import nodejs-14.18.2-2.module+el8.5.0+13644+8d46dafd
parent
f62bbd7515
commit
b73b1e76e3
74
SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch
Normal file
74
SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch
Normal file
@ -0,0 +1,74 @@
|
||||
From e040864f2797b9c705bac5862581d5f190510e04 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Thu, 9 Dec 2021 15:48:46 +0100
|
||||
Subject: [PATCH] deps(ansi-regex): fix potential ReDoS
|
||||
|
||||
This is the upstream fix [1] applied to all applicable bundled deps.
|
||||
|
||||
[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
|
||||
|
||||
Fixes: CVE-2021-3807
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js | 2 +-
|
||||
.../node_modules/string-width/node_modules/ansi-regex/index.js | 2 +-
|
||||
.../npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js | 2 +-
|
||||
deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js | 2 +-
|
||||
4 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
|
||||
index c254480..9e37ec3 100644
|
||||
--- a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
|
||||
+++ b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
|
||||
@@ -6,7 +6,7 @@ module.exports = options => {
|
||||
}, options);
|
||||
|
||||
const pattern = [
|
||||
- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
|
||||
+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
|
||||
'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
|
||||
].join('|');
|
||||
|
||||
diff --git a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
|
||||
index c4aaecf..7d32201 100644
|
||||
--- a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
|
||||
+++ b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
module.exports = () => {
|
||||
const pattern = [
|
||||
- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)',
|
||||
+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
|
||||
'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))'
|
||||
].join('|');
|
||||
|
||||
diff --git a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
|
||||
index c254480..9e37ec3 100644
|
||||
--- a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
|
||||
+++ b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
|
||||
@@ -6,7 +6,7 @@ module.exports = options => {
|
||||
}, options);
|
||||
|
||||
const pattern = [
|
||||
- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
|
||||
+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
|
||||
'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
|
||||
].join('|');
|
||||
|
||||
diff --git a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
|
||||
index c254480..9e37ec3 100644
|
||||
--- a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
|
||||
+++ b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
|
||||
@@ -6,7 +6,7 @@ module.exports = options => {
|
||||
}, options);
|
||||
|
||||
const pattern = [
|
||||
- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
|
||||
+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
|
||||
'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
|
||||
].join('|');
|
||||
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
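Review bot: In the string-width section the replacement line does more than restructure the quantifiers: the removed pattern allowed only `[a-zA-Z\\d]` after each `;`, while the added one uses the wider class `[-a-zA-Z\\d\\/#&.:=?%@~_]` shared with the cliui, wrap-ansi and yargs copies, so this copy now matches sequences it previously did not. That looks intentional, since the second pattern line keeps that copy's own `[\\dA-PRZcf-ntqry=><~]` final-byte class, but the patch description only says the upstream fix was applied; I would add a line such as `string-width's copy appears to be an older release and also picks up the wider parameter character class from the upstream fix`. Separately, "all applicable bundled deps" cannot be checked from the four paths listed here, so searching the unpacked tree for the old `[a-zA-Z\\d]*(?:;` fragment during the build would show whether any other vendored ansi-regex copy was left unpatched.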
@ -0,0 +1,73 @@
|
||||
From 25661e4fc0e7c6a3d47bc189f886af76b1ecafa1 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Thu, 9 Dec 2021 13:01:08 +0100
|
||||
Subject: [PATCH] deps(json-schema): protect against prototype pollution
|
||||
|
||||
Amalgamation of the following upstream patches:
|
||||
https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
|
||||
https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a
|
||||
https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa
|
||||
|
||||
Fixes: CVE-2021-3918
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
.../node_modules/json-schema/lib/validate.js | 4 +--
|
||||
.../node_modules/json-schema/test/tests.js | 28 ++++++++++++++++++-
|
||||
2 files changed, 29 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/deps/npm/node_modules/json-schema/lib/validate.js b/deps/npm/node_modules/json-schema/lib/validate.js
|
||||
index 4b61088..d05ee86 100644
|
||||
--- a/deps/npm/node_modules/json-schema/lib/validate.js
|
||||
+++ b/deps/npm/node_modules/json-schema/lib/validate.js
|
||||
@@ -209,8 +209,8 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O
|
||||
}
|
||||
|
||||
for(var i in objTypeDef){
|
||||
- if(objTypeDef.hasOwnProperty(i)){
|
||||
- var value = instance[i];
|
||||
+ if(objTypeDef.hasOwnProperty(i) && i != '__proto__' && i != 'constructor'){
|
||||
+ var value = instance.hasOwnProperty(i) ? instance[i] : undefined;
|
||||
// skip _not_ specified properties
|
||||
if (value === undefined && options.existingOnly) continue;
|
||||
var propDef = objTypeDef[i];
|
||||
diff --git a/deps/npm/node_modules/json-schema/test/tests.js b/deps/npm/node_modules/json-schema/test/tests.js
|
||||
index 40eeda5..70f515a 100644
|
||||
--- a/deps/npm/node_modules/json-schema/test/tests.js
|
||||
+++ b/deps/npm/node_modules/json-schema/test/tests.js
|
||||
@@ -91,5 +91,31 @@ var suite = vows.describe('JSON Schema').addBatch({
|
||||
|
||||
'Json-Ref self-validates': assertSelfValidates('json-ref'),
|
||||
'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'),
|
||||
- 'Json-Ref/Core': assertValidates('json-ref', 'schema')
|
||||
+ 'Json-Ref/Core': assertValidates('json-ref', 'schema'),
|
||||
+ prototypePollution: function() {
|
||||
+ console.log('testing')
|
||||
+ const instance = JSON.parse(`
|
||||
+ {
|
||||
+ "$schema":{
|
||||
+ "type": "object",
|
||||
+ "properties":{
|
||||
+ "__proto__": {
|
||||
+ "type": "object",
|
||||
+
|
||||
+ "properties":{
|
||||
+ "polluted": {
|
||||
+ "type": "string",
|
||||
+ "default": "polluted"
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ },
|
||||
+ "__proto__": {}
|
||||
+ }
|
||||
+ }`);
|
||||
+
|
||||
+ const a = {};
|
||||
+ validate(instance);
|
||||
+ assert.equal(a.polluted, undefined);
|
||||
+ }
|
||||
}).export(module);
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
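Review bot: The added `instance.hasOwnProperty(i)` in validate.js is looked up on the object being validated, so an instance that carries its own `hasOwnProperty` key, or one created without a prototype, makes the call throw instead of answering the ownership question. The same applies to the existing `objTypeDef.hasOwnProperty(i)` on the line above it. Calling the builtin directly avoids that: `var value = Object.prototype.hasOwnProperty.call(instance, i) ? instance[i] : undefined;`. In tests.js the new `prototypePollution` case still contains `console.log('testing')`, which looks like leftover debugging output. The body of `validate` continues outside the hunk, so whether `instance` is already guaranteed to be a non-null object at this point cannot be confirmed from here.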
@ -15,7 +15,7 @@
|
||||
# This is used by both the nodejs package and the npm subpackage thar
|
||||
# has a separate version - the name is special so that rpmdev-bumpspec
|
||||
# will bump this rather than adding .1 to the end.
|
||||
%global baserelease 1
|
||||
%global baserelease 2
|
||||
|
||||
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -169,6 +169,9 @@ Patch2: 0002-Install-both-binaries-and-use-libdir.patch
|
||||
# https://github.com/nodejs/node/issues/34903
|
||||
Patch3: 0004-always-available-fips-options.patch
|
||||
|
||||
Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch
|
||||
Patch5: 0002-deps-json-schema-protect-against-prototype-pollution.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: zlib-devel
|
||||
@ -826,6 +829,10 @@ end
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Dec 13 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-2
|
||||
- Add missing fixes
|
||||
- Resolves: RHBZ#2027642, RHBZ#2027635
|
||||
|
||||
* Wed Dec 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-1
|
||||
- Resolves: RHBZ#2027609
|
||||
- Resolves: RHBZ#2027649, RHBZ#2027646, RHBZ#2027642, RHBZ#2027635
|
||||
|