 16 2021 Zuzana Svetlikova - 1:12.22.5-1 - Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, -- CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672 -- Resolves RHBZ#1951621 (make FIPS always available) -- Resolves: RHBZ#1988595, RHBZ#1993992, RHBZ#1993989, RHBZ#1993093 -- Resolves: RHBZ#1994025, RHBZ#1994403, RHBZ#1994407, RHBZ#1994399 -- Resolves: RHBZ#1993927 (make FIPS always available) +- Resolves CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672 +- Resolves: RHBZ#1951621 (make FIPS always available) +- Resolves: RHBZ#1988596, RHBZ#1993814, RHBZ#1993808, RHBZ#1993094 +- Resolves: RHBZ#1986742, RHBZ#1993946, RHBZ#1993939, RHBZ#1989426 * Mon Aug 09 2021 Zuzana Svetlikova - 1:12.22.3-3 - Resolves CVE-2021-23362 CVE-2021-27290 -- Resolves: RHBZ#1991584, RHBZ#1991578 +- Resolves: RHBZ#1945512, RHBZ#1945286 - Add missing CVE trackers * Thu Jul 08 2021 Zuzana Svetlikova - 1:12.22.3-2 -- Resolves: RHBZ#1980031, RHBZ#1978201 +- Resolves: RHBZ#1979843, RHBZ#1977759 +- Resolves: RHBz#1952915 - Fix typo, BR systemtap-sdt-level always, remove y18n patch * Wed Jul 07 2021 Zuzana Svetlikova - 1:12.22.3-1 -- Resolves: RHBZ#1980031, RHBZ#1978201 -- Resolves #1952915 +- Resolves: RHBZ#1979843, RHBZ#1977759 +- Resolves: RHBz#1952915 - Resolves CVE-2021-22918(libuv), use system cipher list * Tue Mar 02 2021 Zuzana Svetlikova - 1:12.21.0-1 -- Resolves: RHBZ#1932316, RHBZ#1932365 +- Resolves: RHBZ#1934566, RHBZ#1934598 - remove --debug-nghttp2 option - remove ini patch - Backport patch to use getauxval