Security rebase to 14.15.4

Resolves: RHBZ#1913001, RHBZ#1912953 Resolves: RHBZ#1912636, RHBZ#1898602, RHBZ#1898768, RHBZ#1893987, RHBZ#1893184
2021-01-19 12:12:01 +01:00 · 2021-01-19 12:12:01 +01:00 · d42a973b5a
commit d42a973b5a
parent 4f913cec19
6 changed files with 141 additions and 12 deletions
--- a/.gitignore
+++ b/.gitignore
@ -12,3 +12,4 @@
 /node-v14.4.0-stripped.tar.gz
 /node-v14.11.0-stripped.tar.gz
 /node-v14.15.0-stripped.tar.gz
+/node-v14.15.4-stripped.tar.gz
--- a/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/0001-Disable-running-gyp-on-shared-deps.patch
@ -1,6 +1,6 @@
-From 65f5eb67f4691ab535cc00240a00bd33efe29969 Mon Sep 17 00:00:00 2001
+From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
-Date: Thu, 27 Apr 2017 14:25:42 +0200
+Date: Fri, 17 Apr 2020 12:59:44 +0200
 Subject: [PATCH 1/2] Disable running gyp on shared deps

 ---
@ -8,18 +8,22 @@ Subject: [PATCH 1/2] Disable running gyp on shared deps
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/Makefile b/Makefile
-index 34cdec7f7767b5152678adaeea10a8cf711fb9a8..3b548907033108831e99e054bc84d3ce91daa25c 100644
+index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -141,7 +141,7 @@ test-code-cache: with-code-cache
- 	echo "'test-code-cache' target is a noop"
-
+@@ -136,11 +136,11 @@ endif
+ .PHONY: test-code-cache
+ with-code-cache test-code-cache:
+ 	$(warning '$@' target is a noop)
+ 
 out/Makefile: config.gypi common.gypi node.gyp \
 -	deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
-+	deps/uv/uv.gyp deps/llhttp/llhttp.gyp \
+	deps/llhttp/llhttp.gyp \
 	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
 	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
 	$(PYTHON) tools/gyp_node.py -f make
--
-2.24.1
+ 
+ # node_version.h is listed because the N-API version is taken from there
+-- 
+2.29.2

--- a/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+++ b/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
@ -0,0 +1,13 @@
+diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
+index d720681628..727362aac0 100644
+--- a/deps/npm/node_modules/y18n/index.js
+++ b/deps/npm/node_modules/y18n/index.js
+@@ -11,7 +11,7 @@ function Y18N (opts) {
+   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
+ 
+   // internal stuff.
+-  this.cache = {}
+  this.cache = Object.create(null)
+   this.writeQueue = []
+ }
+ 
--- a/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+++ b/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
@ -0,0 +1,99 @@
+From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
+From: isaacs <i@izs.me>
+Date: Tue, 8 Dec 2020 14:21:50 -0800
+Subject: [PATCH] do not allow invalid hazardous string as section name
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/ini/ini.js        |  8 +++++
+ deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+ create mode 100644 deps/npm/node_modules/ini/test/proto.js
+
+diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
+index 590195d..0401258 100644
+--- a/deps/npm/node_modules/ini/ini.js
+++ b/deps/npm/node_modules/ini/ini.js
+@@ -80,6 +80,12 @@ function decode (str) {
+     if (!match) return
+     if (match[1] !== undefined) {
+       section = unsafe(match[1])
+      if (section === '__proto__') {
+        // not allowed
+        // keep parsing the section, but don't attach it.
+        p = {}
+        return
+      }
+       p = out[section] = out[section] || {}
+       return
+     }
+@@ -94,6 +100,7 @@ function decode (str) {
+     // Convert keys with '[]' suffix to an array
+     if (key.length > 2 && key.slice(-2) === '[]') {
+       key = key.substring(0, key.length - 2)
+      if (key === '__proto__') return
+       if (!p[key]) {
+         p[key] = []
+       } else if (!Array.isArray(p[key])) {
+@@ -125,6 +132,7 @@ function decode (str) {
+     var l = parts.pop()
+     var nl = l.replace(/\\\./g, '.')
+     parts.forEach(function (part, _, __) {
+      if (part === '__proto__') return
+       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+       p = p[part]
+     })
+diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
+new file mode 100644
+index 0000000..ab35533
+--- /dev/null
+++ b/deps/npm/node_modules/ini/test/proto.js
+@@ -0,0 +1,45 @@
+var ini = require('../')
+var t = require('tap')
+
+var data = `
+__proto__ = quux
+foo = baz
+[__proto__]
+foo = bar
+[other]
+foo = asdf
+[kid.__proto__.foo]
+foo = kid
+[arrproto]
+hello = snyk
+__proto__[] = you did a good job
+__proto__[] = so you deserve arrays
+thanks = true
+`
+var res = ini.parse(data)
+t.deepEqual(res, {
+  foo: 'baz',
+  other: {
+    foo: 'asdf',
+  },
+  kid: {
+    foo: {
+      foo: 'kid',
+    },
+  },
+  arrproto: {
+    hello: 'snyk',
+    thanks: true,
+  },
+})
+t.equal(res.__proto__, Object.prototype)
+t.equal(res.kid.__proto__, Object.prototype)
+t.equal(res.kid.foo.__proto__, Object.prototype)
+t.equal(res.arrproto.__proto__, Object.prototype)
+t.equal(Object.prototype.foo, undefined)
+t.equal(Object.prototype[0], undefined)
+t.equal(Object.prototype['0'], undefined)
+t.equal(Object.prototype[1], undefined)
+t.equal(Object.prototype['1'], undefined)
+t.equal(Array.prototype[0], undefined)
+t.equal(Array.prototype[1], undefined)
+--
+2.29.2
+
--- a/nodejs.spec
+++ b/nodejs.spec
@ -27,7 +27,7 @@
 %global nodejs_epoch 1
 %global nodejs_major 14
 %global nodejs_minor 15
-%global nodejs_patch 0
+%global nodejs_patch 4
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -110,7 +110,7 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 8
+%global npm_patch 10
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}

 # uvwasi - from deps/uvwasi/include/uvwasi.h
@ -165,6 +165,12 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 %endif

+# CVE-2020-7774
+Patch3: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+
+# CVE-2020-7788
+Patch4: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
 BuildRequires: brotli-devel
@ -819,6 +825,12 @@ end


 %changelog
+* Tue Jan 19 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.4-1
+- Security rebase to 14.15.4
+- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
+- Resolves: RHBZ#1913001, RHBZ#1912953
+- Resolves: RHBZ#1912636, RHBZ#1898602, RHBZ#1898768, RHBZ#1893987, RHBZ#1893184
+
 * Thu Oct 29 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.0-1
 - Resolves: RHBZ#1858864
 - Update to LTS release
--- a/2
+++ b/2
@ -1,2 +1,2 @@
-a55ace75a3320593e1e2ac45085f6607  node-v14.15.0-stripped.tar.gz
+488cb27eb0fa484db7bd3b48552113f7  node-v14.15.4-stripped.tar.gz
 c4d62b497cbd89ab2a9ca6b543e57b30  icu4c-67_1-src.tgz