From cb47b0e1d76a9ec0c0c881e27d8f1c46218de9ba Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 19 Jan 2021 08:11:33 +0000 Subject: [PATCH] import nodejs-12.20.1-1.module+el8.3.0+9503+19cb079c --- .gitignore | 2 +- .nodejs.metadata | 2 +- ...h-4.2.0-with-fixes-for-CVE-2020-8116.patch | 106 ------------- ...8n-prototype-pollution-vulnerability.patch | 13 ++ ...o-not-allow-invalid-hazardous-string.patch | 99 ++++++++++++ SPECS/nodejs.spec | 142 +++++++++++++----- 6 files changed, 217 insertions(+), 147 deletions(-) delete mode 100644 SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch create mode 100644 SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch create mode 100644 SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch diff --git a/.gitignore b/.gitignore index 09a0bd2..3f9ed36 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/icu4c-67_1-src.tgz -SOURCES/node-v12.18.4-stripped.tar.gz +SOURCES/node-v12.20.1-stripped.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index 76a9a3f..45b7698 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,2 @@ 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz -31bb163dc0d11a30767ce9b71f1283d9b8d93903 SOURCES/node-v12.18.4-stripped.tar.gz +f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896 SOURCES/node-v12.20.1-stripped.tar.gz diff --git a/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch b/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch deleted file mode 100644 index b078f92..0000000 --- a/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 9473adba9cba6767e8e506f8f19e0ff8f66920be Mon Sep 17 00:00:00 2001 -From: Marco Carini -Date: Mon, 3 Aug 2020 17:16:07 -0500 -Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116 - -Adjusted from -https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587.patch - -Signed-off-by: rpm-build ---- - deps/npm/node_modules/dot-prop/index.js | 18 ++++++++++++++++++ - deps/npm/node_modules/dot-prop/package.json | 6 +++--- - deps/npm/node_modules/dot-prop/readme.md | 2 ++ - 3 files changed, 23 insertions(+), 3 deletions(-) - -diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js -index 15282bb..189831c 100644 ---- a/deps/npm/node_modules/dot-prop/index.js -+++ b/deps/npm/node_modules/dot-prop/index.js -@@ -1,6 +1,14 @@ - 'use strict'; - const isObj = require('is-obj'); - -+const disallowedKeys = [ -+ '__proto__', -+ 'prototype', -+ 'constructor' -+]; -+ -+const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment)); -+ - function getPathSegments(path) { - const pathArr = path.split('.'); - const parts = []; -@@ -16,6 +24,10 @@ function getPathSegments(path) { - parts.push(p); - } - -+ if (!isValidPath(parts)) { -+ return []; -+ } -+ - return parts; - } - -@@ -26,6 +38,9 @@ module.exports = { - } - - const pathArr = getPathSegments(path); -+ if (pathArr.length === 0) { -+ return; -+ } - - for (let i = 0; i < pathArr.length; i++) { - if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) { -@@ -58,6 +73,9 @@ module.exports = { - - const root = obj; - const pathArr = getPathSegments(path); -+ if (pathArr.length === 0) { -+ return; -+ } - - for (let i = 0; i < pathArr.length; i++) { - const p = pathArr[i]; -diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json -index 40fefa3..93daf7d 100644 ---- a/deps/npm/node_modules/dot-prop/package.json -+++ b/deps/npm/node_modules/dot-prop/package.json -@@ -37,9 +37,9 @@ - "deprecated": false, - "description": "Get, set, or delete a property from a nested object using a dot path", - "devDependencies": { -- "ava": "*", -+ "ava": "1.4.1", - "matcha": "^0.7.0", -- "xo": "*" -+ "xo": "0.24.0" - }, - "engines": { - "node": ">=4" -@@ -73,7 +73,7 @@ - "bench": "matcha bench.js", - "test": "xo && ava" - }, -- "version": "4.2.0", -+ "version": "4.2.1", - "xo": { - "esnext": true - } -diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md -index fab3b7a..0e18f78 100644 ---- a/deps/npm/node_modules/dot-prop/readme.md -+++ b/deps/npm/node_modules/dot-prop/readme.md -@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key. - - Use `\\.` if you have a `.` in the key. - -+The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`. -+ - #### value - - Type: `any` --- -2.26.2 - diff --git a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch new file mode 100644 index 0000000..88a9d75 --- /dev/null +++ b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch @@ -0,0 +1,13 @@ +diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js +index d720681628..727362aac0 100644 +--- a/deps/npm/node_modules/y18n/index.js ++++ b/deps/npm/node_modules/y18n/index.js +@@ -11,7 +11,7 @@ function Y18N (opts) { + this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true + + // internal stuff. +- this.cache = {} ++ this.cache = Object.create(null) + this.writeQueue = [] + } + diff --git a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch new file mode 100644 index 0000000..c2b1f3e --- /dev/null +++ b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch @@ -0,0 +1,99 @@ +From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001 +From: isaacs +Date: Tue, 8 Dec 2020 14:21:50 -0800 +Subject: [PATCH] do not allow invalid hazardous string as section name + +Signed-off-by: rpm-build +--- + deps/npm/node_modules/ini/ini.js | 8 +++++ + deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + create mode 100644 deps/npm/node_modules/ini/test/proto.js + +diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js +index 590195d..0401258 100644 +--- a/deps/npm/node_modules/ini/ini.js ++++ b/deps/npm/node_modules/ini/ini.js +@@ -80,6 +80,12 @@ function decode (str) { + if (!match) return + if (match[1] !== undefined) { + section = unsafe(match[1]) ++ if (section === '__proto__') { ++ // not allowed ++ // keep parsing the section, but don't attach it. ++ p = {} ++ return ++ } + p = out[section] = out[section] || {} + return + } +@@ -94,6 +100,7 @@ function decode (str) { + // Convert keys with '[]' suffix to an array + if (key.length > 2 && key.slice(-2) === '[]') { + key = key.substring(0, key.length - 2) ++ if (key === '__proto__') return + if (!p[key]) { + p[key] = [] + } else if (!Array.isArray(p[key])) { +@@ -125,6 +132,7 @@ function decode (str) { + var l = parts.pop() + var nl = l.replace(/\\\./g, '.') + parts.forEach(function (part, _, __) { ++ if (part === '__proto__') return + if (!p[part] || typeof p[part] !== 'object') p[part] = {} + p = p[part] + }) +diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js +new file mode 100644 +index 0000000..ab35533 +--- /dev/null ++++ b/deps/npm/node_modules/ini/test/proto.js +@@ -0,0 +1,45 @@ ++var ini = require('../') ++var t = require('tap') ++ ++var data = ` ++__proto__ = quux ++foo = baz ++[__proto__] ++foo = bar ++[other] ++foo = asdf ++[kid.__proto__.foo] ++foo = kid ++[arrproto] ++hello = snyk ++__proto__[] = you did a good job ++__proto__[] = so you deserve arrays ++thanks = true ++` ++var res = ini.parse(data) ++t.deepEqual(res, { ++ foo: 'baz', ++ other: { ++ foo: 'asdf', ++ }, ++ kid: { ++ foo: { ++ foo: 'kid', ++ }, ++ }, ++ arrproto: { ++ hello: 'snyk', ++ thanks: true, ++ }, ++}) ++t.equal(res.__proto__, Object.prototype) ++t.equal(res.kid.__proto__, Object.prototype) ++t.equal(res.kid.foo.__proto__, Object.prototype) ++t.equal(res.arrproto.__proto__, Object.prototype) ++t.equal(Object.prototype.foo, undefined) ++t.equal(Object.prototype[0], undefined) ++t.equal(Object.prototype['0'], undefined) ++t.equal(Object.prototype[1], undefined) ++t.equal(Object.prototype['1'], undefined) ++t.equal(Array.prototype[0], undefined) ++t.equal(Array.prototype[1], undefined) +-- +2.29.2 + diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 1602d84..fc6939a 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -1,6 +1,10 @@ %global with_debug 0 %global with_libs 0 +# set to 1 for RHEL >= 8.3 +# RHBZ#1856776 - brotli needed for nodejs-devel is not available +%bcond_with shared_brotli + # PowerPC, s390x and aarch64 segfault during Debug builds # https://github.com/nodejs/node/issues/20642 %ifarch %{power64} s390x aarch64 @@ -25,8 +29,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 12 -%global nodejs_minor 18 -%global nodejs_patch 4 +%global nodejs_minor 20 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %if %{?with_libs} == 1 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -54,24 +58,24 @@ # https://github.com/nodejs/node/pull/9332 %global c_ares_major 1 %global c_ares_minor 16 -%global c_ares_patch 0 +%global c_ares_patch 1 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} # http-parser - from deps/http_parser/http_parser.h %global http_parser_major 2 %global http_parser_minor 9 -%global http_parser_patch 3 +%global http_parser_patch 4 %global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch} # llhttp - from deps/llhttp/include/llhttp.h %global llhttp_major 2 %global llhttp_minor 1 -%global llhttp_patch 2 +%global llhttp_patch 3 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch} # libuv - from deps/uv/include/uv/version.h %global libuv_major 1 -%global libuv_minor 38 +%global libuv_minor 40 %global libuv_patch 0 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch} @@ -102,13 +106,13 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 6 +%global npm_patch 10 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h %global uvwasi_major 0 %global uvwasi_minor 0 -%global uvwasi_patch 9 +%global uvwasi_patch 11 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch} # histogram_c - assumed from timestamps @@ -117,6 +121,12 @@ %global histogram_patch 7 %global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch} +# brotli - from deps/brotli/c/common/version.h +%global brotli_major 1 +%global brotli_minor 0 +%global brotli_patch 9 +%global brotli_version %{brotli_major}.%{brotli_minor}.%{brotli_patch} + # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed # to increment safely. Changing this can only be done during an update when the @@ -157,13 +167,15 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch2: 0002-Install-both-binaries-and-use-libdir.patch %endif -# Fix for CVE-2020-8116 -Patch3: 0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch +# CVE-2020-7774 +Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch + +# CVE-2020-7788 +Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch BuildRequires: python2-devel BuildRequires: python3-devel BuildRequires: zlib-devel -BuildRequires: brotli-devel BuildRequires: gcc >= 6.3.0 BuildRequires: gcc-c++ >= 6.3.0 # needed to generate bundled provides for npm dependencies @@ -183,12 +195,18 @@ BuildRequires: libuv-devel >= 1:%{libuv_version} Requires: libuv >= 1:%{libuv_version} BuildRequires: libnghttp2-devel >= %{nghttp2_version} Requires: libnghttp2 >= %{nghttp2_version} +%endif # Temporarily bundle http-parser and llhttp because the latter # isn't packaged yet and they are controlled by the same # configure flag. Provides: bundled(http-parser) = %{http_parser_version} Provides: bundled(llhttp) = %{llhttp_version} + +%if %{with shared_brotli} +BuildRequires: brotli-devel +%else +Provides: bundled(brotli) = %{brotli_version} %endif BuildRequires: openssl-devel @@ -275,7 +293,9 @@ Group: Development/Languages Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} Requires: openssl-devel%{?_isa} Requires: zlib-devel%{?_isa} +%if %{with shared_brotli} Requires: brotli-devel%{?_isa} +%endif Requires: nodejs-packaging %if %{with bootstrap} @@ -376,7 +396,9 @@ The API documentation for the Node.js JavaScript runtime. # remove bundled dependencies that we aren't building rm -rf deps/zlib +%if %{with shared_brotli} rm -rf deps/brotli +%endif # Replace any instances of unversioned python' with python2 pathfix.py -i %{__python2} -pn $(find -type f ! -name "*.js") @@ -420,34 +442,38 @@ export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')" export LDFLAGS="%{build_ldflags}" -%if %{?with_libs} == 1 -%if %{with bootstrap} -./configure --prefix=%{_prefix} \ - --shared \ - --libdir=%{_lib} \ - --shared-openssl \ - --shared-zlib \ - --shared-brotli \ - --without-dtrace \ - --with-intl=small-icu \ - --debug-nghttp2 \ - --openssl-use-def-ca-store -%else -./configure --prefix=%{_prefix} \ - --shared \ - --libdir=%{_lib} \ - --shared-openssl \ - --shared-zlib \ - --shared-brotli \ - --shared-libuv \ - --shared-nghttp2 \ - --with-dtrace \ - --with-intl=%{icu_flag} \ - --with-icu-default-data-dir=%{icudatadir} \ - --debug-nghttp2 \ - --openssl-use-def-ca-store -%endif -%else +# we're not building with libs in RHEL, so let's comment this out +# for the sake of readability +#%if %{?with_libs} == 1 +#%if %{with bootstrap} +#./configure --prefix=%{_prefix} \ +# --shared \ +# --libdir=%{_lib} \ +# --shared-openssl \ +# --shared-zlib \ +# --shared-brotli \ +# --without-dtrace \ +# --with-intl=small-icu \ +# --debug-nghttp2 \ +# --openssl-use-def-ca-store +#%else +#./configure --prefix=%{_prefix} \ +# --shared \ +# --libdir=%{_lib} \ +# --shared-openssl \ +# --shared-zlib \ +# --shared-brotli \ +# --shared-libuv \ +# --shared-nghttp2 \ +# --with-dtrace \ +# --with-intl=%{icu_flag} \ +# --with-icu-default-data-dir=%{icudatadir} \ +# --debug-nghttp2 \ +# --openssl-use-def-ca-store +#%endif + +%if %{with shared_brotli} + %if %{with bootstrap} ./configure --prefix=%{_prefix} \ --shared-openssl \ @@ -470,6 +496,30 @@ export LDFLAGS="%{build_ldflags}" --debug-nghttp2 \ --openssl-use-def-ca-store %endif + +%else + +%if %{with bootstrap} +./configure --prefix=%{_prefix} \ + --shared-openssl \ + --shared-zlib \ + --without-dtrace \ + --with-intl=small-icu \ + --debug-nghttp2 \ + --openssl-use-def-ca-store +%else +./configure --prefix=%{_prefix} \ + --shared-openssl \ + --shared-zlib \ + --shared-libuv \ + --shared-nghttp2 \ + --with-dtrace \ + --with-intl=%{icu_flag} \ + --with-icu-default-data-dir=%{icudatadir} \ + --debug-nghttp2 \ + --openssl-use-def-ca-store +%endif + %endif %if %{?with_debug} == 1 @@ -820,6 +870,20 @@ end %changelog +* Mon Jan 18 2021 Zuzana Svetlikova - 1:12.20.1-1 +- Security rebase for January security release +- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ +- Resolves: RHBZ#1916460, RHBZ#1914786 +- Resolves: RHBZ#1914784, RHBZ#1916396 + +* Tue Nov 24 2020 Zuzana Svetlikova - 1:12.19.1-1 +- Resolves: RHBZ#1901044, #1901045, #1901046, #1901047 +- c-ares, ajv and y18n CVEs and yarn installability issues + +* Mon Oct 05 2020 Zuzana Svetlikova - 1:12.18.4-2 +- Fix RHBZ#1856776 - nodejs-devel not installable due to missing brotli +- Some spec fixes + * Tue Sep 22 2020 Jan Staněk - 12.18.4-1 - Rebase to 12.18.4