From ea52153f16bcdcc3a6d1b64e011d41bcc36afc71 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 27 Sep 2022 08:42:12 -0400
Subject: [PATCH] import nodejs-12.22.12-1.module+el8.6.0+15324+1f2c5d8d

---
 .gitignore                                    |   2 +-
 .nodejs.metadata                              |   2 +-
 ...005-CVE-2021-23343-nodejs-path-parse.patch | 180 ------------------
 SPECS/nodejs.spec                             |  40 ++--
 4 files changed, 25 insertions(+), 199 deletions(-)
 delete mode 100644 SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch

diff --git a/.gitignore b/.gitignore
index d8fc543..fd2a6fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.22.5-stripped.tar.gz
+SOURCES/node-v12.22.12-stripped.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index c0867c1..2416ae1 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,2 +1,2 @@
 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
-bb98afb22215e659a77853964f7575da6b1535e3 SOURCES/node-v12.22.5-stripped.tar.gz
+49c907b1445701724914a0571bf6be62a25583af SOURCES/node-v12.22.12-stripped.tar.gz
diff --git a/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch b/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch
deleted file mode 100644
index 201721d..0000000
--- a/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-https://github.com/jbgutierrez/path-parse/pull/10
-
-From 72c38e3a36b8ed2ec03960ac659aa114cbe6a420 Mon Sep 17 00:00:00 2001
-From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>
-Date: Thu, 13 May 2021 10:53:50 -0400
-Subject: [PATCH 1/2] fixed regexes to avoid ReDoS attacks
-
-Signed-off-by: rpm-build <rpm-build>
----
- deps/npm/node_modules/path-parse/index.js |  6 +++---
- deps/npm/node_modules/path-parse/redos.js | 20 ++++++++++++++++++++
- 2 files changed, 23 insertions(+), 3 deletions(-)
- create mode 100644 deps/npm/node_modules/path-parse/redos.js
-
-diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
-index 3b7601f..e6b2af1 100644
---- a/deps/npm/node_modules/path-parse/index.js
-+++ b/deps/npm/node_modules/path-parse/index.js
-@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32';
- // Regex to split a windows path into three parts: [*, device, slash,
- // tail] windows-only
- var splitDeviceRe =
--    /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/;
-+    /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
-
- // Regex to split the tail part of the above into [*, dir, basename, ext]
- var splitTailRe =
--    /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
-+    /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
-
- var win32 = {};
-
-@@ -51,7 +51,7 @@ win32.parse = function(pathString) {
- // Split a filename into [root, dir, basename, ext], unix version
- // 'root' is just a slash, or nothing.
- var splitPathRe =
--    /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
-+    /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
- var posix = {};
-
-
-diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js
-new file mode 100644
-index 0000000..261947f
---- /dev/null
-+++ b/deps/npm/node_modules/path-parse/redos.js
-@@ -0,0 +1,20 @@
-+var pathParse = require('.');
-+
-+function build_attack(n) {
-+    var ret = ""
-+    for (var i = 0; i < n; i++) {
-+        ret += "/"
-+    }
-+    return ret + "◎";
-+}
-+
-+for(var i = 1; i <= 5000000; i++) {
-+    if (i % 10000 == 0) {
-+        var time = Date.now();
-+        var attack_str = build_attack(i)
-+        pathParse.posix(attack_str);
-+        pathParse.win32(attack_str);
-+        var time_cost = Date.now() - time;
-+        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
-+    }
-+}
---
-2.31.1
-
-
-From 44d1c9cd047988bb819707c726d9640f8aabe04d Mon Sep 17 00:00:00 2001
-From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>
-Date: Thu, 13 May 2021 11:51:45 -0400
-Subject: [PATCH 2/2] streamlined regexes, simplified parse() returns
-
-Signed-off-by: rpm-build <rpm-build>
----
- deps/npm/node_modules/path-parse/index.js | 52 ++++++++---------------
- 1 file changed, 17 insertions(+), 35 deletions(-)
-
-diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
-index e6b2af1..f062d0a 100644
---- a/deps/npm/node_modules/path-parse/index.js
-+++ b/deps/npm/node_modules/path-parse/index.js
-@@ -2,29 +2,14 @@
-
- var isWindows = process.platform === 'win32';
-
--// Regex to split a windows path into three parts: [*, device, slash,
--// tail] windows-only
--var splitDeviceRe =
--    /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
--
--// Regex to split the tail part of the above into [*, dir, basename, ext]
--var splitTailRe =
--    /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
-+// Regex to split a windows path into into [dir, root, basename, name, ext]
-+var splitWindowsRe =
-+    /^(((?:[a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/]*[\\\/])*)((\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))[\\\/]*$/;
-
- var win32 = {};
-
--// Function to split a filename into [root, dir, basename, ext]
- function win32SplitPath(filename) {
--  // Separate device+slash from tail
--  var result = splitDeviceRe.exec(filename),
--      device = (result[1] || '') + (result[2] || ''),
--      tail = result[3] || '';
--  // Split the tail into dir, basename and extension
--  var result2 = splitTailRe.exec(tail),
--      dir = result2[1],
--      basename = result2[2],
--      ext = result2[3];
--  return [device, dir, basename, ext];
-+  return splitWindowsRe.exec(filename).slice(1);
- }
-
- win32.parse = function(pathString) {
-@@ -34,24 +19,24 @@ win32.parse = function(pathString) {
-     );
-   }
-   var allParts = win32SplitPath(pathString);
--  if (!allParts || allParts.length !== 4) {
-+  if (!allParts || allParts.length !== 5) {
-     throw new TypeError("Invalid path '" + pathString + "'");
-   }
-   return {
--    root: allParts[0],
--    dir: allParts[0] + allParts[1].slice(0, -1),
-+    root: allParts[1],
-+    dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1),
-     base: allParts[2],
--    ext: allParts[3],
--    name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
-+    ext: allParts[4],
-+    name: allParts[3]
-   };
- };
-
-
-
--// Split a filename into [root, dir, basename, ext], unix version
-+// Split a filename into [dir, root, basename, name, ext], unix version
- // 'root' is just a slash, or nothing.
- var splitPathRe =
--    /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
-+    /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/;
- var posix = {};
-
-
-@@ -67,19 +52,16 @@ posix.parse = function(pathString) {
-     );
-   }
-   var allParts = posixSplitPath(pathString);
--  if (!allParts || allParts.length !== 4) {
-+  if (!allParts || allParts.length !== 5) {
-     throw new TypeError("Invalid path '" + pathString + "'");
-   }
--  allParts[1] = allParts[1] || '';
--  allParts[2] = allParts[2] || '';
--  allParts[3] = allParts[3] || '';
--
-+
-   return {
--    root: allParts[0],
--    dir: allParts[0] + allParts[1].slice(0, -1),
-+    root: allParts[1],
-+    dir: allParts[0].slice(0, -1),
-     base: allParts[2],
--    ext: allParts[3],
--    name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
-+    ext: allParts[4],
-+    name: allParts[3],
-   };
- };
-
---
-2.31.1
-
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 28a459a..76271b4 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -30,7 +30,7 @@
 %global nodejs_epoch 1
 %global nodejs_major 12
 %global nodejs_minor 22
-%global nodejs_patch 5
+%global nodejs_patch 12
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -57,8 +57,8 @@
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
 %global c_ares_major 1
-%global c_ares_minor 17
-%global c_ares_patch 2
+%global c_ares_minor 18
+%global c_ares_patch 1
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
 
 # http-parser - from deps/http_parser/http_parser.h
@@ -70,7 +70,7 @@
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 2
 %global llhttp_minor 1
-%global llhttp_patch 3
+%global llhttp_patch 4
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 
 # libuv - from deps/uv/include/uv/version.h
@@ -106,7 +106,7 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 14
+%global npm_patch 16
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -174,8 +174,6 @@ Patch3: 0003-src-use-getauxval-in-node_main.cc.patch
 #  https://github.com/nodejs/node/issues/34903
 Patch4: 0004-always-available-fips-options.patch
 
-Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch
-
 BuildRequires: make
 BuildRequires: python2-devel
 BuildRequires: python3-devel
@@ -467,6 +465,7 @@ export LDFLAGS="%{build_ldflags}"
 #           --shared-zlib \
 #           --shared-brotli \
 #           --shared-libuv \
+#           --shared-nghttp2 \
 #           --with-dtrace \
 #           --with-intl=%{icu_flag} \
 #           --with-icu-default-data-dir=%{icudatadir} \
@@ -872,30 +871,37 @@ end
 
 
 %changelog
+* Mon May 16 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.12-1
+- Resolves: RHBZ#2084651
+- Resolves: #2086773, #2086777, #2086781, #2086786, #2086790
+- Resolves: #2086795, #2086799, #2086804, #2086809, #2086813
+- Rebase to last v12.x release
+- Remove patch for CVE-2021-23343
+
 * Mon Aug 16 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.5-1
 - Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940,
-- CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
-- Resolves RHBZ#1951621 (make FIPS always available)
-- Resolves: RHBZ#1988595, RHBZ#1993992, RHBZ#1993989, RHBZ#1993093
-- Resolves: RHBZ#1994025, RHBZ#1994403, RHBZ#1994407, RHBZ#1994399
-- Resolves: RHBZ#1993927 (make FIPS always available)
+- Resolves CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
+- Resolves: RHBZ#1951621 (make FIPS always available)
+- Resolves: RHBZ#1988596, RHBZ#1993814, RHBZ#1993808, RHBZ#1993094
+- Resolves: RHBZ#1986742, RHBZ#1993946, RHBZ#1993939, RHBZ#1989426
 
 * Mon Aug 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-3
 - Resolves CVE-2021-23362 CVE-2021-27290
-- Resolves: RHBZ#1991584, RHBZ#1991578
+- Resolves: RHBZ#1945512, RHBZ#1945286
 - Add missing CVE trackers
 
 * Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-2
-- Resolves: RHBZ#1980031, RHBZ#1978201
+- Resolves: RHBZ#1979843, RHBZ#1977759
+- Resolves: RHBz#1952915
 - Fix typo, BR systemtap-sdt-level always, remove y18n patch
 
 * Wed Jul 07 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-1
-- Resolves: RHBZ#1980031, RHBZ#1978201
-- Resolves #1952915
+- Resolves: RHBZ#1979843, RHBZ#1977759
+- Resolves: RHBz#1952915
 - Resolves CVE-2021-22918(libuv), use system cipher list
 
 * Tue Mar 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.21.0-1
-- Resolves: RHBZ#1932316, RHBZ#1932365
+- Resolves: RHBZ#1934566, RHBZ#1934598
 - remove --debug-nghttp2 option
 - remove ini patch
 - Backport patch to use getauxval