import UBI nodejs-18.19.1-1.module+el8.9.0+21387+21356dec

This commit is contained in:
eabdullin 2024-03-27 08:30:53 +00:00
parent dd9269f339
commit b69ad8e187
4 changed files with 101 additions and 12 deletions

4
.gitignore vendored
View File

@ -1,5 +1,5 @@
SOURCES/cjs-module-lexer-1.2.2.tar.gz SOURCES/cjs-module-lexer-1.2.2.tar.gz
SOURCES/icu4c-73_2-src.tgz SOURCES/icu4c-73_2-src.tgz
SOURCES/node-v18.19.0-stripped.tar.gz SOURCES/node-v18.19.1-stripped.tar.gz
SOURCES/undici-5.26.4.tar.gz SOURCES/undici-5.28.3.tar.gz
SOURCES/wasi-sdk-11.0-linux.tar.gz SOURCES/wasi-sdk-11.0-linux.tar.gz

View File

@ -1,5 +1,5 @@
36854f5860acf4b3f8ef8a08cd4240c81c8ae013 SOURCES/cjs-module-lexer-1.2.2.tar.gz 164f7f39841415284b0280a648c43bd7ea1615ac SOURCES/cjs-module-lexer-1.2.2.tar.gz
3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz 3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz
c69a172b2581c261302571428b05c10135df9744 SOURCES/node-v18.19.0-stripped.tar.gz 7962d96e7c1517cf7b34395fc582b32b8acebe3a SOURCES/node-v18.19.1-stripped.tar.gz
5c172763ce7f53f407172585e2460430bf2e9c2a SOURCES/undici-5.26.4.tar.gz b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz
ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz

View File

@ -0,0 +1,83 @@
From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
From: Michael Dawson <midawson@redhat.com>
Date: Fri, 23 Feb 2024 13:43:56 +0100
Subject: [PATCH] Disable FIPS options
On RHEL, FIPS should be configured only on system level.
Additionally, the related options may cause segfault when used on RHEL.
This patch causes the option processing to end sooner
than the problematic code gets executed.
Additionally, the JS-level options to mess with FIPS settings
are similarly disabled.
Upstream report: https://github.com/nodejs/node/pull/48950
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
Customer case: https://access.redhat.com/support/cases/#/case/03711488
---
lib/crypto.js | 10 ++++++++++
lib/internal/errors.js | 6 ++++++
src/crypto/crypto_util.cc | 2 ++
3 files changed, 18 insertions(+)
diff --git a/lib/crypto.js b/lib/crypto.js
index 41adecc..b2627ac 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -36,6 +36,9 @@ const {
assertCrypto();
const {
+ // RHEL specific error
+ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
+
ERR_CRYPTO_FIPS_FORCED,
} = require('internal/errors').codes;
const constants = internalBinding('constants').crypto;
@@ -251,6 +254,13 @@ function getFips() {
}
function setFips(val) {
+ // in RHEL FIPS enable/disable should only be done at system level
+ if (getFips() != val) {
+ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
+ } else {
+ return;
+ }
+
if (getOptionValue('--force-fips')) {
if (val) return;
throw new ERR_CRYPTO_FIPS_FORCED();
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
index a722360..04d8a53 100644
--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
@@ -1060,6 +1060,12 @@ module.exports = {
//
// Note: Node.js specific errors must begin with the prefix ERR_
+// insert RHEL specific erro
+E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
+ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
+ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
+ Error);
+
E('ERR_ACCESS_DENIED',
'Access to this API has been restricted. Permission: %s',
Error);
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 5734d8f..ef9d1b1 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
/* Override FIPS settings in configuration file, if needed. */
if (per_process::cli_options->enable_fips_crypto ||
per_process::cli_options->force_fips_crypto) {
+ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
+ return false;
#if OPENSSL_VERSION_MAJOR >= 3
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
if (fips_provider == nullptr)
--
2.43.2

View File

@ -42,7 +42,7 @@
%global nodejs_epoch 1 %global nodejs_epoch 1
%global nodejs_major 18 %global nodejs_major 18
%global nodejs_minor 19 %global nodejs_minor 19
%global nodejs_patch 0 %global nodejs_patch 1
%global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 108 %global nodejs_soversion 108
@ -68,7 +68,7 @@
%global c_ares_version 1.20.1 %global c_ares_version 1.20.1
# llhttp - from deps/llhttp/include/llhttp.h # llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_version 6.0.11 %global llhttp_version 6.1.0
# libuv - from deps/uv/include/uv/version.h # libuv - from deps/uv/include/uv/version.h
%global libuv_major 1 %global libuv_major 1
@ -132,7 +132,7 @@
# npm - from deps/npm/package.json # npm - from deps/npm/package.json
%global npm_epoch 1 %global npm_epoch 1
%global npm_version 10.2.3 %global npm_version 10.2.4
# In order to avoid needing to keep incrementing the release version for the # In order to avoid needing to keep incrementing the release version for the
# main package forever, we will just construct one for npm that is guaranteed # main package forever, we will just construct one for npm that is guaranteed
@ -141,7 +141,7 @@
%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release} %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
# Node.js 16.9.1 and later comes with an experimental package management tool # Node.js 16.9.1 and later comes with an experimental package management tool
%global corepack_version 0.10.0 %global corepack_version 0.22.0
# uvwasi - from deps/uvwasi/include/uvwasi.h # uvwasi - from deps/uvwasi/include/uvwasi.h
%global uvwasi_version 0.0.19 %global uvwasi_version 0.0.19
@ -190,13 +190,14 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
# Version: jq '.version' deps/undici/src/package.json # Version: jq '.version' deps/undici/src/package.json
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.26.4.tar.gz # Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
# Adjustments: rm -f undici-5.26.4/lib/llhttp/llhttp*.wasm # Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm
# Build uses alpine image, see alpine for sources for wasi-sdk # Build uses alpine image, see alpine for sources for wasi-sdk
Source111: undici-5.26.4.tar.gz Source111: undici-5.28.3.tar.gz
# Disable running gyp on bundled deps we don't use # Disable running gyp on bundled deps we don't use
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch3: nodejs-fips-disable-options.patch
BuildRequires: make BuildRequires: make
BuildRequires: python3-devel BuildRequires: python3-devel
@ -731,6 +732,11 @@ end
%changelog %changelog
* Wed Feb 21 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:18.19.1-1
- Rebase to version 18.19.1
- Fix FIPS handling of the cmd-line options (RHBZ#2226726)
- Resolves: RHEL-26691 RHEL-26016 RHEL-26648
* Fri Jan 19 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:18.19.0-1 * Fri Jan 19 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:18.19.0-1
- Rebase to version 18.19.0 - Rebase to version 18.19.0
- Resolves: RHEL-21439 - Resolves: RHEL-21439