Update to latest release

Resolves CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215
Resolves CVE-2022-29244
Resolves: RHBZ#211100
Zuzana Svetlikova 2022-07-25 12:22:44 +02:00
parent 7d57949211
commit ea1df4bf30
4 changed files with 53 additions and 167 deletions

.gitignore vendored

@ -25,3 +25,4 @@
/icu4c-70_1-src.tgz
/node-v18.2.0-stripped.tar.gz
/icu4c-71_1-src.tgz
/node-v18.7.0-stripped.tar.gz


@ -1,4 +1,4 @@
From 142fe30256f96e28b49f55d5c72e604719aaaad8 Mon Sep 17 00:00:00 2001
From fe1e9d3f6d87416aa4cd8f8bee186d71a8ea2b0f Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova <zsvetlik@redhat.com>
Date: Fri, 17 Apr 2020 12:59:44 +0200
Subject: [PATCH] Disable running gyp on shared deps
@ -10,30 +10,30 @@ Signed-off-by: rpm-build <rpm-build>
2 files changed, 1 insertion(+), 18 deletions(-)
diff --git a/Makefile b/Makefile
index 4aace77..0bad864 100644
index e0d756f..c90bfa7 100644
--- a/Makefile
+++ b/Makefile
@@ -147,7 +147,7 @@ with-code-cache test-code-cache:
$(warning '$@' target is a noop)
$(warning '$@' target is a noop)
out/Makefile: config.gypi common.gypi node.gyp \
- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
+ deps/llhttp/llhttp.gyp \
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
$(PYTHON) tools/gyp_node.py -f make
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
$(PYTHON) tools/gyp_node.py -f make
diff --git a/node.gyp b/node.gyp
index 86fe9a6..bfa5093 100644
index 6b3a6d9..5882cef 100644
--- a/node.gyp
+++ b/node.gyp
@@ -449,23 +449,6 @@
@@ -429,23 +429,6 @@
],
},
],
- }, {
- 'variables': {
- 'opensslconfig_internal': '<(obj_dir)/deps/openssl/openssl.cnf',
- 'opensslconfig': './deps/openssl/openssl/apps/openssl.cnf',
- 'opensslconfig': './deps/openssl/nodejs-openssl.cnf',
- },
- 'actions': [
- {
@ -42,14 +42,14 @@ index 86fe9a6..bfa5093 100644
- 'outputs': [ '<(opensslconfig_internal)', ],
- 'action': [
- 'python', 'tools/copyfile.py',
- './deps/openssl/openssl/apps/openssl.cnf',
- '<(obj_dir)/deps/openssl/openssl.cnf',
- '<(opensslconfig)',
- '<(opensslconfig_internal)',
- ],
- },
- ],
}],
],
}, # node_core_target_name
--
--
2.36.1


@ -1,11 +1,3 @@
%global with_debug 0
# PowerPC, s390x and aarch64 segfault during Debug builds
# https://github.com/nodejs/node/issues/20642
%ifarch %{power64} s390x aarch64
%global with_debug 0
%endif
# The following macros control the usage of dependencies bundled from upstream.
#
# When to use what:
@ -17,7 +9,7 @@
#
# create bootstrapping build with bundled deps and extra release suffix
%bcond_with bootstrap
# bundle dependencies that are not available as Fedora modules
# bundle dependencies that are not available in CentOS
%if %{with bootstrap}
%bcond_without bundled
%else
@ -37,7 +29,7 @@
# This is used by both the nodejs package and the npm subpackage that
# has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end.
%global baserelease 2
%global baserelease 1
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -48,7 +40,7 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 18
%global nodejs_minor 2
%global nodejs_minor 7
%global nodejs_patch 0
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -63,9 +55,9 @@
# Epoch is set to ensure clean upgrades from the old v8 package
%global v8_epoch 2
%global v8_major 10
%global v8_minor 1
%global v8_build 124
%global v8_patch 8
%global v8_minor 2
%global v8_build 154
%global v8_patch 13
# V8 presently breaks ABI at least every x.y release while never bumping SONAME
%global v8_abi %{v8_major}.%{v8_minor}
%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@ -73,28 +65,16 @@
# c-ares - from deps/cares/include/ares_version.h
# https://github.com/nodejs/node/pull/9332
%global c_ares_major 1
%global c_ares_minor 18
%global c_ares_patch 1
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
%global c_ares_version 1.18.1
# llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_major 6
%global llhttp_minor 0
%global llhttp_patch 6
%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
%global llhttp_version 6.0.7
# libuv - from deps/uv/include/uv/version.h
%global libuv_major 1
%global libuv_minor 43
%global libuv_patch 0
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
%global libuv_version 1.43.0
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
%global nghttp2_major 1
%global nghttp2_minor 47
%global nghttp2_patch 0
%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
%global nghttp2_version 1.47.0
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
%global nghttp3_major 0
@ -133,29 +113,11 @@
# punycode - from lib/punycode.js
# Note: this was merged into the mainline since 0.6.x
# Note: this will be unmerged in an upcoming major release
%global punycode_major 2
%global punycode_minor 1
%global punycode_patch 0
%global punycode_version %{punycode_major}.%{punycode_minor}.%{punycode_patch}
%global punycode_version 2.1.0
# npm - from deps/npm/package.json
%global npm_epoch 1
%global npm_major 8
%global npm_minor 9
%global npm_patch 0
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# uvwasi - from deps/uvwasi/include/uvwasi.h
%global uvwasi_major 0
%global uvwasi_minor 0
%global uvwasi_patch 12
%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
# histogram_c - assumed from timestamps
%global histogram_major 0
%global histogram_minor 9
%global histogram_patch 7
%global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
%global npm_version 8.15.0
# In order to avoid needing to keep incrementing the release version for the
# main package forever, we will just construct one for npm that is guaranteed
@ -163,8 +125,11 @@
# base npm version number is increasing.
%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
# Node.js 16.9.1 and later comes with an experimental package management tool
%global corepack_version 0.10.0
# uvwasi - from deps/uvwasi/include/uvwasi.h
%global uvwasi_version 0.0.12
# histogram_c - assumed from timestamps
%global histogram_version 0.9.7
Name: nodejs
Epoch: %{nodejs_epoch}
@ -196,10 +161,16 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
BuildRequires: make
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: python3-jinja2
%if !%{with python3_fixup}
BuildRequires: python-unversioned-command
%endif
BuildRequires: zlib-devel
BuildRequires: brotli-devel
BuildRequires: gcc >= 8.3.0
BuildRequires: gcc-c++ >= 8.3.0
BuildRequires: jq
# needed to generate bundled provides for npm dependencies
# https://src.fedoraproject.org/rpms/nodejs/pull-request/2
# https://pagure.io/nodejs-packaging/pull-request/10
@ -285,15 +256,9 @@ Provides: bundled(icu) = %{icu_version}
# or there's no option to built it as a shared dependency, so we bundle them
Provides: bundled(uvwasi) = %{uvwasi_version}
Provides: bundled(histogram) = %{histogram_version}
Provides: bundled(corepack) = %{corepack_version}
# Make sure we keep NPM up to date when we update Node.js
%if 0%{?rhel} < 8
# EPEL doesn't support Recommends, so make it strict
Requires: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
%else
Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
%endif
%description
Node.js is a platform built on Chrome's JavaScript runtime
@ -341,9 +306,7 @@ Release: %{npm_release}%{?dist}
Obsoletes: npm < 0:3.5.4-6
Provides: npm = %{npm_epoch}:%{npm_version}
Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
%if 0%{?fedora} || 0%{?rhel} >= 8
Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
%endif
# Do not add epoch to the virtual NPM provides or it will break
# the automatic dependency-generation script.
@ -375,6 +338,8 @@ The API documentation for the Node.js JavaScript runtime.
# remove bundled dependencies that we aren't building
rm -rf deps/zlib
rm -rf deps/brotli
rm -rf deps/v8/third_party/jinja2
rm -rf tools/inspector_protocol/jinja2
# Replace any instances of unversioned python' with python3
%if %{with python3_fixup}
@ -382,20 +347,19 @@ pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python3~" {} \;
find . -type f -exec sed -i "s~/usr\/bin\/python\W~/usr/bin/python3~" {} \;
sed -i "s~usr\/bin\/python2~usr\/bin\/python3~" ./deps/v8/tools/gen-inlining-tests.py
sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_unittest.py
sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_test.py
find . -type f -exec sed -i "s~python -c~python3 -c~" {} \;
%endif
%build
%ifarch s390 s390x %{arm} %ix86
# Decrease debuginfo verbosity to reduce memory consumption during final
# library linking
%global optflags %(echo %{optflags} | sed 's/-g /-g1 /')
%endif
export CC='gcc'
export CXX='g++'
export CC='%{__cc}'
export CXX='%{__cxx}'
%{?with_python3_fixup:export NODE_GYP_FORCE_PYTHON=%{__python3}}
# build with debugging symbols and add defines from libuv (#892601)
@ -419,15 +383,11 @@ export LDFLAGS="%{build_ldflags}"
--with-dtrace \
--with-intl=small-icu \
--with-icu-default-data-dir=%{icudatadir} \
--without-corepack \
--openssl-use-def-ca-store \
--openssl-default-cipher-list=PROFILE=SYSTEM
%if %{?with_debug} == 1
# Setting BUILDTYPE=Debug builds both release and debug binaries
make BUILDTYPE=Debug %{?_smp_mflags}
%else
make BUILDTYPE=Release %{?_smp_mflags}
%endif
# Extract the ICU data and convert it to the appropriate endianness
pushd deps/
@ -468,11 +428,6 @@ rm -rf %{buildroot}
chmod 0755 %{buildroot}/%{_bindir}/node
chrpath --delete %{buildroot}%{_bindir}/node
%if %{?with_debug} == 1
# Install the debug binary and set its permissions
install -Dpm0755 out/Debug/node %{buildroot}/%{_bindir}/node_g
%endif
# own the sitelib directory
mkdir -p %{buildroot}%{_prefix}/lib/node_modules
@ -530,11 +485,6 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
# Corepack contains a number of executable"shims", including some for Windows
# PowerShell. Drop the executable bit for those so we don't pick up an
# automatic dependency on /usr/bin/pwsh that we cannot satisfy.
chmod -x %{buildroot}%{_prefix}/lib/node_modules/corepack/shims/*.ps1
# Drop the NPM default configuration in place
mkdir -p %{buildroot}%{_sysconfdir}
cp %{SOURCE1} %{buildroot}%{_sysconfdir}/npmrc
@ -558,77 +508,12 @@ install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/*
%{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')"
# Ensure we have npm and that the version matches
# NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')"
NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(JSON.parse(require(\"fs\").readFileSync(\"%{buildroot}%{_prefix}/lib/node_modules/npm/package.json\")).version, '%{npm_version}')"
# Make sure i18n support is working
NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2}
%pretrans -n npm -p <lua>
-- Remove all of the symlinks from the bundled npm node_modules directory
-- This scriptlet can be removed in Fedora 31
base_path = "%{_prefix}/lib/node_modules/npm/node_modules/"
d_st = posix.stat(base_path)
if d_st then
for f in posix.files(base_path) do
path = base_path..f
st = posix.stat(path)
if st and st.type == "link" then
os.remove(path)
end
end
end
-- Replace the npm docs directory with a symlink
-- Drop this scriptlet when F31 is EOL
path = "%{_prefix}/lib/node_modules/npm/doc"
st = posix.stat(path)
if st and st.type == "directory" then
status = os.rename(path, path .. ".rpmmoved")
if not status then
suffix = 0
while not status do
suffix = suffix + 1
status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
end
os.rename(path, path .. ".rpmmoved")
end
end
-- Replace the npm docs directory with a symlink
-- Drop this scriptlet when F31 is EOL
path = "%{_prefix}/lib/node_modules/npm/html"
st = posix.stat(path)
if st and st.type == "directory" then
status = os.rename(path, path .. ".rpmmoved")
if not status then
suffix = 0
while not status do
suffix = suffix + 1
status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
end
os.rename(path, path .. ".rpmmoved")
end
end
-- Replace the npm man directory with a symlink
-- Drop this scriptlet when F31 is EOL
path = "%{_prefix}/lib/node_modules/npm/man"
st = posix.stat(path)
if st and st.type == "directory" then
status = os.rename(path, path .. ".rpmmoved")
if not status then
suffix = 0
while not status do
suffix = suffix + 1
status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
end
os.rename(path, path .. ".rpmmoved")
end
end
%files
%{_bindir}/node
%dir %{_prefix}/lib/node_modules
@ -637,10 +522,6 @@ end
%dir %{_datadir}/systemtap/tapset
%{_datadir}/systemtap/tapset/node.stp
# corepack
%{_bindir}/corepack
%{_prefix}/lib/node_modules/corepack
%dir %{_usr}/lib/dtrace
%{_usr}/lib/dtrace/node.d
@ -652,9 +533,6 @@ end
%files devel
%if %{?with_debug} == 1
%{_bindir}/node_g
%endif
%{_includedir}/node
%{_datadir}/node/common.gypi
%{_pkgdocdir}/gdbinit
@ -682,8 +560,9 @@ end
%doc %{_mandir}/man5/npm-shrinkwrap-json.5*
%doc %{_mandir}/man7/config.7*
%doc %{_mandir}/man7/developers.7*
%doc %{_mandir}/man7/orgs.7*
%doc %{_mandir}/man7/logging.7*
%doc %{_mandir}/man7/orgs.7*
%doc %{_mandir}/man7/package-spec.7*
%doc %{_mandir}/man7/registry.7*
%doc %{_mandir}/man7/removal.7*
%doc %{_mandir}/man7/scope.7*
@ -699,6 +578,12 @@ end
%changelog
* Mon Aug 08 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.7.0-1
- Update to latest release
- Resolves CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215
- Resolves CVE-2022-29244
- Resolves: RHBZ#2111009
* Mon Jun 20 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.2.0-2
- Disable LTO
- Related: #1990096
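Review bot: The new %changelog entry records `- Resolves: RHBZ#2111009` while the commit description above says `Resolves: RHBZ#211100`; these disagree by a digit, and since the bug id is what ties the 18.7.0 rebase to the CVE-2022-32212..32215 / CVE-2022-29244 fixes in tracking, one of the two should be corrected before merge (I cannot tell from the page which is right). The `sources` section below appears to swap icu4c-70_1 for icu4c-71_1 alongside the node tarball, but no change to the `icu_version` macro (the `Provides: bundled(icu) = %{icu_version}` line is only hunk context here) is visible in the spec hunks shown; if that bump lives outside this excerpt it is fine, otherwise the build would still reference the old ICU tarball. The version-macro simplification (`%global llhttp_version 6.0.7`, `%global npm_version 8.15.0`, etc.) reads as intended, though the llhttp and npm bumps are the only bundled-dependency changes I can see and a reader would benefit from the changelog naming them, e.g. `- llhttp 6.0.7, npm 8.15.0`.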


@ -1,2 +1,2 @@
SHA512 (node-v18.2.0-stripped.tar.gz) = c51881ae16d950a8a9f3e123b8901937b0152e81128a51645cdc07408a076cc4212883a408b3e88de91bfa30d6d2dc327a1f7b842e4b78f62defb13d78d4d08b
SHA512 (icu4c-71_1-src.tgz) = 1fd2a20aef48369d1f06e2bb74584877b8ad0eb529320b976264ec2db87420bae242715795f372dbc513ea80047bc49077a064e78205cd5e8b33d746fd2a2912
SHA512 (icu4c-70_1-src.tgz) = 0b26ae7207155cb65a8fdb25f7b2fa4431e74b12bccbed0884a17feaae3c96833d12451064dd152197fd6ea5fd3adfd95594284a463e66c82e0d860f645880c9
SHA512 (node-v18.7.0-stripped.tar.gz) = 710c3ab1e8417bcda55ab7aa74b9c54367d899f8a039cff3d6644d3d15fae98ce257e1632f997ad2f67132b17fc585c1e1de0f570add6ffb7e5d6b5405e1bb29
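Review bot: The new `SHA512 (node-v18.7.0-stripped.tar.gz)` entry cannot be checked against upstream's signed SHASUMS file, because the "stripped" tarball is a repackaged artifact, and neither the commit description nor the spec hunks shown record which upstream archive it was derived from or how it was produced. A one-line provenance note in the commit message, e.g. `node-v18.7.0-stripped.tar.gz generated from node-v18.7.0.tar.gz (upstream SHA256 <UPSTREAM-SHA256-PLACEHOLDER>) with <STRIP-SCRIPT-PLACEHOLDER>`, would let a reviewer reproduce the checksum instead of trusting it. The same applies to the icu4c-71_1 entry, which as an unmodified upstream tarball should be verifiable against the ICU release checksum; stating that it was verified would close the loop.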