import nodejs-14.18.2-2.module+el8.5.0+13644+8d46dafd

2021-12-15 09:49:14 +00:00 · 2021-12-15 09:49:14 +00:00 · b73b1e76e3
parent f62bbd7515
commit b73b1e76e3
3 changed files with 155 additions and 1 deletions
--- a/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch
+++ b/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch
@ -0,0 +1,74 @@
+From e040864f2797b9c705bac5862581d5f190510e04 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 9 Dec 2021 15:48:46 +0100
+Subject: [PATCH] deps(ansi-regex): fix potential ReDoS
+
+This is the upstream fix [1] applied to all applicable bundled deps.
+
+[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
+
+Fixes: CVE-2021-3807
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js    | 2 +-
+ .../node_modules/string-width/node_modules/ansi-regex/index.js  | 2 +-
+ .../npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js | 2 +-
+ deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js    | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
+index c254480..9e37ec3 100644
+--- a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
+++ b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
+@@ -6,7 +6,7 @@ module.exports = options => {
+ 	}, options);
+ 
+ 	const pattern = [
+-		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
+ 	].join('|');
+ 
+diff --git a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
+index c4aaecf..7d32201 100644
+--- a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
+++ b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
+@@ -2,7 +2,7 @@
+ 
+ module.exports = () => {
+ 	const pattern = [
+-		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)',
+		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))'
+ 	].join('|');
+ 
+diff --git a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
+index c254480..9e37ec3 100644
+--- a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
+++ b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
+@@ -6,7 +6,7 @@ module.exports = options => {
+ 	}, options);
+ 
+ 	const pattern = [
+-		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
+ 	].join('|');
+ 
+diff --git a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
+index c254480..9e37ec3 100644
+--- a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
+++ b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
+@@ -6,7 +6,7 @@ module.exports = options => {
+ 	}, options);
+ 
+ 	const pattern = [
+-		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
+ 	].join('|');
+ 
+-- 
+2.33.1
+
+
--- a/SOURCES/0002-deps-json-schema-protect-against-prototype-pollution.patch
+++ b/SOURCES/0002-deps-json-schema-protect-against-prototype-pollution.patch
@ -0,0 +1,73 @@
+From 25661e4fc0e7c6a3d47bc189f886af76b1ecafa1 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 9 Dec 2021 13:01:08 +0100
+Subject: [PATCH] deps(json-schema): protect against prototype pollution
+
+Amalgamation of the following upstream patches:
+https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
+https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a
+https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa
+
+Fixes: CVE-2021-3918
+Signed-off-by: rpm-build <rpm-build>
+---
+ .../node_modules/json-schema/lib/validate.js  |  4 +--
+ .../node_modules/json-schema/test/tests.js    | 28 ++++++++++++++++++-
+ 2 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/deps/npm/node_modules/json-schema/lib/validate.js b/deps/npm/node_modules/json-schema/lib/validate.js
+index 4b61088..d05ee86 100644
+--- a/deps/npm/node_modules/json-schema/lib/validate.js
+++ b/deps/npm/node_modules/json-schema/lib/validate.js
+@@ -209,8 +209,8 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O
+ 			}
+ 
+ 			for(var i in objTypeDef){
+-				if(objTypeDef.hasOwnProperty(i)){
+-					var value = instance[i];
+				if(objTypeDef.hasOwnProperty(i) && i != '__proto__' && i != 'constructor'){
+					var value = instance.hasOwnProperty(i) ? instance[i] : undefined;
+ 					// skip _not_ specified properties
+ 					if (value === undefined && options.existingOnly) continue;
+ 					var propDef = objTypeDef[i];
+diff --git a/deps/npm/node_modules/json-schema/test/tests.js b/deps/npm/node_modules/json-schema/test/tests.js
+index 40eeda5..70f515a 100644
+--- a/deps/npm/node_modules/json-schema/test/tests.js
+++ b/deps/npm/node_modules/json-schema/test/tests.js
+@@ -91,5 +91,31 @@ var suite = vows.describe('JSON Schema').addBatch({
+ 
+     'Json-Ref self-validates': assertSelfValidates('json-ref'),
+     'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'),
+-    'Json-Ref/Core': assertValidates('json-ref', 'schema')
+    'Json-Ref/Core': assertValidates('json-ref', 'schema'),
+    prototypePollution: function() {
+        console.log('testing')
+        const instance = JSON.parse(`
+        {
+        "$schema":{
+            "type": "object",
+            "properties":{
+            "__proto__": {
+                "type": "object",
+                
+                "properties":{
+                "polluted": {
+                    "type": "string",
+                    "default": "polluted"
+                }
+                }
+            }
+            },
+            "__proto__": {}
+        }
+        }`);
+                                            
+        const a = {};
+        validate(instance);
+        assert.equal(a.polluted, undefined);
+    }
+ }).export(module);
+-- 
+2.33.1
+
+
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -15,7 +15,7 @@
 # This is used by both the nodejs package and the npm subpackage thar
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 2

 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}

@ -169,6 +169,9 @@ Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 # https://github.com/nodejs/node/issues/34903
 Patch3: 0004-always-available-fips-options.patch

+Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch
+Patch5: 0002-deps-json-schema-protect-against-prototype-pollution.patch
+
 BuildRequires: make
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
@ -826,6 +829,10 @@ end


 %changelog
+* Mon Dec 13 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-2
+- Add missing fixes
+- Resolves: RHBZ#2027642, RHBZ#2027635
+
 * Wed Dec 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-1
 - Resolves: RHBZ#2027609
 - Resolves: RHBZ#2027649, RHBZ#2027646, RHBZ#2027642, RHBZ#2027635