From f5f6ea65506a4c7546e8a1c3b7ee53b557aed9ab Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 27 Mar 2024 08:36:40 +0000 Subject: [PATCH] import UBI nodejs-18.19.1-1.module+el9.3.0+21388+22892fb9 --- .gitignore | 4 +- .nodejs.metadata | 4 +- SOURCES/nodejs-fips-disable-options.patch | 76 ++++++++++++++++++++--- SPECS/nodejs.spec | 30 ++++++--- 4 files changed, 93 insertions(+), 21 deletions(-) diff --git a/.gitignore b/.gitignore index 165727a..5654dce 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,5 @@ SOURCES/cjs-module-lexer-1.2.2.tar.gz SOURCES/icu4c-73_2-src.tgz -SOURCES/node-v18.19.0-stripped.tar.gz -SOURCES/undici-5.26.4.tar.gz +SOURCES/node-v18.19.1-stripped.tar.gz +SOURCES/undici-5.28.3.tar.gz SOURCES/wasi-sdk-11.0-linux.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index 1c243d7..ba50b7a 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,5 +1,5 @@ b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz 3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz -86902e7f408e3689e3048ae7ec047fb658be6a6e SOURCES/node-v18.19.0-stripped.tar.gz -d1dde2c4db1554f1f152d98f5fed64ea606be946 SOURCES/undici-5.26.4.tar.gz +7962d96e7c1517cf7b34395fc582b32b8acebe3a SOURCES/node-v18.19.1-stripped.tar.gz +b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz diff --git a/SOURCES/nodejs-fips-disable-options.patch b/SOURCES/nodejs-fips-disable-options.patch index 998fb91..7c4df01 100644 --- a/SOURCES/nodejs-fips-disable-options.patch +++ b/SOURCES/nodejs-fips-disable-options.patch @@ -1,15 +1,75 @@ -FIPS related options cause a segfault, let's end sooner +From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001 +From: Michael Dawson +Date: Fri, 23 Feb 2024 13:43:56 +0100 +Subject: [PATCH] Disable FIPS options + +On RHEL, FIPS should be configured only on system level. +Additionally, the related options may cause segfault when used on RHEL. + +This patch causes the option processing to end sooner +than the problematic code gets executed. +Additionally, the JS-level options to mess with FIPS settings +are similarly disabled. Upstream report: https://github.com/nodejs/node/pull/48950 RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726 +Customer case: https://access.redhat.com/support/cases/#/case/03711488 +--- + lib/crypto.js | 10 ++++++++++ + lib/internal/errors.js | 6 ++++++ + src/crypto/crypto_util.cc | 2 ++ + 3 files changed, 18 insertions(+) -This patch makes the part of the code that processes cmd-line options for -FIPS to end sooner before the code gets to the problematic part of the code. +diff --git a/lib/crypto.js b/lib/crypto.js +index 41adecc..b2627ac 100644 +--- a/lib/crypto.js ++++ b/lib/crypto.js +@@ -36,6 +36,9 @@ const { + assertCrypto(); -diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/crypto/crypto_util.cc ---- node-v18.16.1/src/crypto/crypto_util.cc.origfips 2023-07-31 12:09:46.603683081 +0200 -+++ node-v18.16.1/src/crypto/crypto_util.cc 2023-07-31 12:16:16.906617914 +0200 -@@ -111,6 +111,8 @@ bool ProcessFipsOptions() { + const { ++ // RHEL specific error ++ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED, ++ + ERR_CRYPTO_FIPS_FORCED, + } = require('internal/errors').codes; + const constants = internalBinding('constants').crypto; +@@ -251,6 +254,13 @@ function getFips() { + } + + function setFips(val) { ++ // in RHEL FIPS enable/disable should only be done at system level ++ if (getFips() != val) { ++ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED(); ++ } else { ++ return; ++ } ++ + if (getOptionValue('--force-fips')) { + if (val) return; + throw new ERR_CRYPTO_FIPS_FORCED(); +diff --git a/lib/internal/errors.js b/lib/internal/errors.js +index a722360..04d8a53 100644 +--- a/lib/internal/errors.js ++++ b/lib/internal/errors.js +@@ -1060,6 +1060,12 @@ module.exports = { + // + // Note: Node.js specific errors must begin with the prefix ERR_ + ++// insert RHEL specific erro ++E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED', ++ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' + ++ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n', ++ Error); ++ + E('ERR_ACCESS_DENIED', + 'Access to this API has been restricted. Permission: %s', + Error); +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc +index 5734d8f..ef9d1b1 100644 +--- a/src/crypto/crypto_util.cc ++++ b/src/crypto/crypto_util.cc +@@ -121,6 +121,8 @@ bool ProcessFipsOptions() { /* Override FIPS settings in configuration file, if needed. */ if (per_process::cli_options->enable_fips_crypto || per_process::cli_options->force_fips_crypto) { @@ -18,3 +78,5 @@ diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/cryp #if OPENSSL_VERSION_MAJOR >= 3 OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips"); if (fips_provider == nullptr) +-- +2.43.2 diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 9e9916a..2af348c 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -41,7 +41,7 @@ %global nodejs_epoch 1 %global nodejs_major 18 %global nodejs_minor 19 -%global nodejs_patch 0 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 108 @@ -68,7 +68,7 @@ %global c_ares_version 1.20.1 # llhttp - from deps/llhttp/include/llhttp.h -%global llhttp_version 6.0.11 +%global llhttp_version 6.1.0 # libuv - from deps/uv/include/uv/version.h %global libuv_version 1.44.2 @@ -110,11 +110,11 @@ # simduft from deps/simdutf/simdutf.h %global simduft_major 3 %global simduft_minor 2 -%global simduft_patch 18 +%global simduft_patch 14 %global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch} # ada from deps/ada/ada.h -%global ada_version 2.7.2 +%global ada_version 2.6.0 # OpenSSL minimum version %global openssl_minimum 1:1.1.1 @@ -126,7 +126,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 10.2.3 +%global npm_version 10.2.4 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -138,7 +138,7 @@ %global uvwasi_version 0.0.19 # histogram_c - assumed from timestamps -%global histogram_version 0.11.2 +%global histogram_version 0.11.8 Name: nodejs Epoch: %{nodejs_epoch} @@ -181,10 +181,10 @@ Source101: cjs-module-lexer-1.2.2.tar.gz Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz # Version: jq '.version' deps/undici/src/package.json -# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.26.4.tar.gz -# Adjustments: rm -f undici-5.26.4/lib/llhttp/llhttp*.wasm +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz +# Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm # Build uses alpine image, see alpine for sources for wasi-sdk -Source102: undici-5.26.4.tar.gz +Source102: undici-5.28.3.tar.gz # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch @@ -628,9 +628,19 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod %changelog +* Thu Feb 29 2024 Lukas Javorsky - 1:18.19.1-1 +- Rebase to version 18.19.1 +- Fix FIPS handling of the cmd-line options (RHBZ#2226726) +- Resolves: RHEL-26695 RHEL-26009 RHEL-26690 + * Thu Jan 18 2024 Jan Staněk - 1:18.19.0-1 - Rebase to version 18.19.0 - Resolves: RHEL-21436 + Resolves: RHEL-21438 + +* Sat Oct 14 2023 Zuzana Svetlikova - 1:18.18.2-1 +- Rebase to 18.18.2 (Security release) +- Switch icu from zip to tgz +- Fixes #2228925, CVE-2023-45143, CVE-2023-44487, CVE-2023-38552, CVE-2023-39333 * Wed Aug 23 2023 Jan Staněk - 1:18.17.1-1 - Rebase to version 18.17.1