import nodejs-12.19.1-1.module+el8.3.0+8851+b7b41ca0

2020-12-15 11:06:34 -05:00 · 2020-12-15 11:06:34 -05:00 · b8a823347f
commit b8a823347f
parent 5a0ed320d2
6 changed files with 59 additions and 123 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.18.4-stripped.tar.gz
+SOURCES/node-v12.19.1-stripped.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,2 +1,2 @@
 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
-31bb163dc0d11a30767ce9b71f1283d9b8d93903 SOURCES/node-v12.18.4-stripped.tar.gz
+c838aed4904d8632d98d75deaa623b259d0f4c20 SOURCES/node-v12.19.1-stripped.tar.gz
--- a/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
+++ b/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
@ -1,106 +0,0 @@
 From 9473adba9cba6767e8e506f8f19e0ff8f66920be Mon Sep 17 00:00:00 2001
 From: Marco Carini <cmdcarini@gmail.com>
 Date: Mon, 3 Aug 2020 17:16:07 -0500
 Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116
 Adjusted from
 https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587.patch
 Signed-off-by: rpm-build <rpm-build>
 ---
 deps/npm/node_modules/dot-prop/index.js     | 18 ++++++++++++++++++
 deps/npm/node_modules/dot-prop/package.json |  6 +++---
 deps/npm/node_modules/dot-prop/readme.md    |  2 ++
 3 files changed, 23 insertions(+), 3 deletions(-)
 diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js
 index 15282bb..189831c 100644
 --- a/deps/npm/node_modules/dot-prop/index.js
 +++ b/deps/npm/node_modules/dot-prop/index.js
@@ -1,6 +1,14 @@
 'use strict';
 const isObj = require('is-obj');
 +const disallowedKeys = [
 +	'__proto__',
 +	'prototype',
 +	'constructor'
 +];
 +
 +const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
 +
 function getPathSegments(path) {
 	const pathArr = path.split('.');
 	const parts = [];
@@ -16,6 +24,10 @@ function getPathSegments(path) {
 		parts.push(p);
 	}
 +	if (!isValidPath(parts)) {
 +		return [];
 +	}
 +
 	return parts;
 }
@@ -26,6 +38,9 @@ module.exports = {
 		}
 		const pathArr = getPathSegments(path);
 +		if (pathArr.length === 0) {
 +			return;
 +		}
 		for (let i = 0; i < pathArr.length; i++) {
 			if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
@@ -58,6 +73,9 @@ module.exports = {
 		const root = obj;
 		const pathArr = getPathSegments(path);
 +		if (pathArr.length === 0) {
 +			return;
 +		}
 		for (let i = 0; i < pathArr.length; i++) {
 			const p = pathArr[i];
 diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json
 index 40fefa3..93daf7d 100644
 --- a/deps/npm/node_modules/dot-prop/package.json
 +++ b/deps/npm/node_modules/dot-prop/package.json
@@ -37,9 +37,9 @@
   "deprecated": false,
   "description": "Get, set, or delete a property from a nested object using a dot path",
   "devDependencies": {
 -    "ava": "*",
 +    "ava": "1.4.1",
     "matcha": "^0.7.0",
 -    "xo": "*"
 +    "xo": "0.24.0"
   },
   "engines": {
     "node": ">=4"
@@ -73,7 +73,7 @@
     "bench": "matcha bench.js",
     "test": "xo && ava"
   },
 -  "version": "4.2.0",
 +  "version": "4.2.1",
   "xo": {
     "esnext": true
   }
 diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md
 index fab3b7a..0e18f78 100644
 --- a/deps/npm/node_modules/dot-prop/readme.md
 +++ b/deps/npm/node_modules/dot-prop/readme.md
@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.
 Use `\\.` if you have a `.` in the key.
 +The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
 +
 #### value
 Type: `any`
 -- 
 2.26.2
--- a/SOURCES/0004-CVE-2020-15366-nodejs-ajv-ignore-proto-properties.patch
+++ b/SOURCES/0004-CVE-2020-15366-nodejs-ajv-ignore-proto-properties.patch
@ -0,0 +1,24 @@
 From 8ba0309b6c0c976241f5db056b344260acf674d9 Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
 Date: Fri, 30 Oct 2020 13:51:33 +0100
 Subject: [PATCH] CVE-2020-15366-nodejs-ajv-ignore-proto-properties
 ---
 deps/npm/node_modules/ajv/lib/dot/dependencies.jst | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/deps/npm/node_modules/ajv/lib/dot/dependencies.jst b/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
 index c41f334224..7403105d4b 100644
 --- a/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
 +++ b/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
@@ -19,6 +19,7 @@
     , $ownProperties = it.opts.ownProperties;
   for ($property in $schema) {
 +    if ($property == '__proto__') continue;
     var $sch = $schema[$property];
     var $deps = Array.isArray($sch) ? $propertyDeps : $schemaDeps;
     $deps[$property] = $sch;
 -- 
 2.26.2
--- a/SOURCES/0005-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+++ b/SOURCES/0005-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
@ -0,0 +1,13 @@
 diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
 index d720681628..727362aac0 100644
 --- a/deps/npm/node_modules/y18n/index.js
 +++ b/deps/npm/node_modules/y18n/index.js
@@ -11,7 +11,7 @@ function Y18N (opts) {
   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
   // internal stuff.
 -  this.cache = {}
 +  this.cache = Object.create(null)
   this.writeQueue = []
 }
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -18,7 +18,7 @@
 # This is used by both the nodejs package and the npm subpackage thar
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 2
+%global baserelease 1
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -29,8 +29,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 12
-%global nodejs_minor 18
+%global nodejs_minor 19
-%global nodejs_patch 4
+%global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -75,7 +75,7 @@
 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
-%global libuv_minor 38
+%global libuv_minor 39
 %global libuv_patch 0
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
@ -106,13 +106,13 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 6
+%global npm_patch 8
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
 %global uvwasi_minor 0
-%global uvwasi_patch 9
+%global uvwasi_patch 10
 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
 # histogram_c - assumed from timestamps
@ -124,7 +124,7 @@
 # brotli - from deps/brotli/c/common/version.h
 %global brotli_major 1
 %global brotli_minor 0
-%global brotli_patch 7
+%global brotli_patch 9
 %global brotli_version %{brotli_major}.%{brotli_minor}.%{brotli_patch}
 # In order to avoid needing to keep incrementing the release version for the
@ -167,8 +167,9 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 %endif
-# Fix for CVE-2020-8116
+# Fixes for CVEs
-Patch3: 0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
+Patch4: 0004-CVE-2020-15366-nodejs-ajv-ignore-proto-properties.patch
 Patch5: 0005-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
 BuildRequires: python2-devel
 BuildRequires: python3-devel
@ -492,9 +493,9 @@ export LDFLAGS="%{build_ldflags}"
           --with-icu-default-data-dir=%{icudatadir} \
           --debug-nghttp2 \
           --openssl-use-def-ca-store
-%endif # if bootstrap
+%endif
-%else # if shared_brotli == 0
+%else
 %if %{with bootstrap}
 ./configure --prefix=%{_prefix} \
@ -515,7 +516,7 @@ export LDFLAGS="%{build_ldflags}"
           --with-icu-default-data-dir=%{icudatadir} \
           --debug-nghttp2 \
           --openssl-use-def-ca-store
-%endif # if bootstrap
+%endif
 %endif
@ -867,8 +868,12 @@ end
 %changelog
 * Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1
 - Resolves: RHBZ#1901044, #1901045, #1901046, #1901047
 - c-ares, ajv and y18n CVEs and yarn installability issues
 * Mon Oct 05 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.4-2
- Resolves: RHBZ#1883966 - nodejs-devel not installable due to missing brotli
+- Fix RHBZ#1856776 - nodejs-devel not installable due to missing brotli
 - Some spec fixes
 * Tue Sep 22 2020 Jan Staněk <jstanek@redhat.com> - 12.18.4-1
@ -881,11 +886,11 @@ end
 - Rebase
 - Spec clean up
 - Provide i18n package, bundle icu
- Resolves: RHBZ#1845310, RHBZ#1845691
+- Resolves: RHBZ#1845311, RHBZ#1845692
 * Thu Jun 18 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.0-1
 - Security update to 12.18.0
- Resolves: RHBZ#1845310, RHBZ#1845691
+- Resolves: RHBZ#1845311, RHBZ#1845692
 * Tue Mar 17 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.16.1-2
 - Fix CVE-2020-10531
`@ -1,2 +1,2 @@`
	`SOURCES/icu4c-67_1-src.tgz`	`SOURCES/icu4c-67_1-src.tgz`
	`SOURCES/node-v12.18.4-stripped.tar.gz`	`SOURCES/node-v12.19.1-stripped.tar.gz`
`@ -1,2 +1,2 @@`
	`6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz`	`6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz`
	`31bb163dc0d11a30767ce9b71f1283d9b8d93903 SOURCES/node-v12.18.4-stripped.tar.gz`	`c838aed4904d8632d98d75deaa623b259d0f4c20 SOURCES/node-v12.19.1-stripped.tar.gz`