Rebase to 18.14.2, npm@9

Add simduft dependency
2023-03-20 16:17:41 +01:00 · 2023-03-20 16:17:41 +01:00 · f1ac163030
parent 2f3db3db97
commit f1ac163030
5 changed files with 102 additions and 38 deletions
--- a/.gitignore
+++ b/.gitignore
@ -38,3 +38,8 @@
 /undici-5.10.0.tar.gz
 /node-v18.12.1-stripped.tar.gz
 /undici-5.11.0.tar.gz
+/node-v18.14.2-stripped.tar.gz
+/icu4c-72_1-src.tgz
+/undici-5.20.0.tar.gz
+/wasi-sdk-wasi-sdk-11.tar.gz
+/wasi-sdk-wasi-sdk-14.tar.gz
--- a/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/0001-Disable-running-gyp-on-shared-deps.patch
@ -1,29 +1,18 @@
-From fe1e9d3f6d87416aa4cd8f8bee186d71a8ea2b0f Mon Sep 17 00:00:00 2001
-From: Zuzana Svetlikova <zsvetlik@redhat.com>
-Date: Fri, 17 Apr 2020 12:59:44 +0200
-Subject: [PATCH] Disable running gyp on shared deps
-
-Signed-off-by: rpm-build <rpm-build>
---
- Makefile |  2 +-
- node.gyp | 17 -----------------
- 2 files changed, 1 insertion(+), 18 deletions(-)
-
 diff --git a/Makefile b/Makefile
-index e0d756f..c90bfa7 100644
+index 9401346623..c9d3da24c5 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -147,7 +147,7 @@ with-code-cache test-code-cache:
-	$(warning '$@' target is a noop)
-
+@@ -169,7 +169,7 @@ with-code-cache test-code-cache:
+ 	$(warning '$@' target is a noop)
+ 
 out/Makefile: config.gypi common.gypi node.gyp \
 -	deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
 +	deps/llhttp/llhttp.gyp \
-	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
-	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
-	$(PYTHON) tools/gyp_node.py -f make
+ 	deps/simdutf/simdutf.gyp \
+ 	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
+ 	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
 diff --git a/node.gyp b/node.gyp
-index 6b3a6d9..5882cef 100644
+index cec24aed03..13af00f40d 100644
 --- a/node.gyp
 +++ b/node.gyp
@@ -429,23 +429,6 @@
@ -41,7 +30,7 @@ index 6b3a6d9..5882cef 100644
 -               'inputs': [ '<(opensslconfig)', ],
 -               'outputs': [ '<(opensslconfig_internal)', ],
 -               'action': [
-                 'python', 'tools/copyfile.py',
+-                 '<(python)', 'tools/copyfile.py',
 -                 '<(opensslconfig)',
 -                 '<(opensslconfig_internal)',
 -               ],
@ -50,6 +39,3 @@ index 6b3a6d9..5882cef 100644
          }],
       ],
     }, # node_core_target_name
--
-2.36.1
-
--- a/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
+++ b/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
@ -0,0 +1,53 @@
+From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
+From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
+Date: Wed, 18 Jan 2023 22:14:26 +0800
+Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
+ stack overflow (#497)
+
+In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
+the input str and initialize a sortlist configuration.
+
+However, ares_set_sortlist has not any checks about the validity of the input str.
+It is very easy to create an arbitrary length stack overflow with the unchecked
+`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
+statements in the config_sortlist call, which could potentially cause severe
+security impact in practical programs.
+
+This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
+potential stack overflows.
+
+fixes #496
+
+Fix By: @hopper-vul
+Resolves: CVE-2022-4904
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/cares/src/lib/ares_init.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
+index de5d86c..d5858f6 100644
+--- a/deps/cares/src/lib/ares_init.c
+++ b/deps/cares/src/lib/ares_init.c
+@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+       q = str;
+       while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+         q++;
+      if (q-str >= 16)
+        return ARES_EBADSTR;
+       memcpy(ipbuf, str, q-str);
+       ipbuf[q-str] = '\0';
+       /* Find the prefix */
+@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+           const char *str2 = q+1;
+           while (*q && *q != ';' && !ISSPACE(*q))
+             q++;
+          if (q-str >= 32)
+            return ARES_EBADSTR;
+           memcpy(ipbufpfx, str, q-str);
+           ipbufpfx[q-str] = '\0';
+           str = str2;
+-- 
+2.39.2
+
--- a/nodejs.spec
+++ b/nodejs.spec
@ -29,7 +29,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 2

 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}

@ -40,8 +40,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 18
-%global nodejs_minor 12
-%global nodejs_patch 1
+%global nodejs_minor 14
+%global nodejs_patch 2
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 108
@ -57,7 +57,7 @@
 %global v8_major 10
 %global v8_minor 2
 %global v8_build 154
-%global v8_patch 15
+%global v8_patch 26
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@ -71,10 +71,10 @@
 %global llhttp_version 6.0.10

 # libuv - from deps/uv/include/uv/version.h
-%global libuv_version 1.43.0
+%global libuv_version 1.44.2

 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_version 1.47.0
+%global nghttp2_version 1.51.0

 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
@ -89,7 +89,7 @@
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}

 # ICU - from tools/icu/current_ver.dep
-%global icu_major 71
+%global icu_major 72
 %global icu_minor 1
 %global icu_version %{icu_major}.%{icu_minor}

@ -107,6 +107,12 @@
 %global icu_flag full-icu
 %endif

+# simduft from deps/simdutf/simdutf.h
+%global simduft_major 2
+%global simduft_minor 0
+%global simduft_patch 7
+%global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch}
+
 # OpenSSL minimum version
 %global openssl_minimum 1:1.1.1

@ -117,7 +123,7 @@

 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 8.19.2
+%global npm_version 9.5.0

 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@ -126,7 +132,7 @@
 %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}

 # uvwasi - from deps/uvwasi/include/uvwasi.h
-%global uvwasi_version 0.0.13
+%global uvwasi_version 0.0.14

 # histogram_c - assumed from timestamps
 %global histogram_version 0.11.2
@ -169,15 +175,16 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz

 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.11.0.tar.gz
-# Adjustments: rm -f undici-5.11.0/lib/llhttp/llhttp*.wasm
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.20.0.tar.gz
+# Adjustments: rm -f undici-5.20.0/lib/llhttp/llhttp*.wasm
 # wasi-sdk version can be found in Dockerfile
 # https://github.com/nodejs/undici/blob/v5.8.2/build/Dockerfile
-Source102: undici-5.11.0.tar.gz
+Source102: undici-5.20.0.tar.gz
 Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-14.0-linux.tar.gz

 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
+Patch2: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch

 BuildRequires: make
 BuildRequires: python3-devel
@ -276,6 +283,7 @@ Provides: bundled(icu) = %{icu_version}
 # or there's no option to built it as a shared dependency, so we bundle them
 Provides: bundled(uvwasi) = %{uvwasi_version}
 Provides: bundled(histogram) = %{histogram_version}
+Provides: bundled(simduft) = %{simduft_version}

 # Make sure we keep NPM up to date when we update Node.js
 Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
@ -578,6 +586,8 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 %doc %{_mandir}/man5/package-json.5*
 %doc %{_mandir}/man5/package-lock-json.5*
 %doc %{_mandir}/man5/npm-shrinkwrap-json.5*
+%doc %{_mandir}/man5/npm-global.5.*
+%doc %{_mandir}/man5/npm-json.5.*
 %doc %{_mandir}/man7/config.7*
 %doc %{_mandir}/man7/dependency-selectors.7*
 %doc %{_mandir}/man7/developers.7*
@ -599,6 +609,16 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod


 %changelog
+* Tue Mar 21 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.14.2-2
+- Provide simduft
+- Resolves: #2159389
+
+* Mon Mar 20 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.14.2-1
+- Rebase to 18.14.2
+- Resolves: #2159389
+- Resolves: CVE-2022-25881, CVE-2022-4904, CVE-2023-23936, CVE-2023-24807
+- Resolves: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920
+
 * Wed Nov 16 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.12.1-1
 - Rebase + CVEs
 - Resolves: #2142809
--- a/6
+++ b/6
@ -1,6 +1,6 @@
-SHA512 (node-v18.12.1-stripped.tar.gz) = 83077146308a9f69ae6518309b9bafc4a1b29cd3cb9cd202f034ee764c40283cac9a8f0cf99cb20f265388461b3d5920d0f099b0f506f44b982a7a190bb31d97
-SHA512 (icu4c-71_1-src.tgz) = 1fd2a20aef48369d1f06e2bb74584877b8ad0eb529320b976264ec2db87420bae242715795f372dbc513ea80047bc49077a064e78205cd5e8b33d746fd2a2912
-SHA512 (undici-5.11.0.tar.gz) = 28d13caae0d6fe31136e8ae74e8feb82aadeada01603b1c99d39d97183d5ed2d4594b985150d8e986259081d3dd2a467e47a6d2eb0da185df93376fee114e26a
+SHA512 (node-v18.14.2-stripped.tar.gz) = 54d0b463ee429d62ad81ab6da73ac0076c6f9af8a015b9c0c1bf33aa8dc1f32a105ec269e290390e3dfc4f22f454993f579d584541ba8bfcef5d90359345f8cd
+SHA512 (icu4c-72_1-src.tgz) = 848c341b37c0ff077e34a95d92c6200d5aaddd0ee5e06134101a74e04deb08256a5e817c8aefab020986abe810b7827dd7b2169a60dacd250c298870518dcae8
+SHA512 (undici-5.20.0.tar.gz) = 75a4c164081bbc8114aceeb48680db003cb014d7f92f157d03e9a36c775606a4bede5dbba236ba1722a651ab91968cb192eeae671ec1024f826c4b452d4e20ff
 SHA512 (cjs-module-lexer-1.2.2.tar.gz) = 2c8e9caf2231ca7d61e71936305389774859aca9b5c86c63489c9a62a81f4736f99477c3f0cbb41077bb7924fdd23e0f24b7bce858e42fb0f87e7c0ffc87afeb
 SHA512 (wasi-sdk-11.0-linux.tar.gz) = e3ed4597f7f2290967eef6238e9046f60abbcb8633a4a2a51525d00e7393df8df637a98a5b668217d332dd44fcbf2442ec7efd5e65724e888d90611164451e20
 SHA512 (wasi-sdk-14.0-linux.tar.gz) = 288a367e051f5b3f5853de97fabaedd3acf2255819d50c24f48f573897518500ea808342fd9aea832b2a5717089807bf1cbcf6d46b156b4eb60cc6b3c02ee997