Compare commits

...

No commits in common. "c8-stream-10" and "c8s-stream-10" have entirely different histories.

4 changed files with 109 additions and 12 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/icu4c-64_2-src.tgz SOURCES/icu4c-64_2-src.tgz
SOURCES/node-v10.24.0-stripped.tar.gz SOURCES/node-v10.23.1-stripped.tar.gz

View File

@ -1,2 +1,2 @@
3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz 3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz
be0e0b385a852c376f452b3d94727492e05407e4 SOURCES/node-v10.24.0-stripped.tar.gz 21b2943f71c0aa6c9271da21c3f09f52451be8fa SOURCES/node-v10.23.1-stripped.tar.gz

View File

@ -0,0 +1,99 @@
From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001
From: isaacs <i@izs.me>
Date: Tue, 8 Dec 2020 14:21:50 -0800
Subject: [PATCH] do not allow invalid hazardous string as section name
Signed-off-by: rpm-build <rpm-build>
---
deps/npm/node_modules/ini/ini.js | 8 +++++
deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 deps/npm/node_modules/ini/test/proto.js
diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
index 590195d..0401258 100644
--- a/deps/npm/node_modules/ini/ini.js
+++ b/deps/npm/node_modules/ini/ini.js
@@ -80,6 +80,12 @@ function decode (str) {
if (!match) return
if (match[1] !== undefined) {
section = unsafe(match[1])
+ if (section === '__proto__') {
+ // not allowed
+ // keep parsing the section, but don't attach it.
+ p = {}
+ return
+ }
p = out[section] = out[section] || {}
return
}
@@ -94,6 +100,7 @@ function decode (str) {
// Convert keys with '[]' suffix to an array
if (key.length > 2 && key.slice(-2) === '[]') {
key = key.substring(0, key.length - 2)
+ if (key === '__proto__') return
if (!p[key]) {
p[key] = []
} else if (!Array.isArray(p[key])) {
@@ -125,6 +132,7 @@ function decode (str) {
var l = parts.pop()
var nl = l.replace(/\\\./g, '.')
parts.forEach(function (part, _, __) {
+ if (part === '__proto__') return
if (!p[part] || typeof p[part] !== 'object') p[part] = {}
p = p[part]
})
diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
new file mode 100644
index 0000000..ab35533
--- /dev/null
+++ b/deps/npm/node_modules/ini/test/proto.js
@@ -0,0 +1,45 @@
+var ini = require('../')
+var t = require('tap')
+
+var data = `
+__proto__ = quux
+foo = baz
+[__proto__]
+foo = bar
+[other]
+foo = asdf
+[kid.__proto__.foo]
+foo = kid
+[arrproto]
+hello = snyk
+__proto__[] = you did a good job
+__proto__[] = so you deserve arrays
+thanks = true
+`
+var res = ini.parse(data)
+t.deepEqual(res, {
+ foo: 'baz',
+ other: {
+ foo: 'asdf',
+ },
+ kid: {
+ foo: {
+ foo: 'kid',
+ },
+ },
+ arrproto: {
+ hello: 'snyk',
+ thanks: true,
+ },
+})
+t.equal(res.__proto__, Object.prototype)
+t.equal(res.kid.__proto__, Object.prototype)
+t.equal(res.kid.foo.__proto__, Object.prototype)
+t.equal(res.arrproto.__proto__, Object.prototype)
+t.equal(Object.prototype.foo, undefined)
+t.equal(Object.prototype[0], undefined)
+t.equal(Object.prototype['0'], undefined)
+t.equal(Object.prototype[1], undefined)
+t.equal(Object.prototype['1'], undefined)
+t.equal(Array.prototype[0], undefined)
+t.equal(Array.prototype[1], undefined)
--
2.29.2

View File

@ -24,8 +24,8 @@
# than a Fedora release lifecycle. # than a Fedora release lifecycle.
%global nodejs_epoch 1 %global nodejs_epoch 1
%global nodejs_major 10 %global nodejs_major 10
%global nodejs_minor 24 %global nodejs_minor 23
%global nodejs_patch 0 %global nodejs_patch 1
%global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 64 %global nodejs_soversion 64
@ -94,7 +94,7 @@
%global npm_epoch 1 %global npm_epoch 1
%global npm_major 6 %global npm_major 6
%global npm_minor 14 %global npm_minor 14
%global npm_patch 11 %global npm_patch 10
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# In order to avoid needing to keep incrementing the release version for the # In order to avoid needing to keep incrementing the release version for the
@ -149,7 +149,9 @@ Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
# CVE-2020-7774 # CVE-2020-7774
Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
BuildRequires: make # CVE-2020-7788
Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
BuildRequires: python2-devel BuildRequires: python2-devel
BuildRequires: python3-devel BuildRequires: python3-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
@ -367,6 +369,7 @@ export LDFLAGS="%{build_ldflags}"
--shared-zlib \ --shared-zlib \
--without-dtrace \ --without-dtrace \
--with-intl=small-icu \ --with-intl=small-icu \
--debug-nghttp2 \
--openssl-use-def-ca-store --openssl-use-def-ca-store
%else %else
./configure --prefix=%{_prefix} \ ./configure --prefix=%{_prefix} \
@ -378,6 +381,7 @@ export LDFLAGS="%{build_ldflags}"
--with-dtrace \ --with-dtrace \
--with-intl=small-icu \ --with-intl=small-icu \
--with-icu-default-data-dir=%{icudatadir} \ --with-icu-default-data-dir=%{icudatadir} \
--debug-nghttp2 \
--openssl-use-def-ca-store --openssl-use-def-ca-store
%endif %endif
@ -621,12 +625,6 @@ end
%changelog %changelog
* Wed Feb 24 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.24.0-1
- Resolves: RHBZ#1932373, RHBZ#1932426
- Resolves CVE-2021-22883 and CVE-2021-22884
- remove -debug-nghttp2 flag (1930775)
- remove ini patch merged upstream
* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1 * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1
- January Security release - January Security release
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/