From f62bbd75157a200bf734297aaf97c2fea1d52bff Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Wed, 8 Dec 2021 06:43:52 +0000 Subject: [PATCH] import nodejs-14.18.2-1.module+el8.5.0+13504+a2e74d91 --- .gitignore | 2 +- .nodejs.metadata | 2 +- ...005-CVE-2021-23343-nodejs-path-parse.patch | 180 ------------------ SPECS/nodejs.spec | 44 +++-- 4 files changed, 26 insertions(+), 202 deletions(-) delete mode 100644 SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch diff --git a/.gitignore b/.gitignore index ef831e8..f881379 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/icu4c-69_1-src.tgz -SOURCES/node-v14.17.5-stripped.tar.gz +SOURCES/node-v14.18.2-stripped.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index 7f1e486..6dbf0a6 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,2 @@ 620a71c84428758376baa0fb81a581c3daa866ce SOURCES/icu4c-69_1-src.tgz -cdb2e0bdf9693d85a58d7b8576a4595618e0909e SOURCES/node-v14.17.5-stripped.tar.gz +bba4efed29ee2e3e9078b955890d9b68f6750f6a SOURCES/node-v14.18.2-stripped.tar.gz diff --git a/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch b/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch deleted file mode 100644 index 201721d..0000000 --- a/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch +++ /dev/null @@ -1,180 +0,0 @@ -https://github.com/jbgutierrez/path-parse/pull/10 - -From 72c38e3a36b8ed2ec03960ac659aa114cbe6a420 Mon Sep 17 00:00:00 2001 -From: Jeffrey Pinyan -Date: Thu, 13 May 2021 10:53:50 -0400 -Subject: [PATCH 1/2] fixed regexes to avoid ReDoS attacks - -Signed-off-by: rpm-build ---- - deps/npm/node_modules/path-parse/index.js | 6 +++--- - deps/npm/node_modules/path-parse/redos.js | 20 ++++++++++++++++++++ - 2 files changed, 23 insertions(+), 3 deletions(-) - create mode 100644 deps/npm/node_modules/path-parse/redos.js - -diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js -index 3b7601f..e6b2af1 100644 ---- a/deps/npm/node_modules/path-parse/index.js -+++ b/deps/npm/node_modules/path-parse/index.js -@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32'; - // Regex to split a windows path into three parts: [*, device, slash, - // tail] windows-only - var splitDeviceRe = -- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/; -+ /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s; - - // Regex to split the tail part of the above into [*, dir, basename, ext] - var splitTailRe = -- /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; -+ /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; - - var win32 = {}; - -@@ -51,7 +51,7 @@ win32.parse = function(pathString) { - // Split a filename into [root, dir, basename, ext], unix version - // 'root' is just a slash, or nothing. - var splitPathRe = -- /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; -+ /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; - var posix = {}; - - -diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js -new file mode 100644 -index 0000000..261947f ---- /dev/null -+++ b/deps/npm/node_modules/path-parse/redos.js -@@ -0,0 +1,20 @@ -+var pathParse = require('.'); -+ -+function build_attack(n) { -+ var ret = "" -+ for (var i = 0; i < n; i++) { -+ ret += "/" -+ } -+ return ret + "◎"; -+} -+ -+for(var i = 1; i <= 5000000; i++) { -+ if (i % 10000 == 0) { -+ var time = Date.now(); -+ var attack_str = build_attack(i) -+ pathParse.posix(attack_str); -+ pathParse.win32(attack_str); -+ var time_cost = Date.now() - time; -+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") -+ } -+} --- -2.31.1 - - -From 44d1c9cd047988bb819707c726d9640f8aabe04d Mon Sep 17 00:00:00 2001 -From: Jeffrey Pinyan -Date: Thu, 13 May 2021 11:51:45 -0400 -Subject: [PATCH 2/2] streamlined regexes, simplified parse() returns - -Signed-off-by: rpm-build ---- - deps/npm/node_modules/path-parse/index.js | 52 ++++++++--------------- - 1 file changed, 17 insertions(+), 35 deletions(-) - -diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js -index e6b2af1..f062d0a 100644 ---- a/deps/npm/node_modules/path-parse/index.js -+++ b/deps/npm/node_modules/path-parse/index.js -@@ -2,29 +2,14 @@ - - var isWindows = process.platform === 'win32'; - --// Regex to split a windows path into three parts: [*, device, slash, --// tail] windows-only --var splitDeviceRe = -- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s; -- --// Regex to split the tail part of the above into [*, dir, basename, ext] --var splitTailRe = -- /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; -+// Regex to split a windows path into into [dir, root, basename, name, ext] -+var splitWindowsRe = -+ /^(((?:[a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/]*[\\\/])*)((\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))[\\\/]*$/; - - var win32 = {}; - --// Function to split a filename into [root, dir, basename, ext] - function win32SplitPath(filename) { -- // Separate device+slash from tail -- var result = splitDeviceRe.exec(filename), -- device = (result[1] || '') + (result[2] || ''), -- tail = result[3] || ''; -- // Split the tail into dir, basename and extension -- var result2 = splitTailRe.exec(tail), -- dir = result2[1], -- basename = result2[2], -- ext = result2[3]; -- return [device, dir, basename, ext]; -+ return splitWindowsRe.exec(filename).slice(1); - } - - win32.parse = function(pathString) { -@@ -34,24 +19,24 @@ win32.parse = function(pathString) { - ); - } - var allParts = win32SplitPath(pathString); -- if (!allParts || allParts.length !== 4) { -+ if (!allParts || allParts.length !== 5) { - throw new TypeError("Invalid path '" + pathString + "'"); - } - return { -- root: allParts[0], -- dir: allParts[0] + allParts[1].slice(0, -1), -+ root: allParts[1], -+ dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1), - base: allParts[2], -- ext: allParts[3], -- name: allParts[2].slice(0, allParts[2].length - allParts[3].length) -+ ext: allParts[4], -+ name: allParts[3] - }; - }; - - - --// Split a filename into [root, dir, basename, ext], unix version -+// Split a filename into [dir, root, basename, name, ext], unix version - // 'root' is just a slash, or nothing. - var splitPathRe = -- /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; -+ /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/; - var posix = {}; - - -@@ -67,19 +52,16 @@ posix.parse = function(pathString) { - ); - } - var allParts = posixSplitPath(pathString); -- if (!allParts || allParts.length !== 4) { -+ if (!allParts || allParts.length !== 5) { - throw new TypeError("Invalid path '" + pathString + "'"); - } -- allParts[1] = allParts[1] || ''; -- allParts[2] = allParts[2] || ''; -- allParts[3] = allParts[3] || ''; -- -+ - return { -- root: allParts[0], -- dir: allParts[0] + allParts[1].slice(0, -1), -+ root: allParts[1], -+ dir: allParts[0].slice(0, -1), - base: allParts[2], -- ext: allParts[3], -- name: allParts[2].slice(0, allParts[2].length - allParts[3].length) -+ ext: allParts[4], -+ name: allParts[3], - }; - }; - --- -2.31.1 - diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 2d55f11..972efc3 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -26,8 +26,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 14 -%global nodejs_minor 17 -%global nodejs_patch 5 +%global nodejs_minor 18 +%global nodejs_patch 2 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %if %{?with_libs} == 1 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -54,19 +54,19 @@ # c-ares - from deps/cares/include/ares_version.h # https://github.com/nodejs/node/pull/9332 %global c_ares_major 1 -%global c_ares_minor 17 -%global c_ares_patch 2 +%global c_ares_minor 18 +%global c_ares_patch 1 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} # llhttp - from deps/llhttp/include/llhttp.h %global llhttp_major 2 %global llhttp_minor 1 -%global llhttp_patch 3 +%global llhttp_patch 4 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch} # libuv - from deps/uv/include/uv/version.h %global libuv_major 1 -%global libuv_minor 41 +%global libuv_minor 42 %global libuv_patch 0 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch} @@ -110,7 +110,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 14 +%global npm_patch 15 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -169,8 +169,6 @@ Patch2: 0002-Install-both-binaries-and-use-libdir.patch # https://github.com/nodejs/node/issues/34903 Patch3: 0004-always-available-fips-options.patch -Patch4: 0005-CVE-2021-23343-nodejs-path-parse.patch - BuildRequires: make BuildRequires: python3-devel BuildRequires: zlib-devel @@ -395,7 +393,6 @@ rm -rf deps/brotli pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js") find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python3~" {} \; find . -type f -exec sed -i "s~/usr\/bin\/python\W~/usr/bin/python3~" {} \; -sed -i "s~python~python3~" $(find . -type f | grep "gyp$") sed -i "s~usr\/bin\/python2~usr\/bin\/python3~" ./deps/v8/tools/gen-inlining-tests.py sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_unittest.py find . -type f -exec sed -i "s~python -c~python3 -c~" {} \; @@ -411,6 +408,7 @@ find . -type f -exec sed -i "s~python -c~python3 -c~" {} \; export CC='gcc' export CXX='g++' +%{?with_python3_fixup:export NODE_GYP_FORCE_PYTHON=%{__python3}} # build with debugging symbols and add defines from libuv (#892601) # Node's v8 breaks with GCC 6 because of incorrect usage of methods on @@ -828,27 +826,32 @@ end %changelog +* Wed Dec 01 2021 Zuzana Svetlikova - 1:14.18.2-1 +- Resolves: RHBZ#2027609 +- Resolves: RHBZ#2027649, RHBZ#2027646, RHBZ#2027642, RHBZ#2027635 +- Rebase to new version to fix CVEs + * Tue Aug 17 2021 Zuzana Svetlikova - 1:14.17.5-1 - Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, - CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672 - Resolves RHBZ#1847529 (make FIPS always available) -- Resolves: RHBZ#1988599, RHBZ#1994000, RHBZ#1993998, RHBZ#1993095 -- Resolves: RHBZ#1994028, RHBZ#1994402, RHBZ#1994406, RHBZ#1994398 -- Resolves: RHBZ#1993924 (make FIPS always available) +- Resolves: RHBZ#1988600, RHBZ#1993815, RHBZ#1993809, RHBZ#1993096 +- Resolves: RHBZ#1986743, RHBZ#1993947, RHBZ#1993940, RHBZ#1989427 +- Resolves: RHBZ#1951620 (make FIPS always available) * Mon Aug 09 2021 Zuzana Svetlikova - 1:14.17.3-3 -- Resolves: RHBZ#1991584, RHBZ#1991578 +- Resolves: RHBZ#1945513, RHBZ#1945287 - Resolves CVE-2021-23362 CVE-2021-27290 - Bump for missing mentions of CVEs * Thu Jul 08 2021 Zuzana Svetlikova - 1:14.17.3-2 -- Resolves: RHBZ#1980032, RHBZ#1978203 -- Resolves RHBZ#1842826 +- Resolves: RHBZ#1979844, RHBZ#1977829 +- Resolves: RHBZ#1842826 - Don't use patch3 * Thu Jul 08 2021 Zuzana Svetlikova - 1:14.17.3-1 -- Resolves: RHBZ#1980032, RHBZ#1978203 -- Resolves RHBZ#1842826 +- Resolves: RHBZ#1979844, RHBZ#1977829 +- Resolves: RHBZ#1842826 - Resolves CVE-2021-22918(libuv), use system cipher list * Wed Mar 10 2021 Zuzana Svetlikova - 1:14.16.0-3 @@ -856,11 +859,12 @@ end - Always build with systemtap * Mon Mar 01 2021 Zuzana Svetlikova - 1:14.16.0-2 -- Resolves: RHBZ#1930775 +- Resolves RHBZ#1930775 - remove --debug-nghttp2 option * Mon Mar 01 2021 Zuzana Svetlikova - 1:14.16.0-1 -- Resolves: RHBZ#1932318, RHBZ#1932366 +- Resolves CVE-2021-22883 CVE-2021-22884 +- Resolves: RHBZ#1934566, RHBZ#1934599 - Rebase, remove ini patch * Tue Jan 26 2021 Zuzana Svetlikova - 1:14.15.4-2