import nodejs-14.15.4-2.module+el8.3.0+9635+ffdf8381

2021-03-30 15:28:01 -04:00 · 2021-03-30 15:28:01 -04:00 · f064590a86
parent 25b4e9c700
commit f064590a86
7 changed files with 257 additions and 23 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
 SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v14.4.0-stripped.tar.gz
+SOURCES/node-v14.15.4-stripped.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,2 +1,2 @@
 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
-c2e32882776f5cb22d297deb023c650d04b32604 SOURCES/node-v14.4.0-stripped.tar.gz
+5defcd39ec57a7d529ae6343b9022f2c0e5e6e5f SOURCES/node-v14.15.4-stripped.tar.gz
--- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
@ -1,6 +1,6 @@
-From 65f5eb67f4691ab535cc00240a00bd33efe29969 Mon Sep 17 00:00:00 2001
+From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
-Date: Thu, 27 Apr 2017 14:25:42 +0200
+Date: Fri, 17 Apr 2020 12:59:44 +0200
 Subject: [PATCH 1/2] Disable running gyp on shared deps

 ---
@ -8,18 +8,22 @@ Subject: [PATCH 1/2] Disable running gyp on shared deps
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/Makefile b/Makefile
-index 34cdec7f7767b5152678adaeea10a8cf711fb9a8..3b548907033108831e99e054bc84d3ce91daa25c 100644
+index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -141,7 +141,7 @@ test-code-cache: with-code-cache
- 	echo "'test-code-cache' target is a noop"
-
+@@ -136,11 +136,11 @@ endif
+ .PHONY: test-code-cache
+ with-code-cache test-code-cache:
+ 	$(warning '$@' target is a noop)
+ 
 out/Makefile: config.gypi common.gypi node.gyp \
 -	deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
-+	deps/uv/uv.gyp deps/llhttp/llhttp.gyp \
+	deps/llhttp/llhttp.gyp \
 	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
 	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
 	$(PYTHON) tools/gyp_node.py -f make
--
-2.24.1
+ 
+ # node_version.h is listed because the N-API version is taken from there
+-- 
+2.29.2

--- a/SOURCES/0003-yarn-not-installable-on-aarch64.patch
+++ b/SOURCES/0003-yarn-not-installable-on-aarch64.patch
@ -0,0 +1,92 @@
+ From d4d05ceb418c525b0d07e76b81b8694ac2f5b309 Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius <daniel.bevenius@gmail.com>
+Date: Wed, 16 Sep 2020 06:12:54 +0200
+Subject: [PATCH] [deps] V8: cherry-pick 71736859756b2bd0444bdb0a87a
+
+Original commit message:
+
+   [heap] Add large_object_threshold to AllocateRaw
+
+   This commit adds a check in Heap::AllocateRaw when setting the
+   large_object variable, when the AllocationType is of type kCode, to
+   take into account the size of the CodeSpace's area size.
+
+   The motivation for this change is that without this check it is
+   possible that size_in_bytes is less than 128, and hence not considered
+   a large object, but it might be larger than the available space
+   in code_space->AreaSize(), which will cause the object to be created
+   in the CodeLargeObjectSpace. This will later cause a segmentation fault
+   when calling the following chain of functions:
+
+      if (!large_object) {
+         MemoryChunk::FromHeapObject(heap_object)
+             ->GetCodeObjectRegistry()
+             ->RegisterNewlyAllocatedCodeObject(heap_object.address());
+      }
+
+   We (Red Hat) ran into this issue when running Node.js v12.16.1 in
+   combination with yarn on aarch64 (this was the only architecture that
+   this happed on).
+
+   Bug: v8:10808
+   Change-Id: I0c396b0eb64bc4cc91d9a3be521254f3130eac7b
+   Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2390665
+   Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
+   Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
+   Cr-Commit-Position: refs/heads/master@{#69876}
+
+Refs: https://github.com/v8/v8/commit/71736859756b2bd0444bdb0a87a61a0b090cbba2
+---
+ deps/v8/src/heap/heap-inl.h            | 13 +++--
+ deps/v8/src/heap/heap.h                |  6 ++-
+ 4 files changed, 83 insertions(+), 6 deletions(-)
+
+diff --git a/deps/v8/src/heap/heap-inl.h b/deps/v8/src/heap/heap-inl.h
+index 39f5ec6c66e..b56ebc03d58 100644
+--- a/deps/v8/src/heap/heap-inl.h
+++ b/deps/v8/src/heap/heap-inl.h
+@@ -192,7 +192,12 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationType type,
+   IncrementObjectCounters();
+ #endif
+ 
+-  bool large_object = size_in_bytes > kMaxRegularHeapObjectSize;
+  size_t large_object_threshold =
+      AllocationType::kCode == type
+          ? std::min(kMaxRegularHeapObjectSize, code_space()->AreaSize())
+          : kMaxRegularHeapObjectSize;
+  bool large_object =
+      static_cast<size_t>(size_in_bytes) > large_object_threshold;
+ 
+   HeapObject object;
+   AllocationResult allocation;
+@@ -225,10 +230,10 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationType type,
+         allocation = old_space_->AllocateRaw(size_in_bytes, alignment, origin);
+       }
+     } else if (AllocationType::kCode == type) {
+-      if (size_in_bytes <= code_space()->AreaSize() && !large_object) {
+-        allocation = code_space_->AllocateRawUnaligned(size_in_bytes);
+-      } else {
+      if (large_object) {
+         allocation = code_lo_space_->AllocateRaw(size_in_bytes);
+      } else {
+        allocation = code_space_->AllocateRawUnaligned(size_in_bytes);
+       }
+     } else if (AllocationType::kMap == type) {
+       allocation = map_space_->AllocateRawUnaligned(size_in_bytes);
+diff --git a/deps/v8/src/heap/heap.h b/deps/v8/src/heap/heap.h
+index 888d174c02f..0165fa6970f 100644
+--- a/deps/v8/src/heap/heap.h
+++ b/deps/v8/src/heap/heap.h
+@@ -1404,8 +1404,10 @@ class Heap {
+   // Heap object allocation tracking. ==========================================
+   // ===========================================================================
+ 
+-  void AddHeapObjectAllocationTracker(HeapObjectAllocationTracker* tracker);
+-  void RemoveHeapObjectAllocationTracker(HeapObjectAllocationTracker* tracker);
+  V8_EXPORT_PRIVATE void AddHeapObjectAllocationTracker(
+      HeapObjectAllocationTracker* tracker);
+  V8_EXPORT_PRIVATE void RemoveHeapObjectAllocationTracker(
+      HeapObjectAllocationTracker* tracker);
+   bool has_heap_object_allocation_tracker() const {
+     return !allocation_trackers_.empty();
+   }
--- a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+++ b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
@ -0,0 +1,13 @@
+diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
+index d720681628..727362aac0 100644
+--- a/deps/npm/node_modules/y18n/index.js
+++ b/deps/npm/node_modules/y18n/index.js
+@@ -11,7 +11,7 @@ function Y18N (opts) {
+   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
+ 
+   // internal stuff.
+-  this.cache = {}
+  this.cache = Object.create(null)
+   this.writeQueue = []
+ }
+ 
--- a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+++ b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
@ -0,0 +1,99 @@
+From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
+From: isaacs <i@izs.me>
+Date: Tue, 8 Dec 2020 14:21:50 -0800
+Subject: [PATCH] do not allow invalid hazardous string as section name
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/ini/ini.js        |  8 +++++
+ deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+ create mode 100644 deps/npm/node_modules/ini/test/proto.js
+
+diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
+index 590195d..0401258 100644
+--- a/deps/npm/node_modules/ini/ini.js
+++ b/deps/npm/node_modules/ini/ini.js
+@@ -80,6 +80,12 @@ function decode (str) {
+     if (!match) return
+     if (match[1] !== undefined) {
+       section = unsafe(match[1])
+      if (section === '__proto__') {
+        // not allowed
+        // keep parsing the section, but don't attach it.
+        p = {}
+        return
+      }
+       p = out[section] = out[section] || {}
+       return
+     }
+@@ -94,6 +100,7 @@ function decode (str) {
+     // Convert keys with '[]' suffix to an array
+     if (key.length > 2 && key.slice(-2) === '[]') {
+       key = key.substring(0, key.length - 2)
+      if (key === '__proto__') return
+       if (!p[key]) {
+         p[key] = []
+       } else if (!Array.isArray(p[key])) {
+@@ -125,6 +132,7 @@ function decode (str) {
+     var l = parts.pop()
+     var nl = l.replace(/\\\./g, '.')
+     parts.forEach(function (part, _, __) {
+      if (part === '__proto__') return
+       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+       p = p[part]
+     })
+diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
+new file mode 100644
+index 0000000..ab35533
+--- /dev/null
+++ b/deps/npm/node_modules/ini/test/proto.js
+@@ -0,0 +1,45 @@
+var ini = require('../')
+var t = require('tap')
+
+var data = `
+__proto__ = quux
+foo = baz
+[__proto__]
+foo = bar
+[other]
+foo = asdf
+[kid.__proto__.foo]
+foo = kid
+[arrproto]
+hello = snyk
+__proto__[] = you did a good job
+__proto__[] = so you deserve arrays
+thanks = true
+`
+var res = ini.parse(data)
+t.deepEqual(res, {
+  foo: 'baz',
+  other: {
+    foo: 'asdf',
+  },
+  kid: {
+    foo: {
+      foo: 'kid',
+    },
+  },
+  arrproto: {
+    hello: 'snyk',
+    thanks: true,
+  },
+})
+t.equal(res.__proto__, Object.prototype)
+t.equal(res.kid.__proto__, Object.prototype)
+t.equal(res.kid.foo.__proto__, Object.prototype)
+t.equal(res.arrproto.__proto__, Object.prototype)
+t.equal(Object.prototype.foo, undefined)
+t.equal(Object.prototype[0], undefined)
+t.equal(Object.prototype['0'], undefined)
+t.equal(Object.prototype[1], undefined)
+t.equal(Object.prototype['1'], undefined)
+t.equal(Array.prototype[0], undefined)
+t.equal(Array.prototype[1], undefined)
+--
+2.29.2
+
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -15,7 +15,7 @@
 # This is used by both the nodejs package and the npm subpackage thar
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 2

 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}

@ -26,8 +26,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 14
-%global nodejs_minor 4
-%global nodejs_patch 0
+%global nodejs_minor 15
+%global nodejs_patch 4
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -43,9 +43,9 @@
 # Epoch is set to ensure clean upgrades from the old v8 package
 %global v8_epoch 2
 %global v8_major 8
-%global v8_minor 1
-%global v8_build 307
-%global v8_patch 31
+%global v8_minor 4
+%global v8_build 371
+%global v8_patch 19
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@ -55,18 +55,18 @@
 # https://github.com/nodejs/node/pull/9332
 %global c_ares_major 1
 %global c_ares_minor 16
-%global c_ares_patch 0
+%global c_ares_patch 1
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}

 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 2
-%global llhttp_minor 0
-%global llhttp_patch 4
+%global llhttp_minor 1
+%global llhttp_patch 3
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}

 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
-%global libuv_minor 37
+%global libuv_minor 40
 %global libuv_patch 0
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}

@ -110,13 +110,13 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 5
+%global npm_patch 10
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}

 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
 %global uvwasi_minor 0
-%global uvwasi_patch 8
+%global uvwasi_patch 11
 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}

 # histogram_c - assumed from timestamps
@ -165,6 +165,15 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 %endif

+# RHBZ#1915296 - yarn install crashes with nodejs:14 on aarch64 
+Patch3: 0003-yarn-not-installable-on-aarch64.patch
+
+# CVE-2020-7774
+Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+
+# CVE-2020-7788
+Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
 BuildRequires: brotli-devel
@ -819,6 +828,23 @@ end


 %changelog
+* Tue Jan 26 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.4-2
+- Add patch for yarn crash
+- Resolves: RHBZ#1916465
+
+* Tue Jan 19 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.4-1
+- Security rebase to 14.15.4
+- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
+- Resolves: RHBZ#1916463, RHBZ#1914788
+- Resolves: RHBZ#1914785, RHBZ#1916387, RHBZ#1916389, RHBZ#1916390, RHBZ#1916690
+
+* Thu Oct 29 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.0-1
+- Update to LTS release
+- Rebase: RHBZ#1891809
+
+* Mon Sep 21 2020 Jan Staněk <jstanek@redhat.com> - 1:14.11.0-1
+- Security update to 14.11.0
+
 * Wed Jun 03 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.4.0-1
 - Security update to 14.4.0
 - Resolves: RHBZ#1815402