rpms
/
nodejs
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import nodejs-12.20.1-1.module+el8.3.0+9503+19cb079c

This commit is contained in:
CentOS Sources 2021-01-19 08:11:33 +00:00 committed by Andrew Lukoshko
parent 50d49cd886
commit cb47b0e1d7
6 changed files with 217 additions and 147 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/icu4c-67_1-src.tgz
SOURCES/node-v12.18.4-stripped.tar.gz
SOURCES/node-v12.20.1-stripped.tar.gz

2
.nodejs.metadata
View File

@ -1,2 +1,2 @@
6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
31bb163dc0d11a30767ce9b71f1283d9b8d93903 SOURCES/node-v12.18.4-stripped.tar.gz
f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896 SOURCES/node-v12.20.1-stripped.tar.gz

106
SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
View File

@ -1,106 +0,0 @@
From 9473adba9cba6767e8e506f8f19e0ff8f66920be Mon Sep 17 00:00:00 2001
From: Marco Carini <cmdcarini@gmail.com>
Date: Mon, 3 Aug 2020 17:16:07 -0500
Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116
Adjusted from
https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587.patch
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/dot-prop/index.js | 18 ++++++++++++++++++
deps/npm/node_modules/dot-prop/package.json | 6 +++---
deps/npm/node_modules/dot-prop/readme.md | 2 ++
3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js
index 15282bb..189831c 100644
--- a/deps/npm/node_modules/dot-prop/index.js
+++ b/deps/npm/node_modules/dot-prop/index.js
@@ -1,6 +1,14 @@
'use strict';
const isObj = require('is-obj');
+const disallowedKeys = [
+ '__proto__',
+ 'prototype',
+ 'constructor'
+];
+
+const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
+
function getPathSegments(path) {
const pathArr = path.split('.');
const parts = [];
@@ -16,6 +24,10 @@ function getPathSegments(path) {
parts.push(p);
}
+ if (!isValidPath(parts)) {
+ return [];
+ }
+
return parts;
}
@@ -26,6 +38,9 @@ module.exports = {
}
const pathArr = getPathSegments(path);
+ if (pathArr.length === 0) {
+ return;
+ }
for (let i = 0; i < pathArr.length; i++) {
if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
@@ -58,6 +73,9 @@ module.exports = {
const root = obj;
const pathArr = getPathSegments(path);
+ if (pathArr.length === 0) {
+ return;
+ }
for (let i = 0; i < pathArr.length; i++) {
const p = pathArr[i];
diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json
index 40fefa3..93daf7d 100644
--- a/deps/npm/node_modules/dot-prop/package.json
+++ b/deps/npm/node_modules/dot-prop/package.json
@@ -37,9 +37,9 @@
"deprecated": false,
"description": "Get, set, or delete a property from a nested object using a dot path",
"devDependencies": {
- "ava": "*",
+ "ava": "1.4.1",
"matcha": "^0.7.0",
- "xo": "*"
+ "xo": "0.24.0"
},
"engines": {
"node": ">=4"
@@ -73,7 +73,7 @@
"bench": "matcha bench.js",
"test": "xo && ava"
},
- "version": "4.2.0",
+ "version": "4.2.1",
"xo": {
"esnext": true
}
diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md
index fab3b7a..0e18f78 100644
--- a/deps/npm/node_modules/dot-prop/readme.md
+++ b/deps/npm/node_modules/dot-prop/readme.md
@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.
Use `\\.` if you have a `.` in the key.
+The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
+
#### value
Type: `any`
--
2.26.2

13
SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
index d720681628..727362aac0 100644
--- a/deps/npm/node_modules/y18n/index.js
+++ b/deps/npm/node_modules/y18n/index.js
@@ -11,7 +11,7 @@ function Y18N (opts) {
this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
// internal stuff.
- this.cache = {}
+ this.cache = Object.create(null)
this.writeQueue = []
}

99
SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch Normal file
View File

@ -0,0 +1,99 @@
From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
From: isaacs <i@izs.me>
Date: Tue, 8 Dec 2020 14:21:50 -0800
Subject: [PATCH] do not allow invalid hazardous string as section name
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/ini/ini.js | 8 +++++
deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 deps/npm/node_modules/ini/test/proto.js
diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
index 590195d..0401258 100644
--- a/deps/npm/node_modules/ini/ini.js
+++ b/deps/npm/node_modules/ini/ini.js
@@ -80,6 +80,12 @@ function decode (str) {
if (!match) return
if (match[1] !== undefined) {
section = unsafe(match[1])
+ if (section === '__proto__') {
+ // not allowed
+ // keep parsing the section, but don't attach it.
+ p = {}
+ return
+ }
p = out[section] = out[section] || {}
return
}
@@ -94,6 +100,7 @@ function decode (str) {
// Convert keys with '[]' suffix to an array
if (key.length > 2 && key.slice(-2) === '[]') {
key = key.substring(0, key.length - 2)
+ if (key === '__proto__') return
if (!p[key]) {
p[key] = []
} else if (!Array.isArray(p[key])) {
@@ -125,6 +132,7 @@ function decode (str) {
var l = parts.pop()
var nl = l.replace(/\\\./g, '.')
parts.forEach(function (part, _, __) {
+ if (part === '__proto__') return
if (!p[part] || typeof p[part] !== 'object') p[part] = {}
p = p[part]
})
diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
new file mode 100644
index 0000000..ab35533
--- /dev/null
+++ b/deps/npm/node_modules/ini/test/proto.js
@@ -0,0 +1,45 @@
+var ini = require('../')
+var t = require('tap')
+
+var data = `
+__proto__ = quux
+foo = baz
+[__proto__]
+foo = bar
+[other]
+foo = asdf
+[kid.__proto__.foo]
+foo = kid
+[arrproto]
+hello = snyk
+__proto__[] = you did a good job
+__proto__[] = so you deserve arrays
+thanks = true
+`
+var res = ini.parse(data)
+t.deepEqual(res, {
+ foo: 'baz',
+ other: {
+ foo: 'asdf',
+ },
+ kid: {
+ foo: {
+ foo: 'kid',
+ },
+ },
+ arrproto: {
+ hello: 'snyk',
+ thanks: true,
+ },
+})
+t.equal(res.__proto__, Object.prototype)
+t.equal(res.kid.__proto__, Object.prototype)
+t.equal(res.kid.foo.__proto__, Object.prototype)
+t.equal(res.arrproto.__proto__, Object.prototype)
+t.equal(Object.prototype.foo, undefined)
+t.equal(Object.prototype[0], undefined)
+t.equal(Object.prototype['0'], undefined)
+t.equal(Object.prototype[1], undefined)
+t.equal(Object.prototype['1'], undefined)
+t.equal(Array.prototype[0], undefined)
+t.equal(Array.prototype[1], undefined)
--
2.29.2

142
SPECS/nodejs.spec
View File

@ -1,6 +1,10 @@
%global with_debug 0
%global with_libs 0
# set to 1 for RHEL >= 8.3
# RHBZ#1856776 - brotli needed for nodejs-devel is not available
%bcond_with shared_brotli
# PowerPC, s390x and aarch64 segfault during Debug builds
# https://github.com/nodejs/node/issues/20642
%ifarch %{power64} s390x aarch64
@ -25,8 +29,8 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 12
%global nodejs_minor 18
%global nodejs_patch 4
%global nodejs_minor 20
%global nodejs_patch 1
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%if %{?with_libs} == 1
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -54,24 +58,24 @@
# https://github.com/nodejs/node/pull/9332
%global c_ares_major 1
%global c_ares_minor 16
%global c_ares_patch 0
%global c_ares_patch 1
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
# http-parser - from deps/http_parser/http_parser.h
%global http_parser_major 2
%global http_parser_minor 9
%global http_parser_patch 3
%global http_parser_patch 4
%global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch}
# llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_major 2
%global llhttp_minor 1
%global llhttp_patch 2
%global llhttp_patch 3
%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
# libuv - from deps/uv/include/uv/version.h
%global libuv_major 1
%global libuv_minor 38
%global libuv_minor 40
%global libuv_patch 0
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
@ -102,13 +106,13 @@
%global npm_epoch 1
%global npm_major 6
%global npm_minor 14
%global npm_patch 6
%global npm_patch 10
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# uvwasi - from deps/uvwasi/include/uvwasi.h
%global uvwasi_major 0
%global uvwasi_minor 0
%global uvwasi_patch 9
%global uvwasi_patch 11
%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
# histogram_c - assumed from timestamps
@ -117,6 +121,12 @@
%global histogram_patch 7
%global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
# brotli - from deps/brotli/c/common/version.h
%global brotli_major 1
%global brotli_minor 0
%global brotli_patch 9
%global brotli_version %{brotli_major}.%{brotli_minor}.%{brotli_patch}
# In order to avoid needing to keep incrementing the release version for the
# main package forever, we will just construct one for npm that is guaranteed
# to increment safely. Changing this can only be done during an update when the
@ -157,13 +167,15 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch2: 0002-Install-both-binaries-and-use-libdir.patch
%endif
# Fix for CVE-2020-8116
Patch3: 0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
# CVE-2020-7774
Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
# CVE-2020-7788
Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
BuildRequires: python2-devel
BuildRequires: python3-devel
BuildRequires: zlib-devel
BuildRequires: brotli-devel
BuildRequires: gcc >= 6.3.0
BuildRequires: gcc-c++ >= 6.3.0
# needed to generate bundled provides for npm dependencies
@ -183,12 +195,18 @@ BuildRequires: libuv-devel >= 1:%{libuv_version}
Requires: libuv >= 1:%{libuv_version}
BuildRequires: libnghttp2-devel >= %{nghttp2_version}
Requires: libnghttp2 >= %{nghttp2_version}
%endif
# Temporarily bundle http-parser and llhttp because the latter
# isn't packaged yet and they are controlled by the same
# configure flag.
Provides: bundled(http-parser) = %{http_parser_version}
Provides: bundled(llhttp) = %{llhttp_version}
%if %{with shared_brotli}
BuildRequires: brotli-devel
%else
Provides: bundled(brotli) = %{brotli_version}
%endif
BuildRequires: openssl-devel
@ -275,7 +293,9 @@ Group: Development/Languages
Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
Requires: openssl-devel%{?_isa}
Requires: zlib-devel%{?_isa}
%if %{with shared_brotli}
Requires: brotli-devel%{?_isa}
%endif
Requires: nodejs-packaging
%if %{with bootstrap}
@ -376,7 +396,9 @@ The API documentation for the Node.js JavaScript runtime.
# remove bundled dependencies that we aren't building
rm -rf deps/zlib
%if %{with shared_brotli}
rm -rf deps/brotli
%endif
# Replace any instances of unversioned python' with python2
pathfix.py -i %{__python2} -pn $(find -type f ! -name "*.js")
@ -420,34 +442,38 @@ export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')"
export LDFLAGS="%{build_ldflags}"
%if %{?with_libs} == 1
%if %{with bootstrap}
./configure --prefix=%{_prefix} \
--shared \
--libdir=%{_lib} \
--shared-openssl \
--shared-zlib \
--shared-brotli \
--without-dtrace \
--with-intl=small-icu \
--debug-nghttp2 \
--openssl-use-def-ca-store
%else
./configure --prefix=%{_prefix} \
--shared \
--libdir=%{_lib} \
--shared-openssl \
--shared-zlib \
--shared-brotli \
--shared-libuv \
--shared-nghttp2 \
--with-dtrace \
--with-intl=%{icu_flag} \
--with-icu-default-data-dir=%{icudatadir} \
--debug-nghttp2 \
--openssl-use-def-ca-store
%endif
%else
# we're not building with libs in RHEL, so let's comment this out
# for the sake of readability
#%if %{?with_libs} == 1
#%if %{with bootstrap}
#./configure --prefix=%{_prefix} \
# --shared \
# --libdir=%{_lib} \
# --shared-openssl \
# --shared-zlib \
# --shared-brotli \
# --without-dtrace \
# --with-intl=small-icu \
# --debug-nghttp2 \
# --openssl-use-def-ca-store
#%else
#./configure --prefix=%{_prefix} \
# --shared \
# --libdir=%{_lib} \
# --shared-openssl \
# --shared-zlib \
# --shared-brotli \
# --shared-libuv \
# --shared-nghttp2 \
# --with-dtrace \
# --with-intl=%{icu_flag} \
# --with-icu-default-data-dir=%{icudatadir} \
# --debug-nghttp2 \
# --openssl-use-def-ca-store
#%endif
%if %{with shared_brotli}
%if %{with bootstrap}
./configure --prefix=%{_prefix} \
--shared-openssl \
@ -470,6 +496,30 @@ export LDFLAGS="%{build_ldflags}"
--debug-nghttp2 \
--openssl-use-def-ca-store
%endif
%else
%if %{with bootstrap}
./configure --prefix=%{_prefix} \
--shared-openssl \
--shared-zlib \
--without-dtrace \
--with-intl=small-icu \
--debug-nghttp2 \
--openssl-use-def-ca-store
%else
./configure --prefix=%{_prefix} \
--shared-openssl \
--shared-zlib \
--shared-libuv \
--shared-nghttp2 \
--with-dtrace \
--with-intl=%{icu_flag} \
--with-icu-default-data-dir=%{icudatadir} \
--debug-nghttp2 \
--openssl-use-def-ca-store
%endif
%endif
%if %{?with_debug} == 1
@ -820,6 +870,20 @@ end
%changelog
* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1
- Security rebase for January security release
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
- Resolves: RHBZ#1916460, RHBZ#1914786
- Resolves: RHBZ#1914784, RHBZ#1916396
* Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1
- Resolves: RHBZ#1901044, #1901045, #1901046, #1901047
- c-ares, ajv and y18n CVEs and yarn installability issues
* Mon Oct 05 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.4-2
- Fix RHBZ#1856776 - nodejs-devel not installable due to missing brotli
- Some spec fixes
* Tue Sep 22 2020 Jan Staněk <jstanek@redhat.com> - 12.18.4-1
- Rebase to 12.18.4