import nodejs-12.19.1-1.module+el8.3.0+8851+b7b41ca0

2020-12-15 11:06:34 -05:00 · 2020-12-15 11:06:34 -05:00 · b8a823347f
parent 5a0ed320d2
commit b8a823347f
6 changed files with 59 additions and 123 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.18.4-stripped.tar.gz
+SOURCES/node-v12.19.1-stripped.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,2 +1,2 @@
 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
-31bb163dc0d11a30767ce9b71f1283d9b8d93903 SOURCES/node-v12.18.4-stripped.tar.gz
+c838aed4904d8632d98d75deaa623b259d0f4c20 SOURCES/node-v12.19.1-stripped.tar.gz
--- a/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
+++ b/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
@ -1,106 +0,0 @@
-From 9473adba9cba6767e8e506f8f19e0ff8f66920be Mon Sep 17 00:00:00 2001
-From: Marco Carini <cmdcarini@gmail.com>
-Date: Mon, 3 Aug 2020 17:16:07 -0500
-Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116
-
-Adjusted from
-https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587.patch
-
-Signed-off-by: rpm-build <rpm-build>
---
- deps/npm/node_modules/dot-prop/index.js     | 18 ++++++++++++++++++
- deps/npm/node_modules/dot-prop/package.json |  6 +++---
- deps/npm/node_modules/dot-prop/readme.md    |  2 ++
- 3 files changed, 23 insertions(+), 3 deletions(-)
-
-diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js
-index 15282bb..189831c 100644
--- a/deps/npm/node_modules/dot-prop/index.js
-+++ b/deps/npm/node_modules/dot-prop/index.js
-@@ -1,6 +1,14 @@
- 'use strict';
- const isObj = require('is-obj');
- 
-+const disallowedKeys = [
-+	'__proto__',
-+	'prototype',
-+	'constructor'
-+];
-+
-+const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
-+
- function getPathSegments(path) {
- 	const pathArr = path.split('.');
- 	const parts = [];
-@@ -16,6 +24,10 @@ function getPathSegments(path) {
- 		parts.push(p);
- 	}
- 
-+	if (!isValidPath(parts)) {
-+		return [];
-+	}
-+
- 	return parts;
- }
- 
-@@ -26,6 +38,9 @@ module.exports = {
- 		}
- 
- 		const pathArr = getPathSegments(path);
-+		if (pathArr.length === 0) {
-+			return;
-+		}
- 
- 		for (let i = 0; i < pathArr.length; i++) {
- 			if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
-@@ -58,6 +73,9 @@ module.exports = {
- 
- 		const root = obj;
- 		const pathArr = getPathSegments(path);
-+		if (pathArr.length === 0) {
-+			return;
-+		}
- 
- 		for (let i = 0; i < pathArr.length; i++) {
- 			const p = pathArr[i];
-diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json
-index 40fefa3..93daf7d 100644
--- a/deps/npm/node_modules/dot-prop/package.json
-+++ b/deps/npm/node_modules/dot-prop/package.json
-@@ -37,9 +37,9 @@
-   "deprecated": false,
-   "description": "Get, set, or delete a property from a nested object using a dot path",
-   "devDependencies": {
-    "ava": "*",
-+    "ava": "1.4.1",
-     "matcha": "^0.7.0",
-    "xo": "*"
-+    "xo": "0.24.0"
-   },
-   "engines": {
-     "node": ">=4"
-@@ -73,7 +73,7 @@
-     "bench": "matcha bench.js",
-     "test": "xo && ava"
-   },
-  "version": "4.2.0",
-+  "version": "4.2.1",
-   "xo": {
-     "esnext": true
-   }
-diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md
-index fab3b7a..0e18f78 100644
--- a/deps/npm/node_modules/dot-prop/readme.md
-+++ b/deps/npm/node_modules/dot-prop/readme.md
-@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.
- 
- Use `\\.` if you have a `.` in the key.
- 
-+The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
-+
- #### value
- 
- Type: `any`
-- 
-2.26.2
-
--- a/SOURCES/0004-CVE-2020-15366-nodejs-ajv-ignore-proto-properties.patch
+++ b/SOURCES/0004-CVE-2020-15366-nodejs-ajv-ignore-proto-properties.patch
@ -0,0 +1,24 @@
+From 8ba0309b6c0c976241f5db056b344260acf674d9 Mon Sep 17 00:00:00 2001
+From: Zuzana Svetlikova <zsvetlik@redhat.com>
+Date: Fri, 30 Oct 2020 13:51:33 +0100
+Subject: [PATCH] CVE-2020-15366-nodejs-ajv-ignore-proto-properties
+
+---
+ deps/npm/node_modules/ajv/lib/dot/dependencies.jst | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/deps/npm/node_modules/ajv/lib/dot/dependencies.jst b/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
+index c41f334224..7403105d4b 100644
+--- a/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
+++ b/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
+@@ -19,6 +19,7 @@
+     , $ownProperties = it.opts.ownProperties;
+ 
+   for ($property in $schema) {
+    if ($property == '__proto__') continue;
+     var $sch = $schema[$property];
+     var $deps = Array.isArray($sch) ? $propertyDeps : $schemaDeps;
+     $deps[$property] = $sch;
+-- 
+2.26.2
+
--- a/SOURCES/0005-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+++ b/SOURCES/0005-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
@ -0,0 +1,13 @@
+diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
+index d720681628..727362aac0 100644
+--- a/deps/npm/node_modules/y18n/index.js
+++ b/deps/npm/node_modules/y18n/index.js
+@@ -11,7 +11,7 @@ function Y18N (opts) {
+   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
+ 
+   // internal stuff.
+-  this.cache = {}
+  this.cache = Object.create(null)
+   this.writeQueue = []
+ }
+ 
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -18,7 +18,7 @@
 # This is used by both the nodejs package and the npm subpackage thar
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 2
+%global baserelease 1

 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}

@ -29,8 +29,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 12
-%global nodejs_minor 18
-%global nodejs_patch 4
+%global nodejs_minor 19
+%global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -75,7 +75,7 @@

 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
-%global libuv_minor 38
+%global libuv_minor 39
 %global libuv_patch 0
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}

@ -106,13 +106,13 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 6
+%global npm_patch 8
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}

 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
 %global uvwasi_minor 0
-%global uvwasi_patch 9
+%global uvwasi_patch 10
 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}

 # histogram_c - assumed from timestamps
@ -124,7 +124,7 @@
 # brotli - from deps/brotli/c/common/version.h
 %global brotli_major 1
 %global brotli_minor 0
-%global brotli_patch 7
+%global brotli_patch 9
 %global brotli_version %{brotli_major}.%{brotli_minor}.%{brotli_patch}

 # In order to avoid needing to keep incrementing the release version for the
@ -167,8 +167,9 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 %endif

-# Fix for CVE-2020-8116
-Patch3: 0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
+# Fixes for CVEs
+Patch4: 0004-CVE-2020-15366-nodejs-ajv-ignore-proto-properties.patch
+Patch5: 0005-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch

 BuildRequires: python2-devel
 BuildRequires: python3-devel
@ -492,9 +493,9 @@ export LDFLAGS="%{build_ldflags}"
           --with-icu-default-data-dir=%{icudatadir} \
           --debug-nghttp2 \
           --openssl-use-def-ca-store
-%endif # if bootstrap
+%endif

-%else # if shared_brotli == 0
+%else

 %if %{with bootstrap}
 ./configure --prefix=%{_prefix} \
@ -515,7 +516,7 @@ export LDFLAGS="%{build_ldflags}"
           --with-icu-default-data-dir=%{icudatadir} \
           --debug-nghttp2 \
           --openssl-use-def-ca-store
-%endif # if bootstrap
+%endif

 %endif

@ -867,8 +868,12 @@ end


 %changelog
+* Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1
+- Resolves: RHBZ#1901044, #1901045, #1901046, #1901047
+- c-ares, ajv and y18n CVEs and yarn installability issues
+
 * Mon Oct 05 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.4-2
- Resolves: RHBZ#1883966 - nodejs-devel not installable due to missing brotli
+- Fix RHBZ#1856776 - nodejs-devel not installable due to missing brotli
 - Some spec fixes

 * Tue Sep 22 2020 Jan Staněk <jstanek@redhat.com> - 12.18.4-1
@ -881,11 +886,11 @@ end
 - Rebase
 - Spec clean up
 - Provide i18n package, bundle icu
- Resolves: RHBZ#1845310, RHBZ#1845691
+- Resolves: RHBZ#1845311, RHBZ#1845692

 * Thu Jun 18 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.0-1
 - Security update to 12.18.0
- Resolves: RHBZ#1845310, RHBZ#1845691
+- Resolves: RHBZ#1845311, RHBZ#1845692

 * Tue Mar 17 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.16.1-2
 - Fix CVE-2020-10531