import nodejs-14.18.2-1.module+el8.5.0+13504+a2e74d91

CentOS Sources 2021-12-08 06:43:52 +00:00 committed by Stepan Oksanichenko
parent 076165d65d
commit f62bbd7515
4 changed files with 26 additions and 202 deletions

2
.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/icu4c-69_1-src.tgz
SOURCES/node-v14.17.5-stripped.tar.gz
SOURCES/node-v14.18.2-stripped.tar.gz


@ -1,2 +1,2 @@
620a71c84428758376baa0fb81a581c3daa866ce SOURCES/icu4c-69_1-src.tgz
cdb2e0bdf9693d85a58d7b8576a4595618e0909e SOURCES/node-v14.17.5-stripped.tar.gz
bba4efed29ee2e3e9078b955890d9b68f6750f6a SOURCES/node-v14.18.2-stripped.tar.gz


@ -1,180 +0,0 @@
https://github.com/jbgutierrez/path-parse/pull/10
From 72c38e3a36b8ed2ec03960ac659aa114cbe6a420 Mon Sep 17 00:00:00 2001
From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>
Date: Thu, 13 May 2021 10:53:50 -0400
Subject: [PATCH 1/2] fixed regexes to avoid ReDoS attacks
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/path-parse/index.js | 6 +++---
deps/npm/node_modules/path-parse/redos.js | 20 ++++++++++++++++++++
2 files changed, 23 insertions(+), 3 deletions(-)
create mode 100644 deps/npm/node_modules/path-parse/redos.js
diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
index 3b7601f..e6b2af1 100644
--- a/deps/npm/node_modules/path-parse/index.js
+++ b/deps/npm/node_modules/path-parse/index.js
@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32';
// Regex to split a windows path into three parts: [*, device, slash,
// tail] windows-only
var splitDeviceRe =
- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/;
+ /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
// Regex to split the tail part of the above into [*, dir, basename, ext]
var splitTailRe =
- /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
+ /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
var win32 = {};
@@ -51,7 +51,7 @@ win32.parse = function(pathString) {
// Split a filename into [root, dir, basename, ext], unix version
// 'root' is just a slash, or nothing.
var splitPathRe =
- /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
+ /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
var posix = {};
diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js
new file mode 100644
index 0000000..261947f
--- /dev/null
+++ b/deps/npm/node_modules/path-parse/redos.js
@@ -0,0 +1,20 @@
+var pathParse = require('.');
+
+function build_attack(n) {
+ var ret = ""
+ for (var i = 0; i < n; i++) {
+ ret += "/"
+ }
+ return ret + "◎";
+}
+
+for(var i = 1; i <= 5000000; i++) {
+ if (i % 10000 == 0) {
+ var time = Date.now();
+ var attack_str = build_attack(i)
+ pathParse.posix(attack_str);
+ pathParse.win32(attack_str);
+ var time_cost = Date.now() - time;
+ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
+ }
+}
--
2.31.1
From 44d1c9cd047988bb819707c726d9640f8aabe04d Mon Sep 17 00:00:00 2001
From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>
Date: Thu, 13 May 2021 11:51:45 -0400
Subject: [PATCH 2/2] streamlined regexes, simplified parse() returns
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/path-parse/index.js | 52 ++++++++---------------
1 file changed, 17 insertions(+), 35 deletions(-)
diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
index e6b2af1..f062d0a 100644
--- a/deps/npm/node_modules/path-parse/index.js
+++ b/deps/npm/node_modules/path-parse/index.js
@@ -2,29 +2,14 @@
var isWindows = process.platform === 'win32';
-// Regex to split a windows path into three parts: [*, device, slash,
-// tail] windows-only
-var splitDeviceRe =
- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
-
-// Regex to split the tail part of the above into [*, dir, basename, ext]
-var splitTailRe =
- /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
+// Regex to split a windows path into into [dir, root, basename, name, ext]
+var splitWindowsRe =
+ /^(((?:[a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/]*[\\\/])*)((\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))[\\\/]*$/;
var win32 = {};
-// Function to split a filename into [root, dir, basename, ext]
function win32SplitPath(filename) {
- // Separate device+slash from tail
- var result = splitDeviceRe.exec(filename),
- device = (result[1] || '') + (result[2] || ''),
- tail = result[3] || '';
- // Split the tail into dir, basename and extension
- var result2 = splitTailRe.exec(tail),
- dir = result2[1],
- basename = result2[2],
- ext = result2[3];
- return [device, dir, basename, ext];
+ return splitWindowsRe.exec(filename).slice(1);
}
win32.parse = function(pathString) {
@@ -34,24 +19,24 @@ win32.parse = function(pathString) {
);
}
var allParts = win32SplitPath(pathString);
- if (!allParts || allParts.length !== 4) {
+ if (!allParts || allParts.length !== 5) {
throw new TypeError("Invalid path '" + pathString + "'");
}
return {
- root: allParts[0],
- dir: allParts[0] + allParts[1].slice(0, -1),
+ root: allParts[1],
+ dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1),
base: allParts[2],
- ext: allParts[3],
- name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
+ ext: allParts[4],
+ name: allParts[3]
};
};
-// Split a filename into [root, dir, basename, ext], unix version
+// Split a filename into [dir, root, basename, name, ext], unix version
// 'root' is just a slash, or nothing.
var splitPathRe =
- /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
+ /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/;
var posix = {};
@@ -67,19 +52,16 @@ posix.parse = function(pathString) {
);
}
var allParts = posixSplitPath(pathString);
- if (!allParts || allParts.length !== 4) {
+ if (!allParts || allParts.length !== 5) {
throw new TypeError("Invalid path '" + pathString + "'");
}
- allParts[1] = allParts[1] || '';
- allParts[2] = allParts[2] || '';
- allParts[3] = allParts[3] || '';
-
+
return {
- root: allParts[0],
- dir: allParts[0] + allParts[1].slice(0, -1),
+ root: allParts[1],
+ dir: allParts[0].slice(0, -1),
base: allParts[2],
- ext: allParts[3],
- name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
+ ext: allParts[4],
+ name: allParts[3],
};
};
--
2.31.1


@ -26,8 +26,8 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 14
%global nodejs_minor 17
%global nodejs_patch 5
%global nodejs_minor 18
%global nodejs_patch 2
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%if %{?with_libs} == 1
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -54,19 +54,19 @@
# c-ares - from deps/cares/include/ares_version.h
# https://github.com/nodejs/node/pull/9332
%global c_ares_major 1
%global c_ares_minor 17
%global c_ares_patch 2
%global c_ares_minor 18
%global c_ares_patch 1
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
# llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_major 2
%global llhttp_minor 1
%global llhttp_patch 3
%global llhttp_patch 4
%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
# libuv - from deps/uv/include/uv/version.h
%global libuv_major 1
%global libuv_minor 41
%global libuv_minor 42
%global libuv_patch 0
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
@ -110,7 +110,7 @@
%global npm_epoch 1
%global npm_major 6
%global npm_minor 14
%global npm_patch 14
%global npm_patch 15
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# uvwasi - from deps/uvwasi/include/uvwasi.h
@ -169,8 +169,6 @@ Patch2: 0002-Install-both-binaries-and-use-libdir.patch
# https://github.com/nodejs/node/issues/34903
Patch3: 0004-always-available-fips-options.patch
Patch4: 0005-CVE-2021-23343-nodejs-path-parse.patch
BuildRequires: make
BuildRequires: python3-devel
BuildRequires: zlib-devel
@ -395,7 +393,6 @@ rm -rf deps/brotli
pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python3~" {} \;
find . -type f -exec sed -i "s~/usr\/bin\/python\W~/usr/bin/python3~" {} \;
sed -i "s~python~python3~" $(find . -type f | grep "gyp$")
sed -i "s~usr\/bin\/python2~usr\/bin\/python3~" ./deps/v8/tools/gen-inlining-tests.py
sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_unittest.py
find . -type f -exec sed -i "s~python -c~python3 -c~" {} \;
@ -411,6 +408,7 @@ find . -type f -exec sed -i "s~python -c~python3 -c~" {} \;
export CC='gcc'
export CXX='g++'
%{?with_python3_fixup:export NODE_GYP_FORCE_PYTHON=%{__python3}}
# build with debugging symbols and add defines from libuv (#892601)
# Node's v8 breaks with GCC 6 because of incorrect usage of methods on
@ -828,27 +826,32 @@ end
%changelog
* Wed Dec 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-1
- Resolves: RHBZ#2027609
- Resolves: RHBZ#2027649, RHBZ#2027646, RHBZ#2027642, RHBZ#2027635
- Rebase to new version to fix CVEs
* Tue Aug 17 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.17.5-1
- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940,
- CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
- Resolves RHBZ#1847529 (make FIPS always available)
- Resolves: RHBZ#1988599, RHBZ#1994000, RHBZ#1993998, RHBZ#1993095
- Resolves: RHBZ#1994028, RHBZ#1994402, RHBZ#1994406, RHBZ#1994398
- Resolves: RHBZ#1993924 (make FIPS always available)
- Resolves: RHBZ#1988600, RHBZ#1993815, RHBZ#1993809, RHBZ#1993096
- Resolves: RHBZ#1986743, RHBZ#1993947, RHBZ#1993940, RHBZ#1989427
- Resolves: RHBZ#1951620 (make FIPS always available)
* Mon Aug 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.17.3-3
- Resolves: RHBZ#1991584, RHBZ#1991578
- Resolves: RHBZ#1945513, RHBZ#1945287
- Resolves CVE-2021-23362 CVE-2021-27290
- Bump for missing mentions of CVEs
* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.17.3-2
- Resolves: RHBZ#1980032, RHBZ#1978203
- Resolves RHBZ#1842826
- Resolves: RHBZ#1979844, RHBZ#1977829
- Resolves: RHBZ#1842826
- Don't use patch3
* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.17.3-1
- Resolves: RHBZ#1980032, RHBZ#1978203
- Resolves RHBZ#1842826
- Resolves: RHBZ#1979844, RHBZ#1977829
- Resolves: RHBZ#1842826
- Resolves CVE-2021-22918(libuv), use system cipher list
* Wed Mar 10 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.16.0-3
@ -856,11 +859,12 @@ end
- Always build with systemtap
* Mon Mar 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.16.0-2
- Resolves: RHBZ#1930775
- Resolves RHBZ#1930775
- remove --debug-nghttp2 option
* Mon Mar 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.16.0-1
- Resolves: RHBZ#1932318, RHBZ#1932366
- Resolves CVE-2021-22883 CVE-2021-22884
- Resolves: RHBZ#1934566, RHBZ#1934599
- Rebase, remove ini patch
* Tue Jan 26 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.4-2
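Review bot: The `@ -169,8 +169,6 @` hunk drops `Patch4: 0005-CVE-2021-23343-nodejs-path-parse.patch`, but the new `1:14.18.2-1` changelog entry only says `- Rebase to new version to fix CVEs` and does not record the removal or why it is safe. Presumably the bundled npm, bumped to 6.14.15 in this same section, now carries a path-parse with the ReDoS fix. That should be confirmed against `deps/npm/node_modules/path-parse` in the `node-v14.18.2-stripped.tar.gz` tree rather than assumed from the version bump. I would add a changelog line such as `- Remove Patch4 (CVE-2021-23343), fix included in bundled npm %{npm_version}` so that the CVE stays traceable for anyone auditing which build carries the fix and from where.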