Update to latest release
Resolves CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215 Resolves CVE-2022-29244 Resolves: RHBZ#211100
parent
7d57949211
commit
ea1df4bf30
1
.gitignore
vendored
1
.gitignore
vendored
@ -25,3 +25,4 @@
|
||||
/icu4c-70_1-src.tgz
|
||||
/node-v18.2.0-stripped.tar.gz
|
||||
/icu4c-71_1-src.tgz
|
||||
/node-v18.7.0-stripped.tar.gz
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 142fe30256f96e28b49f55d5c72e604719aaaad8 Mon Sep 17 00:00:00 2001
|
||||
From fe1e9d3f6d87416aa4cd8f8bee186d71a8ea2b0f Mon Sep 17 00:00:00 2001
|
||||
From: Zuzana Svetlikova <zsvetlik@redhat.com>
|
||||
Date: Fri, 17 Apr 2020 12:59:44 +0200
|
||||
Subject: [PATCH] Disable running gyp on shared deps
|
||||
@ -10,7 +10,7 @@ Signed-off-by: rpm-build <rpm-build>
|
||||
2 files changed, 1 insertion(+), 18 deletions(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 4aace77..0bad864 100644
|
||||
index e0d756f..c90bfa7 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -147,7 +147,7 @@ with-code-cache test-code-cache:
|
||||
@ -23,17 +23,17 @@ index 4aace77..0bad864 100644
|
||||
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
|
||||
$(PYTHON) tools/gyp_node.py -f make
|
||||
diff --git a/node.gyp b/node.gyp
|
||||
index 86fe9a6..bfa5093 100644
|
||||
index 6b3a6d9..5882cef 100644
|
||||
--- a/node.gyp
|
||||
+++ b/node.gyp
|
||||
@@ -449,23 +449,6 @@
|
||||
@@ -429,23 +429,6 @@
|
||||
],
|
||||
},
|
||||
],
|
||||
- }, {
|
||||
- 'variables': {
|
||||
- 'opensslconfig_internal': '<(obj_dir)/deps/openssl/openssl.cnf',
|
||||
- 'opensslconfig': './deps/openssl/openssl/apps/openssl.cnf',
|
||||
- 'opensslconfig': './deps/openssl/nodejs-openssl.cnf',
|
||||
- },
|
||||
- 'actions': [
|
||||
- {
|
||||
@ -42,8 +42,8 @@ index 86fe9a6..bfa5093 100644
|
||||
- 'outputs': [ '<(opensslconfig_internal)', ],
|
||||
- 'action': [
|
||||
- 'python', 'tools/copyfile.py',
|
||||
- './deps/openssl/openssl/apps/openssl.cnf',
|
||||
- '<(obj_dir)/deps/openssl/openssl.cnf',
|
||||
- '<(opensslconfig)',
|
||||
- '<(opensslconfig_internal)',
|
||||
- ],
|
||||
- },
|
||||
- ],
|
||||
|
189
nodejs.spec
189
nodejs.spec
@ -1,11 +1,3 @@
|
||||
%global with_debug 0
|
||||
|
||||
# PowerPC, s390x and aarch64 segfault during Debug builds
|
||||
# https://github.com/nodejs/node/issues/20642
|
||||
%ifarch %{power64} s390x aarch64
|
||||
%global with_debug 0
|
||||
%endif
|
||||
|
||||
# The following macros control the usage of dependencies bundled from upstream.
|
||||
#
|
||||
# When to use what:
|
||||
@ -17,7 +9,7 @@
|
||||
#
|
||||
# create bootstrapping build with bundled deps and extra release suffix
|
||||
%bcond_with bootstrap
|
||||
# bundle dependencies that are not available as Fedora modules
|
||||
# bundle dependencies that are not available in CentOS
|
||||
%if %{with bootstrap}
|
||||
%bcond_without bundled
|
||||
%else
|
||||
@ -37,7 +29,7 @@
|
||||
# This is used by both the nodejs package and the npm subpackage that
|
||||
# has a separate version - the name is special so that rpmdev-bumpspec
|
||||
# will bump this rather than adding .1 to the end.
|
||||
%global baserelease 2
|
||||
%global baserelease 1
|
||||
|
||||
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -48,7 +40,7 @@
|
||||
# than a Fedora release lifecycle.
|
||||
%global nodejs_epoch 1
|
||||
%global nodejs_major 18
|
||||
%global nodejs_minor 2
|
||||
%global nodejs_minor 7
|
||||
%global nodejs_patch 0
|
||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||
@ -63,9 +55,9 @@
|
||||
# Epoch is set to ensure clean upgrades from the old v8 package
|
||||
%global v8_epoch 2
|
||||
%global v8_major 10
|
||||
%global v8_minor 1
|
||||
%global v8_build 124
|
||||
%global v8_patch 8
|
||||
%global v8_minor 2
|
||||
%global v8_build 154
|
||||
%global v8_patch 13
|
||||
# V8 presently breaks ABI at least every x.y release while never bumping SONAME
|
||||
%global v8_abi %{v8_major}.%{v8_minor}
|
||||
%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
|
||||
@ -73,28 +65,16 @@
|
||||
|
||||
# c-ares - from deps/cares/include/ares_version.h
|
||||
# https://github.com/nodejs/node/pull/9332
|
||||
%global c_ares_major 1
|
||||
%global c_ares_minor 18
|
||||
%global c_ares_patch 1
|
||||
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
|
||||
%global c_ares_version 1.18.1
|
||||
|
||||
# llhttp - from deps/llhttp/include/llhttp.h
|
||||
%global llhttp_major 6
|
||||
%global llhttp_minor 0
|
||||
%global llhttp_patch 6
|
||||
%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
|
||||
%global llhttp_version 6.0.7
|
||||
|
||||
# libuv - from deps/uv/include/uv/version.h
|
||||
%global libuv_major 1
|
||||
%global libuv_minor 43
|
||||
%global libuv_patch 0
|
||||
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
|
||||
%global libuv_version 1.43.0
|
||||
|
||||
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
|
||||
%global nghttp2_major 1
|
||||
%global nghttp2_minor 47
|
||||
%global nghttp2_patch 0
|
||||
%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
|
||||
%global nghttp2_version 1.47.0
|
||||
|
||||
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
|
||||
%global nghttp3_major 0
|
||||
@ -133,29 +113,11 @@
|
||||
# punycode - from lib/punycode.js
|
||||
# Note: this was merged into the mainline since 0.6.x
|
||||
# Note: this will be unmerged in an upcoming major release
|
||||
%global punycode_major 2
|
||||
%global punycode_minor 1
|
||||
%global punycode_patch 0
|
||||
%global punycode_version %{punycode_major}.%{punycode_minor}.%{punycode_patch}
|
||||
%global punycode_version 2.1.0
|
||||
|
||||
# npm - from deps/npm/package.json
|
||||
%global npm_epoch 1
|
||||
%global npm_major 8
|
||||
%global npm_minor 9
|
||||
%global npm_patch 0
|
||||
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
||||
|
||||
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
||||
%global uvwasi_major 0
|
||||
%global uvwasi_minor 0
|
||||
%global uvwasi_patch 12
|
||||
%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
|
||||
|
||||
# histogram_c - assumed from timestamps
|
||||
%global histogram_major 0
|
||||
%global histogram_minor 9
|
||||
%global histogram_patch 7
|
||||
%global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
|
||||
%global npm_version 8.15.0
|
||||
|
||||
# In order to avoid needing to keep incrementing the release version for the
|
||||
# main package forever, we will just construct one for npm that is guaranteed
|
||||
@ -163,8 +125,11 @@
|
||||
# base npm version number is increasing.
|
||||
%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
|
||||
|
||||
# Node.js 16.9.1 and later comes with an experimental package management tool
|
||||
%global corepack_version 0.10.0
|
||||
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
||||
%global uvwasi_version 0.0.12
|
||||
|
||||
# histogram_c - assumed from timestamps
|
||||
%global histogram_version 0.9.7
|
||||
|
||||
Name: nodejs
|
||||
Epoch: %{nodejs_epoch}
|
||||
@ -196,10 +161,16 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: python3-setuptools
|
||||
BuildRequires: python3-jinja2
|
||||
%if !%{with python3_fixup}
|
||||
BuildRequires: python-unversioned-command
|
||||
%endif
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: brotli-devel
|
||||
BuildRequires: gcc >= 8.3.0
|
||||
BuildRequires: gcc-c++ >= 8.3.0
|
||||
BuildRequires: jq
|
||||
# needed to generate bundled provides for npm dependencies
|
||||
# https://src.fedoraproject.org/rpms/nodejs/pull-request/2
|
||||
# https://pagure.io/nodejs-packaging/pull-request/10
|
||||
@ -285,15 +256,9 @@ Provides: bundled(icu) = %{icu_version}
|
||||
# or there's no option to built it as a shared dependency, so we bundle them
|
||||
Provides: bundled(uvwasi) = %{uvwasi_version}
|
||||
Provides: bundled(histogram) = %{histogram_version}
|
||||
Provides: bundled(corepack) = %{corepack_version}
|
||||
|
||||
# Make sure we keep NPM up to date when we update Node.js
|
||||
%if 0%{?rhel} < 8
|
||||
# EPEL doesn't support Recommends, so make it strict
|
||||
Requires: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
|
||||
%else
|
||||
Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
|
||||
%endif
|
||||
|
||||
%description
|
||||
Node.js is a platform built on Chrome's JavaScript runtime
|
||||
@ -341,9 +306,7 @@ Release: %{npm_release}%{?dist}
|
||||
Obsoletes: npm < 0:3.5.4-6
|
||||
Provides: npm = %{npm_epoch}:%{npm_version}
|
||||
Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
|
||||
%if 0%{?fedora} || 0%{?rhel} >= 8
|
||||
Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
|
||||
%endif
|
||||
|
||||
# Do not add epoch to the virtual NPM provides or it will break
|
||||
# the automatic dependency-generation script.
|
||||
@ -375,6 +338,8 @@ The API documentation for the Node.js JavaScript runtime.
|
||||
# remove bundled dependencies that we aren't building
|
||||
rm -rf deps/zlib
|
||||
rm -rf deps/brotli
|
||||
rm -rf deps/v8/third_party/jinja2
|
||||
rm -rf tools/inspector_protocol/jinja2
|
||||
|
||||
# Replace any instances of unversioned python' with python3
|
||||
%if %{with python3_fixup}
|
||||
@ -382,20 +347,19 @@ pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
|
||||
find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python3~" {} \;
|
||||
find . -type f -exec sed -i "s~/usr\/bin\/python\W~/usr/bin/python3~" {} \;
|
||||
sed -i "s~usr\/bin\/python2~usr\/bin\/python3~" ./deps/v8/tools/gen-inlining-tests.py
|
||||
sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_unittest.py
|
||||
sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_test.py
|
||||
find . -type f -exec sed -i "s~python -c~python3 -c~" {} \;
|
||||
%endif
|
||||
|
||||
%build
|
||||
|
||||
%ifarch s390 s390x %{arm} %ix86
|
||||
# Decrease debuginfo verbosity to reduce memory consumption during final
|
||||
# library linking
|
||||
%global optflags %(echo %{optflags} | sed 's/-g /-g1 /')
|
||||
%endif
|
||||
|
||||
export CC='gcc'
|
||||
export CXX='g++'
|
||||
export CC='%{__cc}'
|
||||
export CXX='%{__cxx}'
|
||||
%{?with_python3_fixup:export NODE_GYP_FORCE_PYTHON=%{__python3}}
|
||||
|
||||
# build with debugging symbols and add defines from libuv (#892601)
|
||||
@ -419,15 +383,11 @@ export LDFLAGS="%{build_ldflags}"
|
||||
--with-dtrace \
|
||||
--with-intl=small-icu \
|
||||
--with-icu-default-data-dir=%{icudatadir} \
|
||||
--without-corepack \
|
||||
--openssl-use-def-ca-store \
|
||||
--openssl-default-cipher-list=PROFILE=SYSTEM
|
||||
|
||||
%if %{?with_debug} == 1
|
||||
# Setting BUILDTYPE=Debug builds both release and debug binaries
|
||||
make BUILDTYPE=Debug %{?_smp_mflags}
|
||||
%else
|
||||
make BUILDTYPE=Release %{?_smp_mflags}
|
||||
%endif
|
||||
|
||||
# Extract the ICU data and convert it to the appropriate endianness
|
||||
pushd deps/
|
||||
@ -468,11 +428,6 @@ rm -rf %{buildroot}
|
||||
chmod 0755 %{buildroot}/%{_bindir}/node
|
||||
chrpath --delete %{buildroot}%{_bindir}/node
|
||||
|
||||
%if %{?with_debug} == 1
|
||||
# Install the debug binary and set its permissions
|
||||
install -Dpm0755 out/Debug/node %{buildroot}/%{_bindir}/node_g
|
||||
%endif
|
||||
|
||||
# own the sitelib directory
|
||||
mkdir -p %{buildroot}%{_prefix}/lib/node_modules
|
||||
|
||||
@ -530,11 +485,6 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \
|
||||
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
|
||||
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
|
||||
|
||||
# Corepack contains a number of executable"shims", including some for Windows
|
||||
# PowerShell. Drop the executable bit for those so we don't pick up an
|
||||
# automatic dependency on /usr/bin/pwsh that we cannot satisfy.
|
||||
chmod -x %{buildroot}%{_prefix}/lib/node_modules/corepack/shims/*.ps1
|
||||
|
||||
# Drop the NPM default configuration in place
|
||||
mkdir -p %{buildroot}%{_sysconfdir}
|
||||
cp %{SOURCE1} %{buildroot}%{_sysconfdir}/npmrc
|
||||
@ -558,77 +508,12 @@ install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/*
|
||||
%{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')"
|
||||
|
||||
# Ensure we have npm and that the version matches
|
||||
# NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')"
|
||||
NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(JSON.parse(require(\"fs\").readFileSync(\"%{buildroot}%{_prefix}/lib/node_modules/npm/package.json\")).version, '%{npm_version}')"
|
||||
|
||||
# Make sure i18n support is working
|
||||
NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2}
|
||||
|
||||
|
||||
%pretrans -n npm -p <lua>
|
||||
-- Remove all of the symlinks from the bundled npm node_modules directory
|
||||
-- This scriptlet can be removed in Fedora 31
|
||||
base_path = "%{_prefix}/lib/node_modules/npm/node_modules/"
|
||||
d_st = posix.stat(base_path)
|
||||
if d_st then
|
||||
for f in posix.files(base_path) do
|
||||
path = base_path..f
|
||||
st = posix.stat(path)
|
||||
if st and st.type == "link" then
|
||||
os.remove(path)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- Replace the npm docs directory with a symlink
|
||||
-- Drop this scriptlet when F31 is EOL
|
||||
path = "%{_prefix}/lib/node_modules/npm/doc"
|
||||
st = posix.stat(path)
|
||||
if st and st.type == "directory" then
|
||||
status = os.rename(path, path .. ".rpmmoved")
|
||||
if not status then
|
||||
suffix = 0
|
||||
while not status do
|
||||
suffix = suffix + 1
|
||||
status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
|
||||
end
|
||||
os.rename(path, path .. ".rpmmoved")
|
||||
end
|
||||
end
|
||||
|
||||
-- Replace the npm docs directory with a symlink
|
||||
-- Drop this scriptlet when F31 is EOL
|
||||
path = "%{_prefix}/lib/node_modules/npm/html"
|
||||
st = posix.stat(path)
|
||||
if st and st.type == "directory" then
|
||||
status = os.rename(path, path .. ".rpmmoved")
|
||||
if not status then
|
||||
suffix = 0
|
||||
while not status do
|
||||
suffix = suffix + 1
|
||||
status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
|
||||
end
|
||||
os.rename(path, path .. ".rpmmoved")
|
||||
end
|
||||
end
|
||||
|
||||
-- Replace the npm man directory with a symlink
|
||||
-- Drop this scriptlet when F31 is EOL
|
||||
path = "%{_prefix}/lib/node_modules/npm/man"
|
||||
st = posix.stat(path)
|
||||
if st and st.type == "directory" then
|
||||
status = os.rename(path, path .. ".rpmmoved")
|
||||
if not status then
|
||||
suffix = 0
|
||||
while not status do
|
||||
suffix = suffix + 1
|
||||
status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
|
||||
end
|
||||
os.rename(path, path .. ".rpmmoved")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
%files
|
||||
%{_bindir}/node
|
||||
%dir %{_prefix}/lib/node_modules
|
||||
@ -637,10 +522,6 @@ end
|
||||
%dir %{_datadir}/systemtap/tapset
|
||||
%{_datadir}/systemtap/tapset/node.stp
|
||||
|
||||
# corepack
|
||||
%{_bindir}/corepack
|
||||
%{_prefix}/lib/node_modules/corepack
|
||||
|
||||
%dir %{_usr}/lib/dtrace
|
||||
%{_usr}/lib/dtrace/node.d
|
||||
|
||||
@ -652,9 +533,6 @@ end
|
||||
|
||||
|
||||
%files devel
|
||||
%if %{?with_debug} == 1
|
||||
%{_bindir}/node_g
|
||||
%endif
|
||||
%{_includedir}/node
|
||||
%{_datadir}/node/common.gypi
|
||||
%{_pkgdocdir}/gdbinit
|
||||
@ -682,8 +560,9 @@ end
|
||||
%doc %{_mandir}/man5/npm-shrinkwrap-json.5*
|
||||
%doc %{_mandir}/man7/config.7*
|
||||
%doc %{_mandir}/man7/developers.7*
|
||||
%doc %{_mandir}/man7/orgs.7*
|
||||
%doc %{_mandir}/man7/logging.7*
|
||||
%doc %{_mandir}/man7/orgs.7*
|
||||
%doc %{_mandir}/man7/package-spec.7*
|
||||
%doc %{_mandir}/man7/registry.7*
|
||||
%doc %{_mandir}/man7/removal.7*
|
||||
%doc %{_mandir}/man7/scope.7*
|
||||
@ -699,6 +578,12 @@ end
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Aug 08 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.7.0-1
|
||||
- Update to latest release
|
||||
- Resolves CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215
|
||||
- Resolves CVE-2022-29244
|
||||
- Resolves: RHBZ#2111009
|
||||
|
||||
* Mon Jun 20 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.2.0-2
|
||||
- Disable LTO
|
||||
- Related: #1990096
|
||||
|
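Review bot: The bundled-component versions in nodejs.spec now appear to be hand-maintained literals (`%global llhttp_version 6.0.7`, `%global c_ares_version 1.18.1`, `%global libuv_version 1.43.0`, `%global npm_version 8.15.0`), yet the only %check assertions visible in this section compare punycode and npm against the built tree. The changelog records this update as resolving several CVEs, and the visible `Provides: bundled(...)` lines take their values from macros of this kind. A literal that was not bumped with the tarball would therefore make the package metadata misstate what actually ships, and nothing in the build would catch it. Unless such checks already exist outside the lines shown, I would add one per component next to the punycode assertion, for example `%{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(process.versions.llhttp, '%{llhttp_version}')"`. The same applies to the histogram value, which the spec's own comment says is "assumed from timestamps"; a short comment naming where to re-derive it on each rebase would help the next update.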
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (node-v18.2.0-stripped.tar.gz) = c51881ae16d950a8a9f3e123b8901937b0152e81128a51645cdc07408a076cc4212883a408b3e88de91bfa30d6d2dc327a1f7b842e4b78f62defb13d78d4d08b
|
||||
SHA512 (icu4c-71_1-src.tgz) = 1fd2a20aef48369d1f06e2bb74584877b8ad0eb529320b976264ec2db87420bae242715795f372dbc513ea80047bc49077a064e78205cd5e8b33d746fd2a2912
|
||||
SHA512 (icu4c-70_1-src.tgz) = 0b26ae7207155cb65a8fdb25f7b2fa4431e74b12bccbed0884a17feaae3c96833d12451064dd152197fd6ea5fd3adfd95594284a463e66c82e0d860f645880c9
|
||||
SHA512 (node-v18.7.0-stripped.tar.gz) = 710c3ab1e8417bcda55ab7aa74b9c54367d899f8a039cff3d6644d3d15fae98ce257e1632f997ad2f67132b17fc585c1e1de0f570add6ffb7e5d6b5405e1bb29
|
||||
|