import nodejs-12.22.12-1.module+el8.6.0+15324+1f2c5d8d
This commit is contained in:
parent
f1bbfe7449
commit
ea52153f16
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
|||||||
SOURCES/icu4c-67_1-src.tgz
|
SOURCES/icu4c-67_1-src.tgz
|
||||||
SOURCES/node-v12.22.5-stripped.tar.gz
|
SOURCES/node-v12.22.12-stripped.tar.gz
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
|
6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
|
||||||
bb98afb22215e659a77853964f7575da6b1535e3 SOURCES/node-v12.22.5-stripped.tar.gz
|
49c907b1445701724914a0571bf6be62a25583af SOURCES/node-v12.22.12-stripped.tar.gz
|
||||||
|
@ -1,180 +0,0 @@
|
|||||||
https://github.com/jbgutierrez/path-parse/pull/10
|
|
||||||
|
|
||||||
From 72c38e3a36b8ed2ec03960ac659aa114cbe6a420 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>
|
|
||||||
Date: Thu, 13 May 2021 10:53:50 -0400
|
|
||||||
Subject: [PATCH 1/2] fixed regexes to avoid ReDoS attacks
|
|
||||||
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
deps/npm/node_modules/path-parse/index.js | 6 +++---
|
|
||||||
deps/npm/node_modules/path-parse/redos.js | 20 ++++++++++++++++++++
|
|
||||||
2 files changed, 23 insertions(+), 3 deletions(-)
|
|
||||||
create mode 100644 deps/npm/node_modules/path-parse/redos.js
|
|
||||||
|
|
||||||
diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
|
|
||||||
index 3b7601f..e6b2af1 100644
|
|
||||||
--- a/deps/npm/node_modules/path-parse/index.js
|
|
||||||
+++ b/deps/npm/node_modules/path-parse/index.js
|
|
||||||
@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32';
|
|
||||||
// Regex to split a windows path into three parts: [*, device, slash,
|
|
||||||
// tail] windows-only
|
|
||||||
var splitDeviceRe =
|
|
||||||
- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/;
|
|
||||||
+ /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
|
|
||||||
|
|
||||||
// Regex to split the tail part of the above into [*, dir, basename, ext]
|
|
||||||
var splitTailRe =
|
|
||||||
- /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
|
|
||||||
+ /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
|
|
||||||
|
|
||||||
var win32 = {};
|
|
||||||
|
|
||||||
@@ -51,7 +51,7 @@ win32.parse = function(pathString) {
|
|
||||||
// Split a filename into [root, dir, basename, ext], unix version
|
|
||||||
// 'root' is just a slash, or nothing.
|
|
||||||
var splitPathRe =
|
|
||||||
- /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
|
|
||||||
+ /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
|
|
||||||
var posix = {};
|
|
||||||
|
|
||||||
|
|
||||||
diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..261947f
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/deps/npm/node_modules/path-parse/redos.js
|
|
||||||
@@ -0,0 +1,20 @@
|
|
||||||
+var pathParse = require('.');
|
|
||||||
+
|
|
||||||
+function build_attack(n) {
|
|
||||||
+ var ret = ""
|
|
||||||
+ for (var i = 0; i < n; i++) {
|
|
||||||
+ ret += "/"
|
|
||||||
+ }
|
|
||||||
+ return ret + "◎";
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+for(var i = 1; i <= 5000000; i++) {
|
|
||||||
+ if (i % 10000 == 0) {
|
|
||||||
+ var time = Date.now();
|
|
||||||
+ var attack_str = build_attack(i)
|
|
||||||
+ pathParse.posix(attack_str);
|
|
||||||
+ pathParse.win32(attack_str);
|
|
||||||
+ var time_cost = Date.now() - time;
|
|
||||||
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
||||||
|
|
||||||
From 44d1c9cd047988bb819707c726d9640f8aabe04d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>
|
|
||||||
Date: Thu, 13 May 2021 11:51:45 -0400
|
|
||||||
Subject: [PATCH 2/2] streamlined regexes, simplified parse() returns
|
|
||||||
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
deps/npm/node_modules/path-parse/index.js | 52 ++++++++---------------
|
|
||||||
1 file changed, 17 insertions(+), 35 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
|
|
||||||
index e6b2af1..f062d0a 100644
|
|
||||||
--- a/deps/npm/node_modules/path-parse/index.js
|
|
||||||
+++ b/deps/npm/node_modules/path-parse/index.js
|
|
||||||
@@ -2,29 +2,14 @@
|
|
||||||
|
|
||||||
var isWindows = process.platform === 'win32';
|
|
||||||
|
|
||||||
-// Regex to split a windows path into three parts: [*, device, slash,
|
|
||||||
-// tail] windows-only
|
|
||||||
-var splitDeviceRe =
|
|
||||||
- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
|
|
||||||
-
|
|
||||||
-// Regex to split the tail part of the above into [*, dir, basename, ext]
|
|
||||||
-var splitTailRe =
|
|
||||||
- /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
|
|
||||||
+// Regex to split a windows path into into [dir, root, basename, name, ext]
|
|
||||||
+var splitWindowsRe =
|
|
||||||
+ /^(((?:[a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/]*[\\\/])*)((\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))[\\\/]*$/;
|
|
||||||
|
|
||||||
var win32 = {};
|
|
||||||
|
|
||||||
-// Function to split a filename into [root, dir, basename, ext]
|
|
||||||
function win32SplitPath(filename) {
|
|
||||||
- // Separate device+slash from tail
|
|
||||||
- var result = splitDeviceRe.exec(filename),
|
|
||||||
- device = (result[1] || '') + (result[2] || ''),
|
|
||||||
- tail = result[3] || '';
|
|
||||||
- // Split the tail into dir, basename and extension
|
|
||||||
- var result2 = splitTailRe.exec(tail),
|
|
||||||
- dir = result2[1],
|
|
||||||
- basename = result2[2],
|
|
||||||
- ext = result2[3];
|
|
||||||
- return [device, dir, basename, ext];
|
|
||||||
+ return splitWindowsRe.exec(filename).slice(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
win32.parse = function(pathString) {
|
|
||||||
@@ -34,24 +19,24 @@ win32.parse = function(pathString) {
|
|
||||||
);
|
|
||||||
}
|
|
||||||
var allParts = win32SplitPath(pathString);
|
|
||||||
- if (!allParts || allParts.length !== 4) {
|
|
||||||
+ if (!allParts || allParts.length !== 5) {
|
|
||||||
throw new TypeError("Invalid path '" + pathString + "'");
|
|
||||||
}
|
|
||||||
return {
|
|
||||||
- root: allParts[0],
|
|
||||||
- dir: allParts[0] + allParts[1].slice(0, -1),
|
|
||||||
+ root: allParts[1],
|
|
||||||
+ dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1),
|
|
||||||
base: allParts[2],
|
|
||||||
- ext: allParts[3],
|
|
||||||
- name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
|
|
||||||
+ ext: allParts[4],
|
|
||||||
+ name: allParts[3]
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
-// Split a filename into [root, dir, basename, ext], unix version
|
|
||||||
+// Split a filename into [dir, root, basename, name, ext], unix version
|
|
||||||
// 'root' is just a slash, or nothing.
|
|
||||||
var splitPathRe =
|
|
||||||
- /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
|
|
||||||
+ /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/;
|
|
||||||
var posix = {};
|
|
||||||
|
|
||||||
|
|
||||||
@@ -67,19 +52,16 @@ posix.parse = function(pathString) {
|
|
||||||
);
|
|
||||||
}
|
|
||||||
var allParts = posixSplitPath(pathString);
|
|
||||||
- if (!allParts || allParts.length !== 4) {
|
|
||||||
+ if (!allParts || allParts.length !== 5) {
|
|
||||||
throw new TypeError("Invalid path '" + pathString + "'");
|
|
||||||
}
|
|
||||||
- allParts[1] = allParts[1] || '';
|
|
||||||
- allParts[2] = allParts[2] || '';
|
|
||||||
- allParts[3] = allParts[3] || '';
|
|
||||||
-
|
|
||||||
+
|
|
||||||
return {
|
|
||||||
- root: allParts[0],
|
|
||||||
- dir: allParts[0] + allParts[1].slice(0, -1),
|
|
||||||
+ root: allParts[1],
|
|
||||||
+ dir: allParts[0].slice(0, -1),
|
|
||||||
base: allParts[2],
|
|
||||||
- ext: allParts[3],
|
|
||||||
- name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
|
|
||||||
+ ext: allParts[4],
|
|
||||||
+ name: allParts[3],
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
@ -30,7 +30,7 @@
|
|||||||
%global nodejs_epoch 1
|
%global nodejs_epoch 1
|
||||||
%global nodejs_major 12
|
%global nodejs_major 12
|
||||||
%global nodejs_minor 22
|
%global nodejs_minor 22
|
||||||
%global nodejs_patch 5
|
%global nodejs_patch 12
|
||||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||||
%if %{?with_libs} == 1
|
%if %{?with_libs} == 1
|
||||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||||
@ -57,8 +57,8 @@
|
|||||||
# c-ares - from deps/cares/include/ares_version.h
|
# c-ares - from deps/cares/include/ares_version.h
|
||||||
# https://github.com/nodejs/node/pull/9332
|
# https://github.com/nodejs/node/pull/9332
|
||||||
%global c_ares_major 1
|
%global c_ares_major 1
|
||||||
%global c_ares_minor 17
|
%global c_ares_minor 18
|
||||||
%global c_ares_patch 2
|
%global c_ares_patch 1
|
||||||
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
|
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
|
||||||
|
|
||||||
# http-parser - from deps/http_parser/http_parser.h
|
# http-parser - from deps/http_parser/http_parser.h
|
||||||
@ -70,7 +70,7 @@
|
|||||||
# llhttp - from deps/llhttp/include/llhttp.h
|
# llhttp - from deps/llhttp/include/llhttp.h
|
||||||
%global llhttp_major 2
|
%global llhttp_major 2
|
||||||
%global llhttp_minor 1
|
%global llhttp_minor 1
|
||||||
%global llhttp_patch 3
|
%global llhttp_patch 4
|
||||||
%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
|
%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
|
||||||
|
|
||||||
# libuv - from deps/uv/include/uv/version.h
|
# libuv - from deps/uv/include/uv/version.h
|
||||||
@ -106,7 +106,7 @@
|
|||||||
%global npm_epoch 1
|
%global npm_epoch 1
|
||||||
%global npm_major 6
|
%global npm_major 6
|
||||||
%global npm_minor 14
|
%global npm_minor 14
|
||||||
%global npm_patch 14
|
%global npm_patch 16
|
||||||
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
||||||
|
|
||||||
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
||||||
@ -174,8 +174,6 @@ Patch3: 0003-src-use-getauxval-in-node_main.cc.patch
|
|||||||
# https://github.com/nodejs/node/issues/34903
|
# https://github.com/nodejs/node/issues/34903
|
||||||
Patch4: 0004-always-available-fips-options.patch
|
Patch4: 0004-always-available-fips-options.patch
|
||||||
|
|
||||||
Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch
|
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: python2-devel
|
BuildRequires: python2-devel
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
@ -467,6 +465,7 @@ export LDFLAGS="%{build_ldflags}"
|
|||||||
# --shared-zlib \
|
# --shared-zlib \
|
||||||
# --shared-brotli \
|
# --shared-brotli \
|
||||||
# --shared-libuv \
|
# --shared-libuv \
|
||||||
|
# --shared-nghttp2 \
|
||||||
# --with-dtrace \
|
# --with-dtrace \
|
||||||
# --with-intl=%{icu_flag} \
|
# --with-intl=%{icu_flag} \
|
||||||
# --with-icu-default-data-dir=%{icudatadir} \
|
# --with-icu-default-data-dir=%{icudatadir} \
|
||||||
@ -872,30 +871,37 @@ end
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 16 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.12-1
|
||||||
|
- Resolves: RHBZ#2084651
|
||||||
|
- Resolves: #2086773, #2086777, #2086781, #2086786, #2086790
|
||||||
|
- Resolves: #2086795, #2086799, #2086804, #2086809, #2086813
|
||||||
|
- Rebase to last v12.x release
|
||||||
|
- Remove patch for CVE-2021-23343
|
||||||
|
|
||||||
* Mon Aug 16 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.5-1
|
* Mon Aug 16 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.5-1
|
||||||
- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940,
|
- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940,
|
||||||
- CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
|
- Resolves CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
|
||||||
- Resolves RHBZ#1951621 (make FIPS always available)
|
- Resolves: RHBZ#1951621 (make FIPS always available)
|
||||||
- Resolves: RHBZ#1988595, RHBZ#1993992, RHBZ#1993989, RHBZ#1993093
|
- Resolves: RHBZ#1988596, RHBZ#1993814, RHBZ#1993808, RHBZ#1993094
|
||||||
- Resolves: RHBZ#1994025, RHBZ#1994403, RHBZ#1994407, RHBZ#1994399
|
- Resolves: RHBZ#1986742, RHBZ#1993946, RHBZ#1993939, RHBZ#1989426
|
||||||
- Resolves: RHBZ#1993927 (make FIPS always available)
|
|
||||||
|
|
||||||
* Mon Aug 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-3
|
* Mon Aug 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-3
|
||||||
- Resolves CVE-2021-23362 CVE-2021-27290
|
- Resolves CVE-2021-23362 CVE-2021-27290
|
||||||
- Resolves: RHBZ#1991584, RHBZ#1991578
|
- Resolves: RHBZ#1945512, RHBZ#1945286
|
||||||
- Add missing CVE trackers
|
- Add missing CVE trackers
|
||||||
|
|
||||||
* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-2
|
* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-2
|
||||||
- Resolves: RHBZ#1980031, RHBZ#1978201
|
- Resolves: RHBZ#1979843, RHBZ#1977759
|
||||||
|
- Resolves: RHBz#1952915
|
||||||
- Fix typo, BR systemtap-sdt-level always, remove y18n patch
|
- Fix typo, BR systemtap-sdt-level always, remove y18n patch
|
||||||
|
|
||||||
* Wed Jul 07 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-1
|
* Wed Jul 07 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-1
|
||||||
- Resolves: RHBZ#1980031, RHBZ#1978201
|
- Resolves: RHBZ#1979843, RHBZ#1977759
|
||||||
- Resolves #1952915
|
- Resolves: RHBz#1952915
|
||||||
- Resolves CVE-2021-22918(libuv), use system cipher list
|
- Resolves CVE-2021-22918(libuv), use system cipher list
|
||||||
|
|
||||||
* Tue Mar 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.21.0-1
|
* Tue Mar 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.21.0-1
|
||||||
- Resolves: RHBZ#1932316, RHBZ#1932365
|
- Resolves: RHBZ#1934566, RHBZ#1934598
|
||||||
- remove --debug-nghttp2 option
|
- remove --debug-nghttp2 option
|
||||||
- remove ini patch
|
- remove ini patch
|
||||||
- Backport patch to use getauxval
|
- Backport patch to use getauxval
|
||||||
|
Loading…
Reference in New Issue
Block a user