import nodejs-14.21.1-2.module+el8.7.0+17528+a329cd47

2023-01-09 09:25:13 -05:00 · 2023-01-09 09:25:13 -05:00 · e356425f49
commit e356425f49
parent 5bca9392ff
6 changed files with 160 additions and 34 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,4 @@
+SOURCES/cjs-module-lexer-1.2.2.tar.gz
 SOURCES/icu4c-70_1-src.tgz
-SOURCES/node-v14.20.1-stripped.tar.gz
+SOURCES/node-v14.21.1-stripped.tar.gz
+SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,2 +1,4 @@
+6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
-78984f3659b168dc3712a1cbd49f43c0f62a299f SOURCES/node-v14.20.1-stripped.tar.gz
+2812a06625a63430d5f36ce9019cc2df321956e6 SOURCES/node-v14.21.1-stripped.tar.gz
+8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
--- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
@ -1,19 +1,18 @@
-From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001
+From 0daef8b47290ffa866f321173a0a45f7c131f172 Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
 Date: Fri, 17 Apr 2020 12:59:44 +0200
-Subject: [PATCH 1/2] Disable running gyp on shared deps
+Subject: [PATCH] Disable running gyp on shared deps

+Signed-off-by: rpm-build <rpm-build>
 ---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/Makefile b/Makefile
-index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644
+index 82281b5..9e65fc4 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -136,11 +136,11 @@ endif
- .PHONY: test-code-cache
- with-code-cache test-code-cache:
+@@ -143,7 +143,7 @@ with-code-cache test-code-cache:
 	$(warning '$@' target is a noop)
 
 out/Makefile: config.gypi common.gypi node.gyp \
@ -22,8 +21,6 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e
 	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
 	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
 	$(PYTHON) tools/gyp_node.py -f make
- 
- # node_version.h is listed because the N-API version is taken from there
 -- 
-2.29.2
+2.38.1

--- a/SOURCES/0002-deps-ansi-regex-fix-potential-ReDoS.patch
+++ b/SOURCES/0002-deps-ansi-regex-fix-potential-ReDoS.patch
@ -1,4 +1,4 @@
-From e12dad58e7c749d65d51e2dd49dece4102ddfa18 Mon Sep 17 00:00:00 2001
+From 8fc20d21cd7861ecc4f034ae82234a05227c2c12 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Thu, 9 Dec 2021 15:48:46 +0100
 Subject: [PATCH] deps(ansi-regex): fix potential ReDoS
@ -41,6 +41,5 @@ index c254480..9e37ec3 100644
 	].join('|');
 
 -- 
-2.36.1
-
+2.38.1

--- a/SOURCES/0003-deps-qs-parse-ignore-proto-keys-CVE-2022-24999.patch
+++ b/SOURCES/0003-deps-qs-parse-ignore-proto-keys-CVE-2022-24999.patch
@ -0,0 +1,98 @@
+From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001
+From: Jordan Harband <ljharb@gmail.com>
+Date: Mon, 27 Dec 2021 19:15:57 -0800
+Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999)
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/qs/lib/parse.js  |  2 +-
+ deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++
+ 2 files changed, 61 insertions(+), 1 deletion(-)
+
+diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js
+index 8c9872e..08e623a 100644
+--- a/deps/npm/node_modules/qs/lib/parse.js
+++ b/deps/npm/node_modules/qs/lib/parse.js
+@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) {
+             ) {
+                 obj = [];
+                 obj[index] = leaf;
+-            } else {
+            } else if (cleanRoot !== '__proto__') {
+                 obj[cleanRoot] = leaf;
+             }
+         }
+diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js
+index 0f8fe45..3e93784 100644
+--- a/deps/npm/node_modules/qs/test/parse.js
+++ b/deps/npm/node_modules/qs/test/parse.js
+@@ -515,6 +515,66 @@ test('parse()', function (t) {
+         st.end();
+     });
+ 
+    t.test('dunder proto is ignored', function (st) {
+        var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
+        var result = qs.parse(payload, { allowPrototypes: true });
+
+        st.deepEqual(
+            result,
+            {
+                categories: {
+                    length: '42'
+                }
+            },
+            'silent [[Prototype]] payload'
+        );
+
+        var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
+
+        st.deepEqual(
+            plainResult,
+            {
+                __proto__: null,
+                categories: {
+                    __proto__: null,
+                    length: '42'
+                }
+            },
+            'silent [[Prototype]] payload: plain objects'
+        );
+
+        var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
+
+        st.notOk(Array.isArray(query.categories), 'is not an array');
+        st.notOk(query.categories instanceof Array, 'is not instanceof an array');
+        st.deepEqual(query.categories, { some: { json: 'toInject' } });
+        st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
+
+        st.deepEqual(
+            qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
+            {
+                foo: {
+                    bar: 'stuffs'
+                }
+            },
+            'hidden values'
+        );
+
+        st.deepEqual(
+            qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
+            {
+                __proto__: null,
+                foo: {
+                    __proto__: null,
+                    bar: 'stuffs'
+                }
+            },
+            'hidden values: plain objects'
+        );
+
+        st.end();
+    });
+
+     t.test('can return null objects', { skip: !Object.create }, function (st) {
+         var expected = Object.create(null);
+         expected.a = Object.create(null);
+-- 
+2.38.1
+
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -41,7 +41,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 14
-%global nodejs_minor 20
+%global nodejs_minor 21
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
@ -168,10 +168,23 @@ Source100: %{name}-tarball.sh
 # nodejs-packaging SRPM.
 Source7: nodejs_native.attr

+# These are full sources for dependencies included as WASM blobs in the source of Node itself.
+# Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to.
+# Recipes for creating these blobs are included in the sources.
+
+# Version: jq '.version' deps/cjs-module-lexer/package.json
+# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz
+# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm
+Source101: cjs-module-lexer-1.2.2.tar.gz
+# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in.
+# Version source: Makefile
+Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
+
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
-
-Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch
+# Dependency vulnerabilities
+Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch
+Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch

 BuildRequires: make
 BuildRequires: python3-devel
@ -352,6 +365,21 @@ The API documentation for the Node.js JavaScript runtime.
 rm -rf deps/zlib
 rm -rf deps/brotli

+# check for correct versions of dependencies we are bundling
+check_wasm_dep() {
+  local -r name="$1" source="$2" packagejson="$3"
+  local -r expected_version="$(jq -r '.version' "${packagejson}")"
+
+  if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then
+    printf '%s version matches\n' "${name}" >&2
+  else
+    printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
+    return 1
+  fi
+}
+
+check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json
+
 # Replace any instances of unversioned python' with python3
 %if %{with python3_fixup}
 pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
@ -668,35 +696,35 @@ end


 %changelog
+* Thu Dec 08 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-2
+- Apply upstream fix for CVE-2022-24999
+  Resolves: CVE-2022-24999
+- Record CVEs fixed by current or previous upstream releases
+  Resolves: CVE-2021-44906
+
+* Wed Nov 16 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-1
+- Rebase to version 14.21.1
+  Resolves: rhbz#2129805 CVE-2022-43548 CVE-2022-3517
+
 * Fri Oct 07 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-2
 - Record issues fixed in the current version
  Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824
-  Resolves: CVE-2022-0235

 * Thu Sep 29 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-1
 - Rebase to version 14.20.1
  Resolves: CVE-2022-35256

-* Tue Aug 02 2022 Zuzana Svetlikova <zsvetlik@redhat.com - 1:14.20.0-2
+* Mon Aug 22 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.20.0-1
+- Rebase to latest release
+- Resolves: #2106281, #2108056, #2108061, #2108066, #2108071, #2108139
+- Remove libs patch
+- Build without corepack
+
+* Wed May 25 2022 Jan Staněk <jstanek@redhat.com> - 1:14.18.2-2
 - Replace with_* macros with RPM confitionals
 - Unify configure calls into single command
 - Refactor bootstrap-related parts
 - Decouple dependency bundling from bootstrapping
- Resolves: RHBZ#2111417
-
-* Mon Jul 25 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.20.0-1
- Rebase to latest version
- Resolves: RHBZ#2106367
- CVE fixes for CVE-2022-32212/3/4/5
- Resolves: #2109576, #2109579, #2109582, #2109585
-
-* Tue Jan 11 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-3
- Resolves: RHBZ#2029519
- Add missing BZ to changelog
-
-* Mon Dec 13 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-2
- Add missing fixes
- Resolves: RHBZ#2027641, RHBZ#2027634

 * Wed Dec 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-1
 - Resolves: RHBZ#2026325